Reimagining Your Approach to Insider Risk: Adopting an Intent-Based Approach to Threat Detection

Abstract

When insiders engage in misconduct, they typically do so on a date and time of their choosing. While conventional solutions market their effectiveness in reactively identifying wrongdoing, they rely on rules-based detection engines. To uncover any suspicious behaviors by an insider, which includes those involving employees, contractors, or trusted partners, the activity must violate a rule. Yet by the time an insider violates a rule, the scheme is often in progress and inflicting losses in some shape or form. 

Moreover, sophisticated insiders have ample opportunity to test a firm’s internal control environment for areas of weakness to exploit. As a result, their actions may never set off an internal trip wire. In fact, firms often uncover insider misconduct by accident. Additionally, the longer misconduct takes place, the greater the potential for financial losses, as well as increased regulatory scrutiny.

What if your firm could establish an insider’s intent, well before they engaged in misconduct? 

Using an intent-based technology solution to analyze written and spoken communications, your firm can uncover an employee’s attitude to the firm, ethics, and potentially, their intent to engage in misconduct, long before they put a plan into action. That’s possible when firms use a solution that combines natural language processing (NLP) and machine learning. Such an approach can unlock the intelligence hidden in mountains of written and spoken communications data created by insiders.

Introduction

Whether an insider intends to leave your firm, engage in fraud or sabotage, or conduct themselves in a way that violates your policies, their intent to do so often appears in their communications, long before the act. 

Yet while an insider may signal their intent in spoken or written communications, firms need the appropriate tools to locate and analyze those communications quickly, before the employee puts a plan into action. The more lead time a firm creates, the more likely they’ll be able to stop the misconduct, or limit the extent of the damage and compliance problems it creates.

In the aftermath of an insider becoming involved in misconduct, investigators routinely access their communications, including email, voicemail, and recorded calls. Hindsight coupled with these communications often helps establish an insider’s attitude towards ethics and their willingness to consider engaging in misconduct months, and sometimes years before they actually do so. 

While such information can help guide investigators should they interview the insider, or if they cooperate with law enforcement, these findings can provide a painful lesson on the ramifications of failing to detect the insider’s plans sooner.

Simply put: the clues often hide in plain sight, waiting for firms to discover them.

Breaking a Rule Isn’t Enough 

So why do firms struggle when it comes to detecting insider misconduct? Often, there’s a problem with the type of technology the firm uses. Conventional solutions use a set of rules to detect suspicious activity. Such tools prove effective under two conditions. First, the insider’s activity must correspond with the rules embedded within the software’s engine. For example, if a firm wishes to receive notifications for transactions over a certain amount, a rules-based approach can often satisfy that requirement. 

Second, a firm must possess the bandwidth to review and resolve every suspect in a timely manner. Unfortunately, not every scheme fits neatly with the schemes created by a software provider. And while many software packages allow for customization, due to the fear of missing a critical transaction, firms often overload their detection engines with rules that may or may not lead to suspicious transactions.

More importantly, a rules-based approach alone misses the point. It’s necessary but not sufficient in uncovering wrongdoing. In particular, it fails in a significant way: determining an insider’s intent is beyond its capabilities.

Establishing Intent

How employees think, feel and intend to act doesn’t exist in structured data and doesn’t lend itself to a rules-based approach or simple keyword searches. Far from it. An insider’s emails, phone calls, instant messages, and voicemails provide a window into their state of mind and their views about the firm and what they plan to do with their privileged access in the future.

However, having access to such data is just one piece of the puzzle. Establishing an insider’s intent embedded within their communications requires context. Words are meaningless without some mechanism to establish intent. 

That’s where keyword-based detections leave a lot to be desired. Searching for certain words or phrases requires an understanding of how employees communicate. It also requires the ability to establish context regarding how those keywords and phrases fit within the communications themselves.

Keywords and phrases also generate mountains of suspicious communications that require manual review to establish context. For firms without the resources to review every transaction, sampling a percentage of the suspicious communications they uncover is their only option. Inevitably, even the most sophisticated approaches to statistical sampling can result in the failure to select communications associated with misconduct. Even if the sample proves accurate, by the time a compliance professional or investigator reviews a suspect, weeks or more may have passed by, making the information stale and often unactionable. 

Improving Your Understanding and Connection with Employees

While uncovering misconduct is one of the primary benefits of using NLP to analyze communications, there are additional benefits for firms that adopt it. For a multitude of reasons, firms spend inordinate amounts of time, effort, and expense to maintain an open line of communication with insiders. From surveys, to town hall meetings, to open-door policies, firms create multiple channels for insiders to communicate. Nonetheless, how an insider feels about the firm, or how they plan to act in the future often appears in their written and spoken communications. Analyzing such communications using the right tool can uncover all manner of issues, from the mundane to the serious.

Consequently, firms can potentially reduce turnover by reengaging those who have become disengaged. For those intent on leaving the firm, forewarning can limit the insider’s access to critical infrastructure and data that they otherwise might feel entitled to disrupt or steal. 

Just as importantly, the more lead time a firm has regarding an insider’s plans to engage in misconduct, the more effective they will be in limiting the damage or stopping the activity entirely.

On multiple fronts, the use of NLP coupled with machine learning can provide firms with unparalleled insight into the minds of insiders, without overwhelming their compliance team, the information technology department, or management in the process. Such an approach isn’t limited to English, either. Once a firm perfects its detection models for English, it can transfer them to a foreign language.

Using NLP, firms can establish context and meaning by analyzing communications for their sentiment, emotions, and intentions in English or in a foreign language. Gaining this perspective converts the written and spoken word into actionable insights to support regulatory compliance while mitigating the losses associated with misconduct.

Written By
Robert Patrick

Senior Director of Product Management