In October, the IRS and the U.S. Treasury Department’s Inspector General for Tax Administration announced the latest indictment of an IRS employee who stole multiple identities and used them to open fraudulent credit-card accounts to fund $70,000 worth of vacations, shoes and other goods. The complaint accuses the 35-year-old federal worker of illegally using “the true names, addresses, dates of birth, and Social Security numbers” of at least three people.
An IRS call center employee pleaded guilty to illegally using taxpayer data to file fraudulent tax returns, while another admitted to improperly accessing the personal information of two taxpayers, amassing close to half a million dollars from illicit tax refunds.
On the heels of International Fraud Awareness Week in late November, it’s important to recognize that insider threats can take many forms.
For example, it was widely reported that delegates attending the 2013 G20 summit in St. Petersburg, Russia, were given USB storage devices and mobile phone chargers laden with malware designed to steal information. Sprinkling around infected USB sticks with an organization’s logo is an old tactic that can bring an organization to its knees. In short, we are all vulnerable.
In light of such incidents, the Federation of Tax Administrators stepped up efforts to educate tax agencies about the importance of employee activity oversight by engaging organizations like Carnegie Mellon University and SAS to teach agencies about insider threat monitoring.
While all of this may seem daunting, here is some basic guidance that can help an agency launch an insider threat monitoring program.
How State and Local Tax Agencies Can Start an Insider Threat Program
Many tax agencies have solid risk management offices in place that can serve as the foundation of a program. It’s a significant undertaking, so don’t let perfection be the enemy of the good.
Start small with the goal of initial operating capacity and have a long-term roadmap to full operating capacity when budget and resourcing permit.
There are three phases to reach initial operating capacity: Initiation, development and implementation.
Prepare Your Organization for a Major Shift Around Security
It’s best to plan and prepare the organization during the initiation phase for the paradigm change around employee security. Focus on baselining operations (as-is documentation) with your CIO, CISO and security managers. Document which insider threat ecosystem components and staffing are already in place and note their maturity level. This will shape all future direction and investment decisions.
Next, build your corporate team responsible for strategy and operations. Expand beyond executive leaders to include informal nonexecutive decision-makers and stakeholders such as employees from legal, IT, human resources, security, business divisions, labor unions, etc. They are often the lifeblood of the organization, and their support will be essential. Your long-term goal should be a completely independent insider threat team that ensures proper separation of duties and objectivity. A committee (such as an insider threat council) of key personnel is a good starting point.
Create your business case to justify the expenditure of resources. As a cost center, the program will need both startup and continued operating expenses that go along with the roadmap. The program must show stakeholders how the program will support their missions. Keep focus on value to business, not a role as gatekeeper. Don’t forget to include unintentional employee threats as a risk in your business case. Even the best employees make mistakes that can cause damage to the organization and taxpayers.
Once your business case has been approved and funded, you will begin to assemble your full insider threat team beyond the insider threat council. The former is your daily operational team, while the latter is more like a board of directors for the program. Identify and assign the work roles. There does not have to be a full-time equivalent for each role; they can be part-time. Seek to hire for human capital shortfalls. These teams are typically small and cross-functional, and include trusted and vetted staff from risk management, investigations, law enforcement, security and IT.
Conduct a Risk Assessment and Create an Action Plan
The next phase kicks off with a risk assessment that identifies and prioritizes several things:
- Critical assets, aka the “crown jewels” (taxpayer data or other sensitive data, refunds or refund vouchers, money in cashiering system, intellectual property, etc.)
- Potential human resource threats (employees, contractors, custodians)
- Known organizational vulnerabilities (loopholes in business processes, security gaps, lack of background or financial disclosure checks/rechecks)
Use these to assess your overall risk level and consider the estimated cost to protect. The ideal roadmap is a mixture of these constraints.
Using the results of the assessment and associated cost analysis, develop your action plan. This is your roadmap for implementing business processes, controls, solutions and countermeasures. This usually includes your core team, stakeholders, and vendors (if you’re looking externally for IT solutions).
Develop a roadmap driven by your highest-priority risks, with appropriate solution sets. People and process solutions are less expensive and may be entirely sufficient for some risks (e.g. continuous employment background checks).
However, for others, technology may be the only efficient option to effectively mitigate the risk (e.g. improved monitoring of employee email traffic, call logs and/or taxpayer account adjustments). Match solutions to each of the risks identified.
The next step is to develop an operating framework and policies. Strong policies with executive-level support and enforcement will be the glue that holds the entire program together. Include mechanisms for corporate leadership engagement (annual or quarterly briefings) and develop strategy documents and policies that support your action plan.
The best monitoring program will fail without obtaining employee support. Communicate how security can improve the work environment rather than focusing on employee wrongdoing. Employ positive messaging around prevention of workplace violence and protection of intellectual property and taxpayer data loss. Without employee support, the program will lose credibility, which could lead to employee turnover and other unintended consequences. Develop a messaging and communications plan and deliver the message — preferably from senior leadership, not the insider threat team.
Set Up an Insider Threat Monitoring System
Your action plan should include a data-driven, automated insider threat monitoring system. Determine what data sources you have available and map them back to the solutions developed in your action plan. Create data-sharing agreements. Understand the shape of the data (structured vs. unstructured) and what it will take to exploit it. Evaluate technology solutions appropriate for your data sources (text mining) and seek solutions that map well to your data sets. Map resources to analytic needs.
Develop a response capability for efficiently investigating and responding to insider threat alerts triggered either by the system or other means, such as tips and leads. Different types of threats (misconduct, policy violations, fraud, IP theft, sabotage) might have different processes.
Having an objective, fair and transparent investigation process ensures all employees are treated fairly and that the correct sequence of actions is taken to support possible legal prosecution. If necessary, consult legal and forensic authorities on how to do this properly. Determining workflows is critical (how responses will be handled, including roles and responsible officers).
Even an oversight team needs oversight. We call this “watching the watchers.” Create an entity or assign a person outside the insider threat team to ensure any potential conflicts of interest are mitigated and the program complies with existing legal and privacy requirements. This step will require the identification of resources and the creation of policy and procedures documents, reporting metrics/mechanisms, and feedback loops (lessons learned) into the insider program itself.
Final Words of Advice to Combat Insider Threats
If you’ve gotten this far, congratulations. You have started an insider threat program. I recommend it be designed and implemented separately from your integrated tax system initiative to prevent would-be foxes from watching the hen house. Work with a vendor who has done this before to save yourself time, money and frustration. And remember, insider threat programs aren’t big ROI generators. Until you hit the big one, they are cost centers. Therefore, executive support and sponsorship is critical.
The first step toward getting somewhere is to decide that you are not going to stay where you are. Tiptoe if you must but take that first step.