The Fraud Examiner

Leaving the Door Open: When Fraud Happens From the Inside

Misty Carter, CFE, CIA, CISA
Research Specialist, Association of Certified Fraud Examiners

In 2016, the Ponemon Institute conducted a study to examine the financial impact insider threats pose to an organization. Based on results of the study, the total average cost of insider incidents was approximately $4.3 million annually — with the largest cost resulting from contractor and employee negligence (68%) and malicious insiders (22%). Breaches due to employee and contractor carelessness cost organizations $2.2 million annually, while those related to malicious insiders cost organizations $1.23 million per year. In addition, incidents by malicious insiders cost an average of $347,000 to resolve, while incidents due to employee carelessness cost organizations an average of $206,000. The findings of this study emphasize the need for organizations to be alert to insider threats by malicious insiders and internal weaknesses that contribute to employee negligence.

Insiders do not always act alone, and they may not even realize they are being used as part of a fraudulent scheme to obtain data. For example, an employee might unknowingly click on a link in an email from an unknown source that silently installs malware on their computer. Once the machine is compromised, the perpetrator can use the employee’s computer to exploit the organization’s networks and data systems, causing an external data breach that stems from internal negligence. Some examples are:

  • In August 2016, Whitehead Nursing Home was fined £15,000 when an employee took home an unencrypted laptop that was later stolen. The laptop contained medical information for 29 of Whitehead’s residents, including mental, physical and do-not-resuscitate records. The computer also contained data on 46 Whitehead staff members, such as disciplinary actions taken against employees and reasons for absences or sick leave. The data breach occurred because Whitehead had inadequate processes for data security and lacked adequate data protection training for its staff.
