The Fraud Blog with Tracy Kitten

Execs Say Hackers Are Primary Concern

Insider Threats Are Secondary Worries

In a recent survey conducted by Symantec, executives across multiple industries agreed that external hackers are a greater concern for enterprise IT security than internal or insider threats.

According to the global 2011 State of Security Survey, which Symantec published Wednesday, 29 percent of the 3,300 businesses that were surveyed said their organizations experience cyberattacks on a regular basis; 71 percent saw attacks in the last 12 months. And one in five businesses said they've seen an increase in the frequency of attacks, citing top attack vectors as malicious code, social engineering and external malicious attacks.

Nearly half of the respondents characterized security threats from hackers as being "somewhat" or "extremely" significant. And about one-third said they have concerns about state-sponsored attacks.

Symantec's poll also revealed concerns about insider threats. But relative to threats from hackers, insider threats came in a solid second. About 46 percent said they have concerns about inadvertent compromises accidentally waged by well-meaning insiders, while 44 percent said they have concerns about malicious insiders.

It's good that executives understand insiders pose risks, but are they misguiding their attentions and security investments by focusing too much on external threats and not enough on thwarting internal fraud?

This is what I like and dislike about surveys. In truth, it's anyone's guess.

Executives in the Symantec survey estimated financial losses associated with cyberattacks in 2010 cost the average small business at least $100,000, while the average loss for a corporation or enterprise was approximately $271,000.

Those are significant losses, but compare them to losses we've seen within the banking industry, attributed to insider fraud.

In June, the arrest of former Citi employee Gary Foster revealed an alleged embezzlement of more than $19 million from Citi and its customers over a six-month period. Foster's intricate yet relatively simple scam, which involved ACH and wire transfers, flew under the radar.

And remember that internal breach Bank of America revealed in May, the one that involved the sale of accountholder details for 300 bank customers in California and other Western states? While working for BofA, the employee allegedly leaked personally identifiable information, such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances, to a ring of criminals. Losses associated with that breach were estimated to be in the $10 million range, and that only includes what was drained from customer accounts.

Shirley Inscoe, author of "Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them," says most banks have done a poor job of keeping up with internal threats. [See Database Security Policies Needed.]

I have to agree. And according to insights I gathered this week from other industry experts, the focus on internal threats should be heightened during times of economic downturn, when industry layoffs increase.

Banks around the world have been cutting jobs and salaries as a result of lost revenue and unstable stock prices. Earlier this month, BofA announced plans to cut 3,500 jobs. UBS, Citigroup, ABN Amro, Barclays, Credit Suisse, Goldman Sachs, HSBC, Lloyds, and Wells Fargo also have announced similar plans to reduce expenses by cutting staff.

"Fraud threats always rise during times of economic downturn, where people do things they wouldn't ordinarily do due to financial duress," says Aite financial fraud analyst Julie McNelley. "To that extent, the internal fraud threat will be elevated as the economic downturn persists. Layoffs can add to that threat, as disgruntled employees try to inflict some damage as they leave."

Banks are aware of the risks, but those risks are not easy to mitigate without constant technology investments.

"Even though banks have steps and technology in place, it's easy for insiders to get around some of this," says financial fraud expert George Tubin. "In some cases, there has been fraud that's gone on for 20 years."

Basing internal-threat detection on psychology or on a change in behavior or lifestyle is tricky. "It's not very accurate, and you can't always catch everything," Tubin says.

"From a technology standpoint, you can monitor what data and systems your internal staff is accessing," he adds. "If somebody grabs a file with a lot of customer information on it, let's find out why they accessed it."

But without constant updates and new investments, banks and credit unions are not going to be able to keep up. Remember, the people within your organization know your systems better than any outsider, and as soon as you implement something new, it won't take them long to figure out how to get around it.
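The access monitoring Tubin describes, and the heightened scrutiny of departing staff McNelley argues for, can be made concrete in code. The following is an added example written for this post, not code from the author, Symantec or any bank: it parses constructed access-log lines, totals the customer records each employee exported in a day, and flags the pulls an investigator should review. The log format, the user names, the thresholds and the "departing staff" watch list are all assumptions.

```python
"""Insider data-access monitoring (constructed illustration).
Totals customer records each employee exported and flags users who exceed
a daily limit; staff on a departing-employee watch list get a tighter limit."""
import re
from collections import defaultdict

# Constructed sample log lines: timestamp user action resource rows=<count>
SAMPLE_LOG = """\
2011-09-01T09:02:11 jdoe   read   acct_lookup       rows=1
2011-09-01T09:15:40 jdoe   read   acct_lookup       rows=1
2011-09-01T10:30:05 asmith export customer_master   rows=4800
2011-09-01T11:02:00 bwong  export branch_accounts   rows=120
2011-09-01T13:45:12 asmith export customer_contacts rows=2600
2011-09-01T16:10:33 bwong  read   acct_lookup       rows=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<resource>\S+)\s+rows=(?P<rows>\d+)$")

# Hypothetical policy: records exported per user per day that warrant a review.
DEFAULT_LIMIT = 1000
WATCHLIST_LIMIT = 100  # tighter limit for staff who have been given notice


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            yield rec


def flag_bulk_access(text, watchlist=frozenset()):
    """Return {user: exported_rows} for users whose daily export total
    exceeds their limit (the watch-list limit if they are on the list)."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        if rec["action"] == "export":
            totals[rec["user"]] += rec["rows"]
    flagged = {}
    for user, rows in totals.items():
        limit = WATCHLIST_LIMIT if user in watchlist else DEFAULT_LIMIT
        if rows > limit:
            flagged[user] = rows
    return flagged


if __name__ == "__main__":
    # bwong's 120-row export is only flagged because of the watch list.
    print(flag_bulk_access(SAMPLE_LOG, watchlist={"bwong"}))
```

The point of the watch list is the one McNelley makes: the same export that is routine for an employee in good standing deserves a second look during a layoff period.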

Managing risk and mitigating losses has to be a fluid, ever-evolving process, one that requires diligence, perpetual attention and safeguards that keep you from overlooking the seemingly little stuff.



About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



