Jamie Davis, Education and Product Manager

There are thirty-three reported breaches in 2010 for financial institutions as of the first of June.  These thirty-three breaches have led to 1,817,328 known records being compromised and many more unknown at this time.  Here is a breakdown of where these breaches originated:[1]

Employee intentional
  • Former employee access
  • Current employee access
Employee accidental
  • Stolen laptops (from office)
  • Virus/Malware
  • Stolen backups
  • Incorrect procedure
Vendor: 1
Hack: 4
Software vulnerability: 2
Social engineering/ATM skimming: 5
Unknown: 1

What the numbers above represent is who or what was at fault.  I’ve always theorized that employees are the greatest threat to information security for financial institutions.  These numbers strongly back up this premise.  Sixty-one percent of the breaches examined related in some way to an employee’s actions.  If the data above holds true for the rest of 2010, the number one threat to information security is not a phishing scam, nor your network being hacked, not even a social engineering scheme; it is simply your employees not following procedures, or being allowed access to more information than they need without the appropriate controls and monitoring.

Think back to the past year. How much did you spend on firewalls, IPS, security monitoring, vulnerability testing, etc.?  Probably thousands of dollars were spent in services, hardware, maintenance fees, etc.  How much did you spend on training your employees?  How much did you spend on software, hardware, and services to limit and monitor employee access?  In many cases, this number is much less.  You could argue that those thousands of dollars spent on the security of your communications have led to the lack of issues in this area.  I would agree.  With breaches in this area being low, this is money well spent in the information security of your institution.  You could argue that the cost to the institution of being “hacked” is much higher than most employee related issues that occur.  In many circumstances this is true also.  If you include the financial loss, reputation hit, and customer reaction to a notification of being hacked, your investment is well spent.

The numbers above represent a definite need for more focus on the employee risks.  If the following recommendations had been followed, many of the employee-related breaches above could have been avoided:

  • Change Control process followed when employees leave the financial institution
    • Appropriate documentation sent to the administrator, other key employees, and appropriate vendors in a timely manner
  • Antivirus and malware software installed and monitored on all machines
  • Laptops encrypted and stored appropriately
  • Backup tapes/drives logged, tracked, and encrypted
  • Employees only given access to folders and software they need to perform their job duties
  • Employees trained and tested on appropriate procedures
  • Limit access to endpoints such as USB drives
    • At least two of the breaches dealt with employees downloading data to external hard drives and walking out the door with the data
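As an added illustration (not code from the original post), one way to turn the change-control, least-access and monitoring recommendations above into a concrete check: correlate an HR departure roster with access-log lines and flag both access after an employee's last working day and bulk customer-data exports in the days before it, the two patterns the former-employee quotes below describe. The roster, log lines, seven-day window and 100-record threshold are all constructed, assumed values.

```python
"""Flag departure-related access patterns: logins after an employee's last
working day, and bulk customer-data exports shortly before it.
Every roster entry, log line and threshold is constructed for illustration."""
from datetime import date, timedelta

# Constructed HR roster: user -> last working day (None = still employed)
ROSTER = {
    "jsmith": date(2010, 5, 14),
    "amiller": date(2010, 5, 28),
    "rlee": None,
}

# Constructed access-log lines: date,user,action,object,record_count
ACCESS_LOG = """\
2010-05-13,jsmith,EXPORT,customer_master,48000
2010-05-17,jsmith,LOGIN,vpn,0
2010-05-20,amiller,READ,loan_apps,12
2010-05-26,amiller,EXPORT,mortgage_apps,950
2010-06-01,rlee,EXPORT,customer_master,3
"""

PRE_DEPARTURE_WINDOW = timedelta(days=7)  # assumed review window before departure
BULK_THRESHOLD = 100                      # assumed record count that counts as "bulk"


def parse_log(text):
    """Parse the CSV-style log text into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        d, user, action, obj, count = line.split(",")
        rows.append({"date": date.fromisoformat(d), "user": user,
                     "action": action, "object": obj, "count": int(count)})
    return rows


def find_findings(rows, roster):
    """Return (user, date, reason) tuples an investigator should review."""
    findings = []
    for r in rows:
        last_day = roster.get(r["user"])
        if last_day is None:
            continue  # still employed or not on the roster: no departure rule applies
        if r["date"] > last_day:
            findings.append((r["user"], r["date"], "access after termination"))
        elif (r["action"] == "EXPORT" and r["count"] >= BULK_THRESHOLD
              and last_day - r["date"] <= PRE_DEPARTURE_WINDOW):
            findings.append((r["user"], r["date"], "bulk export before departure"))
    return findings
```

Run with `find_findings(parse_log(ACCESS_LOG), ROSTER)`; the departed-user login and the two pre-departure exports are reported, the small export by the current employee is not.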

Furthermore, how many of the quotes below could potentially happen to your institution?[2] *Note: institution names were removed from the quotes.*

“unencrypted portable drives was stolen from an employee’s vehicle”

“could not locate a CD containing customer information, including names, dates of birth, and Social Security numbers”

“A former employee took customer information and gave it to accomplices”

“A financial advisor reported that a laptop was missing from his desk… contained sensitive customer data.”

“laptop stolen that contained customer account information, names, and Social Security numbers. Although the data were encrypted it is possible that security access information may also have been stolen with the computer.”

“unauthorized use of their database of clients”

“former employee had accessed customer information on its network”

“former employee stole bank customers’ names, addresses, dates of birth and social security numbers”

“A backup hard drive containing the names, social security numbers and bank account information for 953 customers was stolen”

“former employee had downloaded a report with customer’s personal and financial information before leaving his employment”

“delivered CDs containing personal shareholder information to another financial institution client”

“An employee who worked for 6 weeks stole enough mortgage application information to steal nearly 100 people’s identities”

“a mortgage broker discarded consumers’ personal financial records in a publicly-accessible dumpster”

“A former switchboard operator took customer information and gave it to accomplices who in turn withdrew more than $200,000 from 13 bank customers’ accounts”

“notified some of its 28,000 members that members names, addresses, phone numbers, account numbers and Social Security numbers were compromised when files were not properly moved during an office relocation.”

Performing a risk assessment on your employees may be the first step in resolving this issue.  Define all the risks your employees pose and then define controls and monitoring criteria.  This may be your most comprehensive and detailed risk assessment as you think about each aspect of your employees’ interaction with data and the appropriate controls for each.  The results should be a map or plan of all the changes, additions, and implementations needed to fully secure information.  This may involve some cost in implementing the appropriate controls.  However, if you compare this cost to the potential cost of issuing new checks, debit cards, security monitoring/fraud protection, etc. to all the customers compromised by a rogue employee, the cost might not seem that high.  If you also weigh in the reputation hit and lack of customer trust that would ensue from such an incident, you may not even consider it a “cost” at all.

In conclusion, there are two keys when it comes to breaches.  One key is prevention.  The second key is how your institution responds to a breach.  Lou Holtz once said, “Life is ten percent what happens to you and ninety percent how you respond to it.”  How your institution responds to a breach will determine the level of success experienced in the future.  If you turn a negative into a positive and work proactively and aggressively to protect your customers, this could trigger a reciprocal reaction in them: that you are concerned for them and their safety, which could build a higher level of trust and loyalty than ever before.

[1] BankInfoSecurity.com posted this list of thirty-three breaches, gathered from the Identity Theft Resource Center (ITRC).

[2] Quotes from BankInfoSecurity.com
