<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Insider Threat – Not Knowing That You Don’t Know What You Don’t Know</title>
	<atom:link href="http://www.bloginfosec.com/2010/05/10/insider-threat-%e2%80%93-not-knowing-that-you-don%e2%80%99t-know-what-you-don%e2%80%99t-know/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bloginfosec.com/2010/05/10/insider-threat-%e2%80%93-not-knowing-that-you-don%e2%80%99t-know-what-you-don%e2%80%99t-know/</link>
	<description>An Information Security Magazine in a Blog Format</description>
	<lastBuildDate>Mon, 30 Jan 2012 11:01:25 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Gary Hinson</title>
		<link>http://www.bloginfosec.com/2010/05/10/insider-threat-%e2%80%93-not-knowing-that-you-don%e2%80%99t-know-what-you-don%e2%80%99t-know/comment-page-1/#comment-20336</link>
		<dc:creator>Gary Hinson</dc:creator>
		<pubDate>Fri, 14 May 2010 22:01:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1457#comment-20336</guid>
		<description>Hi Warren.

I remember this insider versus outsider threat business blowing up about 5-10 years ago, when surveys were finding apparently contradictory numbers: external threats and attacks are far more numerous but most are trivial, while insider threats and attacks are more insidious, more successful and (probably) far more costly in total.  It makes sense that insiders have the long-term access, insider knowledge and plenty of opportunities to explore and probe weaknesses in internal controls.  Frauds, in particular, involve deliberate deception and concealment, so I am 100% certain that we don&#039;t know about all of them.  On top of that, management are much less willing to admit to insider problems than external ones, so even good surveys are probably underestimating the scale of the insider problem.

There&#039;s another issue here too - the matter of plausible deniability.  It is much easier for a wayward insider to claim he/she &#039;accidentally&#039; tried to access the wrong system, &#039;borrowed&#039; a colleague&#039;s account, &#039;clicked the wrong button&#039; or whatever, than for a hacker or other outsider to come up with a legitimate excuse for the same.  That gives insiders the time to explore and probe the controls at will without much fear of discovery or recrimination.  Large frauds tend to be preceded, I gather, by small frauds and incidents in which the fraudsters test out their approach, confirm that the preventive and detective controls are missing or inoperative, and plan The Big One.  Outsiders may only have one reliable chance to commit the fraud, so they are more likely, I suggest, to go straight for The Big One.

Anyway, thanks for setting me thinking this morning!

Kind regards,
Gary</description>
		<content:encoded><![CDATA[<p>Hi Warren.</p>
<p>I remember this insider versus outsider threat business blowing up about 5-10 years ago, when surveys were finding apparently contradictory numbers: external threats and attacks are far more numerous but most are trivial, while insider threats and attacks are more insidious, more successful and (probably) far more costly in total.  It makes sense that insiders have the long-term access, insider knowledge and plenty of opportunities to explore and probe weaknesses in internal controls.  Frauds, in particular, involve deliberate deception and concealment, so I am 100% certain that we don&#8217;t know about all of them.  On top of that, management are much less willing to admit to insider problems than external ones, so even good surveys are probably underestimating the scale of the insider problem.</p>
<p>There&#8217;s another issue here too &#8211; the matter of plausible deniability.  It is much easier for a wayward insider to claim he/she &#8216;accidentally&#8217; tried to access the wrong system, &#8216;borrowed&#8217; a colleague&#8217;s account, &#8216;clicked the wrong button&#8217; or whatever, than for a hacker or other outsider to come up with a legitimate excuse for the same.  That gives insiders the time to explore and probe the controls at will without much fear of discovery or recrimination.  Large frauds tend to be preceded, I gather, by small frauds and incidents in which the fraudsters test out their approach, confirm that the preventive and detective controls are missing or inoperative, and plan The Big One.  Outsiders may only have one reliable chance to commit the fraud, so they are more likely, I suggest, to go straight for The Big One.</p>
<p>Anyway, thanks for setting me thinking this morning!</p>
<p>Kind regards,<br />
Gary</p>
]]></content:encoded>
	</item>
</channel>
</rss>