Commerce Bancorp Aftermath

According to one industry expert, the insider threat is one that all financial institutions are aware of – but too few provide adequate protection. “If you go into the average financial institution now, and you track its security budget and map it -- around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats,” says noted information security expert Dr. Eric Cole.

See Also: Omni-Channel Authentication: A Unified Approach to a Multi-Authenticator World

One problem: External attacks are easier to spot. “When a worm or virus hits your network, you immediately know it, or can pinpoint when and where it started,” Cole says. “But in the case of an insider attack, you don’t always know when it started, or what damage has been inflicted, until you investigate and track it.”

Most institutions have focused primarily on external threats and are doing a good job at stopping them, he says, so it’s time to shift resources toward fighting the insider threat. Otherwise, Cole warns, “At least in the near future, we’re going to see so many insider attacks.”

In this most recent case, Commerce said in a statement that only a small segment of the company's 3 million customers were impacted, but did not specify how many. Bank officials have notified federal and state law enforcement agencies. "Fortunately, only a small segment of our nearly 3 million customers were impacted,” the statement reads. “We have taken immediate actions, including an extensive internal investigation by Commerce Bank's Corporate Security team and notification to federal and state law enforcement officials.”

One step financial institutions can take immediately is to review their hiring practices to determine if the criteria is missing some indications of potential problems.

“I’ve always been a strong believer that the past is a great indicator of the future, so if someone has worked for several institutions over a short period of time, that should be something to look at,” Cole says. “There is a training curve, and if someone has only been at a position for six months, the investment alone to hire that person would be questionable.”

Another area to look at: Vacation policies. While many institutions once required their staff to take their vacation time in two-week periods, the increased need for manpower at many institutions have dropped the mandatory two-week vacations in key positions down to seven days. “The reasoning behind the two-week vacation periods was if there was something going on, it would usually be uncovered during that person’s time away,” Cole says. “The institutions that are only requiring staff to take one week are lowering the bar, making it easier for perpetrators to cover their tracks.”

Cole also sees much less tracking of the separation of duties. “I’m seeing less diligence at the institutions I visit of making sure that the same people don’t work together all the time, breaking up shifts and shift rotation.” This lack of due diligence, he says, makes it easier for the insider, if they are doing something, to cover their tracks.

Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC), in San Dimas, CA, says institutions need to protect information through better background checks and awareness training for new hires.

“There needs to be shared information between institutions, but because of privacy issues, there isn’t,” says Kramer, whose 300 credit unions have an average asset size of $445 million and represent 12 million members. “Therefore, training for the new employee is essential to let them know what is expected of them.”

Kramer has her own story of identity theft, as one of FSCC’s credit unions uncovered identity theft that was traced back to an internal source.

“We saw that it looked like there was a lot of internal fraud going on,” she says. “We then implemented encryption and brought a monitoring tool on board to protect data and transactions.” The combination of encryption and monitoring effectively stopped the internal fraud, Kramer notes.

She says any personally identifiable information held electronically on databases is now encrypted. Encryption is one action that FSCC recommends to its credit unions, Kramer adds.

Kramer compares a financial institution’s networks to a pair of red long johns. “Everything is buttoned up in the front, with firewalls and an IDS and the network is protected from outsiders, but what about the back end,” she says. “Is the back flap buttoned up so nothing leaks out of your organization? If more institutions were using monitoring tools, they wouldn’t be suffering as many data breaches as they already have. I like the idea that we’re ahead of the curve.”