Threat of the Week: The Enemy Within
The estimate is that just one Bank of America employee who stole personally identifiable customer information has cost the institution $10 million in losses it has had to cover.
That crook was arrested, but the question on many lips is how many more insiders are looting credit unions and banks by pilfering not cash, but data?
“Management at many institutions is focused on the threats posed by outside hackers. They are not looking at insider threats,” said Alan Brill, a senior executive at security firm Kroll. “But we don’t think the insider problem has ever gone away.”
“Financial institutions spend money on perimeter controls – firewalls, for instance – but what protections do they have against the thief who already has a valid employee badge to get into the building?” asked Greg Blate, managing director of the Veritas Solutions Group, which focuses on security.
Here’s the difficulty: financial institutions literally have 1,000 years of experience balancing their books and noting irregular teller behavior. Short a till $10 and it will be detected and investigated.
But what about those customer credit reports? How well are they guarded? Understand: they are worth real money. “On black markets we see those reports going for $5 to $35 and higher,” said Randy Romes, a security investigator with CliftonLarsonAllen in Minnesota.
Credit unions are chockablock with highly valuable data. Every loan file has worth to a criminal interested in identity theft. Credit card information is worth money to a crook who wants to make fraudulent purchases. And the problem is that it’s not deleted. There isn’t less of it when a thief is done looting. It’s a crime of copying and that makes detection difficult.
Worse still – between BYOD (Bring Your Own Device) policies and the proliferation of free Internet tools to expedite file sharing (such as Dropbox), “it’s a perfect storm,” said Brill.
Just as troubling, many employees are downright cavalier about data and its protection. New research from Symantec found that 62% say it is acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications, and 56% do not believe it is a crime to use a competitor's trade secret information.
Would they think sharing your secrets is wrong?
Many also think it’s fine to take an employer’s information with them to their next job.
“People just don’t think it’s wrong to take data,” said Robert Hamilton, an expert with Symantec.
That attitude underlines why this is such an enormous threat to financial institutions. The magnitude of the threat was accentuated by an FBI warning that it had intelligence suggesting organized crime was seeking to infiltrate associates into banks and credit unions, with the intent of using them not to steal money but to steal information that could be turned into money.
What are credit unions doing to protect themselves?
A lot less than many wish.
Asked point blank about the protections he has in place against employee information theft, the CEO of an under $50 million California credit union admitted, “None. Please don’t print my name. I don’t want criminals applying for jobs here. But we have none. I don’t think we have needed them. Most of my employees have been here for years. We know each other. But with all the compliance costs we face, I don’t have the budget for another expense.”
That may be the industry norm, experts suggested.
Protections do exist, for institutions with budget. Usually two tactics are prescribed. One is software that looks for unusual network activity – say, 2 a.m. runs through the credit files of high net worth customers. The other hunts for and flags designated content, such as Social Security or credit card numbers.
When it finds an employee accessing this sensitive information, the system records what is being accessed and by whom, and forwards an email to a supervisor and/or a security professional. Some systems can also be programmed to shut down irregular activity, thus keeping most of the data in the building.
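The two tactics just described, shown as an added illustration that is not part of the article and not any vendor's product: a small Python script that runs both detectors over a constructed audit log. The log format (`timestamp|user|action|resource|payload`), the off-hours window, the read threshold and the `internal:`/`external:` destination prefixes are all assumptions made for the demo. The first rule counts off-hours reads of credit files per user; the second scans outbound emails and uploads for Social Security numbers and for card numbers that pass the Luhn check, notifying a supervisor for internal destinations and blocking external ones.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit log, not taken from the article. Fields are
# "timestamp|user|action|resource|payload"; payload is empty for plain reads.
SAMPLE_LOG = """\
2014-03-02T02:04:11|jdoe|READ|credit_file/cust_10421|
2014-03-02T02:04:19|jdoe|READ|credit_file/cust_10422|
2014-03-02T02:04:27|jdoe|READ|credit_file/cust_10423|
2014-03-02T02:04:35|jdoe|READ|credit_file/cust_10424|
2014-03-02T02:04:41|jdoe|READ|credit_file/cust_10425|
2014-03-02T02:05:02|jdoe|READ|credit_file/cust_10426|
2014-03-02T10:15:00|asmith|READ|credit_file/cust_20011|
2014-03-02T10:16:30|asmith|EMAIL|external:someone@mail.example|SSN is 123-45-6789 as requested
2014-03-02T11:02:10|bwong|UPLOAD|external:filesharing.example/share|card 4111 1111 1111 1111 exp 12/19
2014-03-02T11:05:00|bwong|EMAIL|internal:ops@cu.example|see order 1234567890123456 for details
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below
# so that ordinary long reference numbers do not trigger a card alert.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
OFF_HOURS_READ_THRESHOLD = 5  # assumed tuning value for the demo


def parse_log(log_text):
    """Turn the pipe-delimited log into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, payload = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "payload": payload})
    return records


def is_off_hours(ts):
    """Assumed quiet window: 22:00 to 06:00."""
    return ts.hour >= 22 or ts.hour < 6


def detect_off_hours_bulk_reads(records, threshold=OFF_HOURS_READ_THRESHOLD):
    """Rule 1: many credit-file reads by one user at an unexpected time."""
    counts = Counter(
        r["user"] for r in records
        if r["action"] == "READ" and r["resource"].startswith("credit_file/")
        and is_off_hours(r["ts"])
    )
    return [{"rule": "off_hours_bulk_reads", "user": user, "count": n, "response": "notify"}
            for user, n in counts.items() if n >= threshold]


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sensitive_kinds(text):
    """Which designated content types appear in the text."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.append("card")
    return kinds


def detect_sensitive_content(records):
    """Rule 2: flagged content leaving via email or upload; block if external."""
    alerts = []
    for r in records:
        if r["action"] not in ("EMAIL", "UPLOAD"):
            continue
        kinds = sensitive_kinds(r["payload"])
        if not kinds:
            continue
        external = not r["resource"].startswith("internal:")
        alerts.append({"rule": "sensitive_content", "user": r["user"],
                       "destination": r["resource"], "kinds": kinds,
                       "response": "block" if external else "notify"})
    return alerts


def analyze(log_text):
    records = parse_log(log_text)
    return detect_off_hours_bulk_reads(records) + detect_sensitive_content(records)


def supervisor_message(alert):
    """Text of the notification that would be emailed to a supervisor."""
    detail = (f"{alert['count']} off-hours credit-file reads" if "count" in alert
              else f"{', '.join(alert['kinds'])} sent to {alert['destination']}")
    return f"[{alert['response'].upper()}] {alert['user']}: {detail}"


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(supervisor_message(a))
```

The Luhn step is the part worth copying: a bare 13-19 digit regex fires on order numbers and timestamps, and a content monitor that cries wolf is quickly tuned off. The threshold and the quiet window would come from the institution's own access baseline rather than the constants used here.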
The controls work, said experts. At what price?
The CEO of a $300 million California credit union said that his institution uses specialty analyzer software that monitors the institution’s network 24/7. He put the one-time cost at $500. The software’s job is to stay alert to traffic on the network and, in particular, to note traffic anomalies (such as transferring many credit files at an unexpected time).
The same credit union also owns an Oracle Data Pump that provides fine-tuned insights into what data is in motion on the network. He put the cost at $15,000. “We monitor data as it moves in and out of the IT room.”
The same institution also prohibits employees from copying information to a thumb drive – that capability has been disabled at workstations, said this CEO, who requested anonymity because he did not want to go on the record publicly about his institution’s protections.
Does he feel safe? He said he feels much safer than he would without these protections but it also is a game where criminals often seem to have a head start and credit unions have to catch up.
“So many credit unions think, our people would never do this to us,” he added. “I hope not. But you just don’t know. That’s why we have protections. You don’t know.”