Insider threat

An insider threat is someone who can cause harm to an organisation from within. An insider threat might be an employee, vendor, executive or contractor who uses their inside knowledge to gain a benefit for themselves.

While most fraud risk to New Zealand’s public sector is external, occasionally someone inside an organisation may be motivated to use an organisation’s assets for personal gain. In New Zealand, the most common risks include fraud, intellectual property theft, and corruption. A breach of trust within an organisation could also be an information leak, privacy breach or sabotaged system.


Who could be an insider threat?

People are the most valuable asset of an organisation – but they can also be a source of weakness. A range of motivations could make a person susceptible to committing fraud, and fraud risks can come from any level of the organisation. 

Various employees across an organisation could have access to sensitive or valuable information. Even if this information is not valuable to an employee, it might be valuable to an external party who could provide financial incentive to access it for their own benefit.

Insider threats can be unintentional or intentional. Unintentional insider threats cause harm through negligence, without malicious intent. For example, an employee might deliberately skip security processes they do not believe to be important, without meaning any harm, or they may have a genuine gap in their knowledge about the behaviours expected of them.

An intentional insider threat is an employee who breaches security processes or procedures to purposely cause harm to an organisation. As insiders, they may know the weaknesses in their organisation’s systems and use stealth or deceit to access restricted information or make unauthorised decisions. 

Know where your organisation might be vulnerable

Bad actors may target public sector agencies and their employees to access sensitive information or decision-making processes. Organisations should assess what resources or information they hold that could be valuable, and put additional security or protective measures in place in those areas. 

Information

Identity information is particularly valuable, as it facilitates identity fraud and theft. The most vulnerable agencies will be those with significant data holdings, particularly those that have access to law enforcement information or large volumes of identity and credit card information.

An increasing number of public sector organisations, large and small, collect identity information and could be targeted. Agencies that have large amounts of data accessible by numerous employees will be most at risk. It is important that security systems are maintained and that employees have access only to the systems necessary for their role.

Decision-making processes

Decision-making and regulatory processes could be targets for insiders looking to benefit from decisions going their way. This might include procurement decisions, awarding contracts or grants, or decisions relating to property and investments. Agencies that process licences or visas can become targets. Research from other jurisdictions has shown the security, construction, gaming and liquor industries present attractive opportunities to fraudsters. 

Work areas

Along with frontline staff, those in administrative and information technology areas may have access to sensitive information or the ability to conceal improper actions. To determine which work areas might face the highest risk, agencies should consider:

  • their information, decision-making powers, goods and services
  • any vulnerabilities associated with their employees
  • their work and security practices. 

Public sector organisations must also consider how they share their information and systems. Although a public agency may have identified internal high-risk work areas, they may remain vulnerable where information and systems are shared with other agencies or where functions are outsourced to private providers.

Motivations for insider fraud and corruption

It is important that employers recognise the triggers that may lead someone to carry out a malicious act. Sometimes an employee may be struggling financially, or they may have faced a significant life event. But remember, the presence of one or more of these factors does not by itself prove malicious intent.

Financial benefit

Financial benefit is the most common motivation for committing fraud or corruption. This may include an employee facing financial difficulty through gambling addiction or other debts. The desire for wealth may be driven simply by greed. In some instances an employee may want to be perceived as being wealthy and will try to maintain a lifestyle that is beyond their means. 

Workplace discontent

Discontent towards an organisation is a significant motive for the intentional misuse of privilege and access to systems. In some cases, employees may feel like they have been wronged by an organisation, particularly if they missed out on a promotion, increased remuneration or recognition in their role. 

Job insecurity

Pressure from financial downturns and job insecurity can increase fraud risk as employees look to supplement their incomes. Employees facing financial hardship may be more inclined to accept offers from external bad actors, or they might be more motivated to carry out actions they otherwise would not have considered.

Remote working

The shift to working from home or flexible working arrangements presents an information security risk, while also creating opportunities for fraud through a lack of oversight. Organisations that have remote working arrangements should carry out pressure testing on new security controls to ensure effective security measures are in place. 

Relationships

An employee’s relationships can be a form of pressure. Family members, friends and members of some communities can become levers for exploitation if employees feel responsible for them. Under the influence of a corrupt outsider, an employee may unwittingly become a malicious insider. Relationships can blur the intention behind a malicious act, with perpetrators becoming unknowing pawns for others whom they believe to be acting innocently.

Conflicts of interest, not properly managed, can also harm an organisation. Conflicts of interest can arise when private or personal interests run counter to the public interest and are likely to occur through personal, family or community relationships. 

Red flags of insider threat

There are a number of red flags that may indicate that someone is acting maliciously against an organisation. Remember that the presence of any of these common signs does not automatically mean you have an insider threat. However, it may pay to speak to someone about it or keep a record of your concerns. 

Changes in behaviour or significant life events

  • More nervous or anxious than normal.
  • Receives calls from outside work that cause stress.
  • Becomes suddenly wealthy without explanation.

Concerning or unusual behaviour 

  • Under the influence of drugs or alcohol.
  • Makes extreme statements that show bitterness or anger – especially towards the organisation and its work or more senior colleagues.
  • Does not want to take leave, is nervous about others acting in their position, or is possessive about certain pieces of work.
  • Has an unusual interest in choosing new employees.

Changes in work performance or habits

  • Poor work performance.
  • Unusual working hours – especially repeated after-hours access.
  • Unexplained absences or travel.

Security violations

  • Breaches security processes repeatedly, or deliberately does not follow security policies.
  • Asks others to overlook security breaches, such as not wearing an identification tag or not carrying a security pass.
  • Attempts to access sensitive information or restricted areas.
  • More interested than normal in sensitive information (especially information they would not usually have access to).
  • Attempts to access (or successfully accesses) restricted areas that are outside their normal responsibility.
  • Takes videos, photos or notes around sensitive information.

Responding to insider threats

To detect and deter insider threats, it pays to monitor and respond to any suspicious or disruptive behaviour. Regular monitoring can also detect unsuccessful attempts to exceed authorised access. Sometimes an employee may accidentally breach a security control; if they had previously wanted to harm the organisation but were unsure how, this breach could encourage them. Ensuring there are no opportunities to act maliciously will help to minimise their ability to sabotage the system.
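The two signals this section and the red flags above point to, repeated unsuccessful attempts to exceed authorised access and repeated after-hours access, can be surfaced from an ordinary access log. The following is an added example, not part of the guide; the log format, the business-hours window and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the guide): flag users with repeated DENY events or repeated
# after-hours access in a constructed access log. Format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <user> <resource> <ALLOW|DENY>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice hr-records ALLOW
2024-03-04T22:41:00 bob finance-ledger ALLOW
2024-03-04T23:05:00 bob finance-ledger ALLOW
2024-03-05T02:17:00 bob payroll-export ALLOW
2024-03-05T10:30:00 carol procurement DENY
2024-03-05T10:31:00 carol procurement DENY
2024-03-05T10:33:00 carol contracts-archive DENY
"""

BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 19:00 counts as in-hours
DENY_THRESHOLD = 3         # assumed: denials needed before a user is flagged
AFTER_HOURS_THRESHOLD = 3  # assumed: after-hours accesses needed before a user is flagged

def parse_log(text):
    """Yield (timestamp, user, resource, outcome); malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("ALLOW", "DENY"):
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def review_candidates(text):
    """Return {user: {"denied": n, "after_hours": m, "reasons": [...]}} for users worth a look."""
    start, end = BUSINESS_HOURS
    counts = defaultdict(lambda: {"denied": 0, "after_hours": 0})
    for ts, user, _resource, outcome in parse_log(text):
        if outcome == "DENY":
            counts[user]["denied"] += 1        # unsuccessful attempt to exceed access
        elif not start <= ts.hour < end:
            counts[user]["after_hours"] += 1   # successful access outside business hours
    flagged = {}
    for user, c in counts.items():
        reasons = []
        if c["denied"] >= DENY_THRESHOLD:
            reasons.append("repeated denied access attempts")
        if c["after_hours"] >= AFTER_HOURS_THRESHOLD:
            reasons.append("repeated after-hours access")
        if reasons:
            flagged[user] = {**c, "reasons": reasons}
    return flagged
```

A flagged user is a prompt for a conversation or a recorded concern, as the guide says, not a finding on its own.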

Background and pre-employment checks

Comprehensive background checks prior to employment should reveal if previous employers had any concerns. An organisation should carry out pre-employment checks on everyone, including when employees from within an organisation change roles. This applies particularly to those working in high-risk areas such as finance and procurement, and should not be skipped just because of a person’s work experience or seniority. 

Security controls

Technology such as firewalls, access controls and encryption is a vital first line of defence against malicious activity. Where security systems and controls are in place, maintain them and keep them up to date. Controls and countermeasures should be consistently enforced, with consequences for employees at all levels where they have been breached. Privilege slide refers to someone taking their system privileges with them when they move roles within an organisation. Make sure access rights are appropriate for the new role only. Removing privileges as soon as an employee changes roles ensures that access is granted only to the correct staff.
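Catching privilege slide at the moment of a role change is a reconciliation problem: compare what the person currently holds with what the new role needs, and separate what the old role explains from what nothing explains. The following is an added example, not part of the guide or any particular product; the role catalogue and the user's entitlements are constructed sample data.

```python
# Added example (not from the guide): reconcile a user's access after a role change so that
# privileges carried over from the old role ("privilege slide") are listed for removal.
# The role catalogue and the sample user's entitlements are constructed data.
ROLE_ENTITLEMENTS = {  # assumed catalogue: role -> entitlements the role actually needs
    "procurement-officer": {"procurement-portal", "supplier-register", "contract-drafts"},
    "finance-analyst": {"finance-ledger", "reporting-warehouse"},
    "comms-advisor": {"media-library", "intranet-publish"},
}

def reconcile_role_change(current_access, old_role, new_role, catalogue=ROLE_ENTITLEMENTS):
    """Compare a user's current entitlements with what the new role needs.

    Returns a dict with:
      keep     - entitlements the new role legitimately needs
      grant    - entitlements the new role needs that the user lacks
      slide    - old-role entitlements that would otherwise follow the user
      orphaned - entitlements explained by neither role (need a separate decision)
    """
    old_needs = catalogue.get(old_role, set())
    new_needs = catalogue[new_role]  # an unknown new role is a configuration error
    current = set(current_access)
    excess = current - new_needs
    return {
        "keep": sorted(current & new_needs),
        "grant": sorted(new_needs - current),
        "slide": sorted(excess & old_needs),
        "orphaned": sorted(excess - old_needs),
    }

def removal_list(report):
    """Everything that should be revoked when the role change takes effect."""
    return sorted(report["slide"] + report["orphaned"])

# Constructed sample: a procurement officer moving to finance, with one entitlement
# left over from an earlier secondment that neither role explains.
SAMPLE_USER_ACCESS = {"procurement-portal", "supplier-register", "contract-drafts",
                      "media-library", "finance-ledger"}

if __name__ == "__main__":
    report = reconcile_role_change(SAMPLE_USER_ACCESS, "procurement-officer", "finance-analyst")
    for key, items in report.items():
        print(f"{key:9}: {', '.join(items) or '-'}")
    print("revoke   :", ", ".join(removal_list(report)))
```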

Tone from the top 

Setting the tone from the top is important to embed an ethical culture in an organisation, where it is well understood that corrupt or fraudulent behaviours will not be tolerated. The right tone fosters a culture of zero tolerance for all forms of bribery and corruption. The strength of an ethical culture depends on individuals at each level within the organisation committing to do what is right. When those in senior positions are seen to uphold the rules, policies and processes of the organisation, those rules are taken seriously by employees. If decision makers are transparent in their actions and show the rationale for their decisions, staff are less likely to feel resentment.

Clear avenues for reporting

The Protected Disclosures (Protection of Whistleblowers) Act 2022 facilitates the disclosure and investigation of serious wrongdoing in the workplace. The Act covers a number of integrity issues and seeks to protect those who report malicious insiders. Whistleblower reporting continues to be one of the primary methods of detecting corrupt or malicious conduct by an employee. Those working alongside a malicious insider may be the first to notice any changes in behaviour. Employers should ensure that all employees are able to recognise the red flags, and are aware of the steps they must take if they notice suspicious behaviour from their colleagues.

Download the full guide

Download the full guide for more information on insider threats and proactive steps an organisation can take to protect itself.