Identify your unknown unknowns and protect your organisations from corporate fraud and insider threats

With more employees working from home, fraud and insider threat are on the rise. But where, as an organisation, do you begin to look for these threats – the unknown unknowns? New technology can help, says Mark Bishop

recent study of three million workers across 16 global cities revealed COVID has consigned the traditional nine-to-five day to history (if it wasn’t already). What’s more, 16% of US workers say they will be working from home after COVID and with the second wave currently sweeping across Europe it feels as if this will be the norm for a while longer.


While there is no doubt that working from home brings numerous benefits and fears that productivity will suffer are largely unfounded, with more workers out of the office and working alone it does increase the potential for fraud and insider threat. But knowing this and being able to do something about it are two totally different things. Fraud analysis and corporate threat are two problems fundamentally centred on identifying the unknown. But where do organisations begin looking and what do they look for?


In this blog post I summarise a presentation I gave during Behavioural Analysis Week highlighting the shortcomings of traditional methods and showing how modern techniques can help by removing the substantial barrier of actually knowing what to look for.

 If you don’t know what (or when) you are looking for, where do you start? 


In practical terms, what do you type into your search bar? This is not a new problem and over 2000 years ago Plato himself mused that if you know what you are looking for enquiry is unnecessary, and if you don’t know what you are looking for enquiry is impossible. Therefore, enquiry is unnecessary or impossible. While the logic is infallible it’s not very helpful to a modern organisation. The solution that Plato suggests relies on his theory of recollection, wherein knowledge exploration and discovery is merely our recollection of timeless forms from a period long before our immortal souls were imprisoned inside our physical bodies. And, once again, while one shouldn’t question the veracity of the solution, it’s not very practical in the days of home working which is why FACT360 relies on AI and unsupervised machine learning.


If you know what you are looking for enquiry is unnecessary…


Typically, technology for insider threat detection focuses on security information management (SIM) and security event management (SEM) deploying models of known values and norms to highlight unusual behaviours. Information governance processes such as SIM and SEM identify and track access to so-called critical value data and flag unusual network activity. But this relies on defining the critical data in the first instance and identifying threats it may face. Therefore it is only really a defence against what you already know, what former US Secretary of Defense Donald Rumsfeld called the ‘known knowns’.  And while user and entity behaviour analytics can be used to flag anomalous network activity, these techniques can miss hostile action that mimics normal behaviour.


Luckily there is a solution. And it is a rare instance when ignorance is bliss as there is no need to identify the threat in the first place.


Ignorance can be bliss


FACT360’s solution was inspired by ‘traffic analysis’ developed by Gordon Welchman during the Second World War at the UK’s Bletchley Park. Welchman’s techniques examined the characteristics of enemy messages, such as volume, direction and time, rather than the message content itself. And it is his techniques that FACT360 has built upon and now applies to corporate communication networks detecting subtle changes in behaviour characteristic of covert activity.


FACT360’s analysis treats each communication across a corporate network as a ‘transaction’ with the subsequent transactional analysis the first stage of the process identifying the key people and events. Using emails and, when available, phone and meeting records, it can model the communication of everyone within an organisation and then, by highlighting anomalies in the data, it reveals automatically the unknown unknowns highlighting potentially critical behavioural change.


And while it can gain significant insight without analysing the content of messages it takes the analysis one stage further using natural language processing to identify and group clusters of related communication, revealing the key concepts being discussed across the various corporate communication channels.


The final stage is anomaly detection. Here we use changepoint analysis to identify subtle break points in the communication time series where relevant change has occurred. And this can successfully detect important changes even when they are invisible to the naked eye. By dynamically highlighting behavioural change across employee communication networks, FACT360 can flag in real time any suspicious communications.


Using these techniques technology can be deployed for real-time insider threat detection, highlighting subtle change in communications and it can also be used to focus purely on historical data and expedite the investigation and evidence gathering process during fraud investigations. In other words, it helps you identify your unknown unknown threats, providing some certainty in these uncertain times. 

Mark Bishop

Mark Bishop is chief scientific officer at FACT360 and a former director of TCIDA (The Centre for Intelligent Data Analytics) and professor of cognitive computing at Goldsmiths, University of London. He has been invited to advise on AI policy at the UN, EC and UK.