By one estimate, a single Bank of America employee who stole personally identifiable customer information cost the institution $10 million in losses it has had to cover.

That thief was arrested, but the question on many lips is how many more insiders are looting credit unions and banks by pilfering not cash but information.

“Management at many institutions is focused on the threats posed by outside hackers. They are not looking at insider threats,” said Alan Brill, a senior executive at security firm Kroll. “But we don't think the insider problem has ever gone away.”

All eyes lately are on DDoS attacks and advanced persistent threats, but that focus may be ignoring a much bigger and more dangerous threat: the enemy within.

“Financial institutions spend money on perimeter controls – firewalls, for instance – but what protections do they have against the thief who already has a valid employee badge to get into the building,” asked Greg Blate, managing director of the Veritas Solutions Group, which focuses on security.

Here's the difficulty: financial institutions have, quite literally, 1,000 years of experience balancing their books and spotting irregular teller behavior. Short a till by $10 and it will be detected and investigated.

But what about those customer credit reports? How well are they guarded? Understand: they are worth real money. “On black markets we see those reports going for $5 to $35 and higher,” said Randy Romes, a security investigator with CliftonLarsonAllen in Minnesota.

Credit unions are chockablock with highly valuable data. Every loan file has worth to a criminal interested in identity theft. Credit card information is worth money to a crook who wants to make fraudulent purchases. And the problem is that stolen data is not deleted: there is no less of it when the thief is done looting. It is a crime of copying, nothing goes missing from the books, and that makes detection difficult.

Worse still, between BYOD (Bring Your Own Device) policies and the proliferation of free Internet tools that expedite file sharing (such as Dropbox), “it's a perfect storm,” said Brill.

And many employees are downright cavalier about data and its protection. New research from Symantec found that 62% say it is acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications, and 56% do not believe it is a crime to use a competitor's trade secret information.

Would they think sharing your secrets is wrong?

Many also think it's fine to take an employer's information with them to their next job.

“People just don't think it's wrong to take data,” said Robert Hamilton, an expert with Symantec.

That attitude underlines why insiders are such an enormous threat to financial institutions. The magnitude of the threat was underscored by an FBI warning that it had intelligence suggesting organized crime was seeking to place associates inside banks and credit unions, with the intent of using them not to steal money but to steal information that could be turned into money.

What are credit unions doing to protect themselves?

A lot less than many wish.

Asked point blank about the protections he has in place against employee information theft, the CEO of an under $50 million California credit union admitted, “None. Please don't print my name. I don't want criminals applying for jobs here. But we have none. I don't think we have needed them. Most of my employees have been here for years. We know each other. But with all the compliance costs we face, I don't have the budget for another expense.”

That may be the industry norm, experts suggested.

Protections do exist, for institutions with the budget. Usually two tactics are prescribed. One is software that looks for unusual activity on the network and in core systems, say a 2 a.m. run through the credit files of high-net-worth customers. The other hunts for and flags designated content, such as Social Security or credit card numbers, wherever it is stored or moves.

When such a system sees an employee accessing sensitive information, it records what is occurring and by whom, and forwards an alert by email to a supervisor and/or a security professional. Some systems can also be configured to shut down the irregular activity outright, thus keeping most of the data in the building.
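
As an added illustration of the two tactics just described (this is not code from the article or from any vendor product it mentions), the Python script below runs both checks over a constructed access log. It flags Social Security numbers and Luhn-valid card numbers in the records an employee touches, and it flags a user who opens more than a threshold of sensitive files outside business hours within a single hour. The log format, the field names, the 07:00 to 19:00 business window and the five-file threshold are all assumptions; a real deployment would read the core system's audit trail and tune those values.

```python
"""Toy insider-threat monitor: content scanning plus off-hours bulk access.
Added illustration for the article's two tactics; not a product's code.
The log format, thresholds and business hours below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp|user|record_type|record_id|payload
SAMPLE_LOG = """\
2024-03-04T02:05:11|jdoe|credit_report|CR-1001|name=A. Smith ssn=123-45-6789
2024-03-04T02:05:40|jdoe|credit_report|CR-1002|name=B. Jones ssn=987-65-4321
2024-03-04T02:06:02|jdoe|credit_report|CR-1003|name=C. Lee
2024-03-04T02:06:30|jdoe|credit_report|CR-1004|name=D. Kim card=4111111111111111
2024-03-04T02:07:01|jdoe|credit_report|CR-1005|name=E. Wu
2024-03-04T02:07:45|jdoe|credit_report|CR-1006|name=F. Cho card=4111111111111112
2024-03-04T10:15:00|msmith|loan_file|LN-2001|name=G. Ray
2024-03-04T10:16:00|msmith|credit_report|CR-1007|name=H. Ito ssn=111-22-3333
"""

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumption)
BULK_THRESHOLD = 5                     # distinct sensitive files per user per hour (assumption)
SENSITIVE_TYPES = {"credit_report", "loan_file"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")  # candidate PANs; confirmed by Luhn below


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(payload):
    """List SSN-shaped and Luhn-valid card-shaped values found in a record payload."""
    hits = ["ssn:" + m for m in SSN_RE.findall(payload)]
    hits += ["card:" + m for m in CARD_RE.findall(payload) if luhn_ok(m)]
    return hits


def parse_line(line):
    ts, user, rtype, rid, payload = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "type": rtype, "id": rid, "payload": payload}


def detect(log_text):
    """Run both rules over the log and return alerts for routing to a supervisor."""
    alerts = []
    per_user_hour = defaultdict(set)   # (user, hour bucket) -> distinct record ids
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["type"] not in SENSITIVE_TYPES:
            continue
        # Rule 2: designated content (SSNs, card numbers) in the records being read.
        for hit in find_sensitive(ev["payload"]):
            alerts.append({"rule": "content", "user": ev["user"], "record": ev["id"],
                           "ts": ev["ts"], "detail": hit, "action": "notify"})
        # Rule 1: bulk access to sensitive files outside business hours or on a weekend.
        off_hours = ev["ts"].hour not in BUSINESS_HOURS or ev["ts"].weekday() >= 5
        if off_hours:
            bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
            seen = per_user_hour[(ev["user"], bucket)]
            seen.add(ev["id"])
            if len(seen) == BULK_THRESHOLD:   # fire once when the threshold is crossed
                alerts.append({"rule": "off_hours_bulk", "user": ev["user"],
                               "record": ev["id"], "ts": ev["ts"], "action": "block",
                               "detail": f"{BULK_THRESHOLD} sensitive files since {bucket.isoformat()}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"].isoformat()} {a["rule"]:<15} {a["user"]:<8} {a["record"]:<8} '
              f'{a["action"]:<7} {a["detail"]}')
```

Each alert carries the user, record and timestamp so it can be emailed to a supervisor; the off-hours rule returns a "block" action and the content rule a "notify" action, mirroring the two responses described above. Confirming card-shaped digit runs with the Luhn checksum rather than a bare 16-digit pattern cuts the false positives that account and reference numbers otherwise produce; the constructed log includes one card-like value that fails the check for exactly that reason.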

The controls work, experts said. But at what price?

The CEO of a $300 million California credit union said that his institution uses specialty analyzer software that monitors the institution's network 24/7. He put the one-time cost at $500. The software's job is to stay alert to traffic on the network and, in particular, to note traffic anomalies (such as transferring many credit files at an unexpected time).

The same credit union also owns an Oracle Data Pump that provides fine-tuned insights into what data is in motion on the network. He put the cost at $15,000. “We monitor data as it moves in and out of the IT room.”

The same institution also prohibits employees from copying information to a thumb drive – that capability has been disabled at workstations, said this CEO, who requested anonymity because he did not want to publicly go on the record about his institution's protections.

Does he feel safe? He said he feels much safer than he would without these protections, but it also is a game where criminals often seem to have a head start and credit unions have to catch up.

“So many credit unions think, our people would never do this to us,” he added. “I hope not. But you just don't know. That's why we have protections. You don't know.”

© 2024 ALM Global, LLC, All Rights Reserved.