Cyber Crime and Financial Institutions: Recent Study Results and Lessons Learned
In 2003 and 2004, the U.S. Secret Service and Carnegie Mellon University joined efforts to conduct a unique study of illicit cyber activity. The study focused on incidents committed by “insiders” – individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm.
The study divided the affected business and industry victims into several sectors. This article focuses on insider incidents involving the banking and finance sector, which includes businesses such as credit unions, banks, investment firms, credit bureaus and others. It examines 23 incidents carried out by 26 insiders between 1996 and 2002. Of the 23 incidents, 15 involved fraud, four involved theft of intellectual property and four involved sabotage to the information system or network.
The results of this study are summarized here in the hope that they can help you improve your IT security practices. The information below represents seven major findings observed across the insiders and incidents studied in the banking and finance sector. We’ll end with a summary of lessons learned from these incidents.
Finding 1: Most of the incidents were not technically sophisticated or complex. They typically involved exploitation of non-technical vulnerabilities such as business or organization policies. They were carried out by individuals who had little or no technical expertise.
Finding 2: Most of these incidents were thought out and planned in advance. In most of the incidents, others had knowledge of the insider’s intentions and were often directly involved in the planning or stood to benefit from the activity. These “others” sometimes involved coworkers, friends and family members.
Finding 3: The insiders were sometimes motivated by revenge, dissatisfaction with management, culture or policies, or a desire for respect, but the primary motive was financial gain. Twenty-seven percent of these insiders were experiencing financial difficulties at the time of the incident.
Finding 4: No common profile of the perpetrator emerged from the study. Job assignment, age, sex, race and marital status varied. Most did not hold a technical position, did not have a history of “hacking” or engaging in technical attacks, and were not perceived as problem employees. It is noteworthy, however, that more than 25 percent of the insiders had a criminal record prior to their incidents. A significant number were known as disgruntled employees, were difficult to manage, or displayed some concerning behavior prior to the incident.
Finding 5: Incidents were detected by a variety of methods. Most were discovered by non-security personnel. More than one-third were discovered by customers, one-third were detected by security professionals, and approximately one-third by supervisors or other non-security personnel. The insiders were caught primarily through manual or non-automated procedures, system failures or irregularities, or existing auditing or monitoring procedures.
Finding 6: The victim organizations were the ones who suffered the loss. Nearly all of the victim organizations experienced financial losses, ranging from $168 to more than $691 million.
Finding 7: Most of the perpetrators committed the acts at the workplace and during normal work hours. More than 80 percent of the incidents took place physically from within the organization. The others were carried out from the insiders’ homes through remote access, and half of these involved some action at the workplace as well.
Here is a brief summary of the lessons learned from this study. Following these suggestions might prevent your organization from becoming the next victim of cyber crime committed by an employee or former employee:
• Evaluate your IT security procedures. Secure your network from the full range of users. Minimal technical skill was required in most of the incidents involved in this study.
• Incidents were planned in advance. Others are frequently aware of suspicious activity. Develop awareness training for employees and provide a process for reporting such activity.
• Financial gain was the primary motive in these cases. Stick to a rigorous audit and reconciliation policy. When terminating employees, discontinue their access to your system BEFORE they are told of the termination. This may help prevent sabotage attempts by a disgruntled employee.
• Understand that common perceptions about who might commit crimes can be misleading. Criminal record checks on prospective and current employees can be revealing. Train managers to identify and deal with employees identified as difficult to manage.
• Incidents in the study were identified by a variety of methods. Conduct security awareness training and create a work environment where all employees understand the importance of their participation in safety and security responsibilities. Continually evaluate your auditing and monitoring procedures.
• The victim bank or financial organization suffered the financial losses in these cases. Conduct vulnerability studies. Determine who has access to your assets and the type of access. Develop and continually evaluate access controls.
• If remote access to your system by employees is necessary, limit each employee’s remote access to critical data and information. Develop a policy to monitor remote log-on information. Investigate any suspicious or unusual activity.
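As an added illustration of the last two points (revoking access before termination is announced, and monitoring remote log-ons for access to critical data), the following Python script reviews a handful of remote-access records against a simple policy. It is not part of the article or of the Secret Service/CMU study; the log format, the account names, the resource paths, the business-hours window and the termination list are all constructed for this example.

```python
"""
Constructed example: review remote log-on records for the conditions the
lessons above call out. Nothing here comes from the study itself; the log
format and every value in it are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed log lines: timestamp, account, session origin, resource touched.
SAMPLE_LOG = """\
2002-03-04T09:12:00 jdoe remote /shared/marketing/brochure.doc
2002-03-04T22:47:00 jdoe remote /finance/wire-transfers/batch.csv
2002-03-05T02:15:00 asmith remote /finance/ledger/general.dat
2002-03-05T10:05:00 bchen onsite /finance/ledger/general.dat
2002-03-06T11:30:00 asmith remote /hr/handbook.pdf
"""

# Constructed policy inputs. TERMINATED maps an account to the moment its
# access should already have been disabled (the lesson: revoke BEFORE the
# employee is told). CRITICAL_PREFIXES lists data that remote sessions should
# not reach. The business-hours window follows Finding 7.
TERMINATED = {"asmith": datetime(2002, 3, 4, 17, 0)}
CRITICAL_PREFIXES = ("/finance/",)
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    account: str
    reason: str


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, account, origin, resource) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, origin, resource = line.split()
        records.append((datetime.fromisoformat(ts), account, origin, resource))
    return records


def review_remote_logons(records):
    """Return one Finding per policy condition met by each remote record."""
    findings = []
    for ts, account, origin, resource in records:
        if origin != "remote":
            continue  # on-site activity is reviewed by other controls
        cutoff = TERMINATED.get(account)
        if cutoff is not None and ts >= cutoff:
            findings.append(Finding(ts, account, "remote log-on after access should have been revoked"))
        if resource.startswith(CRITICAL_PREFIXES):
            findings.append(Finding(ts, account, "remote session reached critical data"))
        if not (BUSINESS_START <= ts.time() <= BUSINESS_END):
            findings.append(Finding(ts, account, "remote log-on outside business hours"))
    return findings


if __name__ == "__main__":
    for f in review_remote_logons(parse_log(SAMPLE_LOG)):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.account:8} {f.reason}")
```

Each finding is a prompt for a human to investigate, as the lesson says, not a verdict; the value of the check lies in the two lists being kept current, particularly the termination list, which must be updated before the employee is notified for the check to do any good.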
The full text of this Insider Threat Study can be found on the U.S. Secret Service Web site at www.secretservice.gov.
J. Branch Walton is president of the National Association for Bank Security – Profit Protection LLC in Ft Lauderdale, Fla. He is a retired Secret Service agent, former Indiana University faculty member and former director of corporate security for Cummins Engine Co. He may be contacted via e-mail at firstname.lastname@example.org.