John Beale was one of the highest paid government employees. A 10-year veteran of the Environmental Protection Agency (EPA), Beale defrauded the Federal Government of nearly $1M in employment wages and fraudulent travel.  Beale came under suspicion after it was noticed that the he was still being paid wages 19 months after his “retirement”. This began to shed light on his blatant and elaborate schemes to defraud the agency on the taxpayer’s dime.

He was paid for over two and a half years of “work” where he claimed to be serving on a project with the Central Intelligence Agency but was not working at all.  He rang up over $57,000 in travel expenses for an uncompleted project, many times expensing meals near his home in California when he was supposed to be travelling in another city or state.  To top it off, he fraudulently obtained a parking spot worth $200 per month based upon claims he contracted Malaria while serving in Vietnam. This was also not true.

Beale is a prime example of an insider threat. A well-established and trusted employee whose extensive experience allows them to commit a variety of types of internal fraud.

"The individual" is a prominent focus in today’s cybersecurity training.  Often referred to as “the weakest link”, an organization’s employees are frequent entry points for cyber criminals into a secure network environment.  Meticulous phishing schemes have become common, making it even more difficult to safeguard assets.  Security groups have stepped up training to help staff members spot questionable emails or social engineering attempts to obtain internal information. However, the threat will persist as mistakes are an unavoidable part of human nature.

Employees also introduce other risk to an organization, unrelated to any external hacker influence.  Employees serve in positions that can be ripe with fraud – such as Procurement.  Other positions also present a fraud risk, such as customer service representatives with access to personally identifiable information, internal program management, IT or administration, and systems administrators who often have broad reaching access to the organizations network environment.  While most employers vet potential job candidates, and the government will subjects certain positions to  security clearance background investigations, the risk still remains as individual’s circumstances and motivations can change overtime.  The FBI’s Robert Hanssen of the FBI, NSA contractor Edward Snowden, and US Army Private Manning all illustrate national security incidents, where security clearances failed to deter abuse of trust.  Agencies must develop policies that acknowledge that internal risks evolve, even at the individual employee level.

In all fairness to the EPA, who was subject to additional inquiries that surfaced a myriad of fraud and questionable practices, the John Beale situation really could have happened to any organization.  The fact is, most organizations may have policies and even controls in place, but they are rarely enforced and often completely overlooked.   For agencies, it’s difficult to turn the attention inward among the ranks of “our own”.  As human beings, we want to trust one another, especially those we have known for years.   However, recent events, including Beale’s fraud, have proven that organizations can no longer ignore these risks – and coupled with the external threats such as cybercrime – it’s imperative to improve prevention and detection of internal risk.

Employees can be an organization’s greatest assets, and its most vulnerable weakness.  Training and formal programs are a good start towards ensuring the integrity of an organization, but executives and security professionals must be proactive in looking at internal risk and where it can occur. The procurement process, individual employment wages or expenses, sensitive data and classified information are all ripe for insider attack.  Government organizations may not have profit margins or shareholders to motive them in addressing internal fraud, but they do have (and themselves are) taxpayers who ultimately end up paying the price.