Wealthy staff, not hackers, often thieves

Companies are being duped more by their own employees than by external hackers when it comes to cyber fraud, according to KPMG Forensic associate director Stan Gallo, and those employees are often high earners.

(Pickpocket Macro May 24, 20103 image by Steven Depolo, CC BY 2.0)

Gallo presented his talk on corporate identity theft and fraud at Attachmate Group's A Powerful Connection 2011 event today in Sydney, revealing that the typical fraudster isn't your average, scruffy-looking bedroom hacker, but more likely an insider within the corporation.

In 65 per cent of all fraud cases, insiders tap into an organisation's IT systems, secretly siphoning off money from the company, or selling intellectual property.

One example that Gallo provided was a mother who helped herself to $1.2 million on top of her $40,000 salary by gaming the company's invoicing system. Working in the accounts-payable department of the company, she noticed that payment details were being stored on a shared network drive. After editing the file to fill her own account, she would wait until repeat invoices would be issued, and then abuse her position to approve the payment, hiding it among the other several thousand payments that the company made to cover her tracks.

Although the average amount stolen in Australia was $229,000 per incident, Gallo said that women tended to steal much more than men. Yet, in general, the thefts were more likely to have been perpetrated by a man.

The culprits were motivated by greed rather than by necessity, with the typical fraudster earning an average salary of $113,000, according to Gallo. He said that the lifestyle brought to people by the stolen money was more likely to be the motivation behind thefts, rather than the stereotypical gambler needing to fuel their addiction.

This also meant that in 60 per cent of fraud cases, Gallo and his team were unable to recover what was stolen since it was gone. He said that when they do manage to get some money back, it's only about 9 per cent of what is stolen.

Gallo's profile of fraudsters aren't what people would normally expect. They often have no known history of dishonesty in the past and have been employed for five years, with three of those in their current position. He also said that fraudsters only tend to be detected 12 months after the theft has taken place.

One of the issues that leaves companies vulnerable, Gallo said, was their approach to focusing on external threats only.

"When you think security, everyone has a rock-solid external security procedural policy in place, but employees have trust, and they exploit that," he said.

Despite that, he said that he is beginning to see external attacks rise, not because internal threats are reducing in number, but because companies outside of the financial industry are also letting their guard down over external security.

"The corporates are being identified as not as secure. They're not putting money into security that the big banks do. The big banks have reputation issues. The corporates tend to be more restricted in terms of cost funding."

He said that companies continue to make the mistake of thinking that once they have their security locked down, or that by being compliant with relevant codes or standards, they are secure.

"[Companies can't say] 'Yes, we've done it today, our security's great' and then forget about it, because in two years, three years [or] five years, the world will change, and that security will be redundant. It needs to be flexible, and move with you. It's not just a one-time cost."

Borrowing a popular phrase that's often thrown around in the security industry, Gallo said that compliance doesn't equal security, but that security can equal compliance.

"It's not just about compliance. If you can take the proper processes to build that security in, then you can be compliant, but you can be better. But if you just do it for compliance, then that isn't a tick to say, 'Yes, we're secure'".