Insider Threat: Tackling it with Technology - Jacob Jegher, Celent
Jegher, based in Montreal, Canada, is a senior analyst within Celent's banking group. His research focuses on emerging technologies and business strategies in retail and wholesale banking. His areas of expertise include online banking (retail, small business, and corporate cash management), social media, IT security, and customer relationship management and strategy. He is the primary author of Celent's annual global IT spending report, as well as the banking CIO survey and model bank report.
Celent is an international research and consulting firm focused on the application of information technology in the global financial services industry.
LINDA McGLASSON: Hello, I'm Linda McGlasson, Managing Editor of www.bankinfosecurity.com and www.cuinfosecurity.com. Today's Information Security Media Group Podcast is with Jacob Jegher, Senior Banking Analyst at Celent, a global financial services industry research and consulting firm. He is the primary author of the company's annual Global IT Spending Report, as well as the Banking CIO Survey Model Bank Report. Welcome Jacob.
JACOB JEGHER: Thank you very much Linda.
McGLASSON: I'll start the questions with the most recent Goldman Sachs ex-employee who is accused of taking proprietary trading codes. Why could this have happened?
JEGHER: There are multiple reasons why we could have an account with this type of breach/fraud case where we have an employee who is accused of stealing the codes.
As far as why it could have happened, it could come down to policies and procedures. I think it is very important for rules to be set and it is another thing for them to be followed. Financial institutions need to protect themselves for when rules are not followed. With that they basically need to make sure they have the right software in place, software that will be able to monitor the activities of employees on internal systems, whether they try to copy information to other sources, move information, access multiple records that they perhaps wouldn't typically do. And of course this all has to be defined by the bank or institution based on business rules that they set up in advance to try to prevent this in a proactive manner instead of being reactive.
I think the other issue is that the risks of trying to steal a trading model are very high. My colleague David Easthope, who also covers the capital markets angle at Celent, has been quoted as saying the potential reward is very high because if you look at investment banks, they have made higher and higher profits from automated trading and that is clearly a driver here. You see the dollar figures attached to these types of transactions; they could basically offer some sort of competitive advantage to another firm or to an individual. It could certainly be quite attractive to a would-be fraudster or someone in dire financial straits.
McGLASSON: What are the lessons other institutions can learn from this case?
JEGHER: I think there are a number of lessons that can be learned. I think the first and foremost is to make sure you have an enterprise-wide fraud management solution in place, a solution that would basically prevent fraud and would react in real time to activities of employees in terms of what they are doing. So what would be a typical example?
Let's say I'm a call center representative, and I tend to access 20 customer records on average during a typical day, and all of the sudden one day I try to access 40, 50 or 60, the system should raise a red flag and perhaps even lock me out of accessing additional records because I have exceeded what would be my typical norm.
In other words, that is not to say that the employee is necessarily doing something fraudulent, but it falls outside of the typical behavioral pattern and that needs to be tracked by the organization to prevent a disaster. It could be that by accessing all of these records the employee would either try to see Social Security numbers, customer records or information that they obviously should be treating as private and confidential.
The lesson really is to make sure that you have the right software in place to monitor and track potentially fraudulent behavior in real time.
McGLASSON: In your latest report, Internal Fraud - Big Brother Needs New Glasses, why do you say that insiders can devastate a bank?
JEGHER: Insiders attack. There are two types of attacks; attacks that come from the inside and attacks that come from the outside. And we tend to hear a lot, particularly in the media, about attacks coming from the outside, whether it is the hackers who are sitting somewhere in Eastern Europe and are just banging away trying to break into some sort of system. In those cases there are numerous knocks on the door but few successful entries. The success rate is quite low.
On the other end, when you are talking about employees, they are already on the inside and when they try to knock on the door, in many cases they are already inside the door and their success rate of actually committing fraud as such is quite high. The potential for devastation is huge because if you think about a financial institution, their most valuable assets are their customers, their information and of course their assets.
If any of those are put at risk, the financial institution could have a tarnished reputation and obviously be dragged through the mud in the media, and most importantly have customers loose trust and confidence in their financial institution, which can obviously lead to attrition, defection and they could see loss of revenues from profits.
McGLASSON: So how shocking are those numbers and how serious is the insider threat?
JEGHER: By those numbers I am assuming you are referring to the 60 percent that I mentioned earlier. Insider fraud accounts for approximately 60 percent of the bank fraud cases where either a data breach or theft of funds has occurred.
The numbers are very shocking and it is a very serious threat. I don't think when you talk to chief information security officers at financial institutions they would be shocked by this number; they are well aware of it. I think folks in the public and perhaps even in other industries would look at this number and say that is a shocking figure.
It is a very serious threat and I do think that banks are aware of it, financial institutions are aware of it and they are taking actions in terms of trying to implement some of these solutions that I mentioned earlier.
McGLASSON: When internal fraud hits Jacob, does it extend beyond the bank?
JEGHER: Absolutely. That is one of the reasons this is often referred to as insider fraud and not just internal fraud. An insider is technically an employee, or an insider meaning someone who has the relationship to them. It could be the spouse of an employee, a friend of the employee.
In many cases where there are incidents of fraud that are being committed, they find that accounts have been opened by the employee's girlfriend or boyfriend who has a different last name and it is important to create some sort of linkage between the activity taking place between the employee's account and the spouse's account.
It's important to understand the tracking activity of what money is moving between accounts and where that flow is actually going, because quite often there is someone on the outside of the bank who is in collaboration with the employee. So yes, it certainly can extend beyond the bank.
McGLASSON: I heard you mention earlier, how important do you think policies and procedure are when it comes to thwarting this threat?
JEGHER: They are critical, but again, obviously they have to be followed. To use this case as an example, you know many of the articles and information I have read about it have said that this employee had copied information to a personal computer because he was working on it at home. If you think about policies and procedures, that is a great example of what I consider to be a cardinal sin when you work for a financial institution.
If you are dealing with any information that is sensitive, or even non-sensitive, the rule is work information and work data stays on a work computer. I recall one case where there was a woman who worked at a bank who had transferred some files that contained Social Security numbers to her personal computer. And one of her children, who used a P2P file sharing site to download music had software for that installed on the same computer. Someone actually broke into that machine and stole that bank employee's files that she had copied over and they got a hold of the Social Security numbers of bank clients. I think that is a perfect example of policies and procedures.
It is important for work to stay at work. You can take it home but take it home on a work computer. The minute it leaves the bank or financial institution things can get hairy and that is because there are policies used and technology tools in place, whether it's antivirus or monitoring software, and from a compliance requirement, to make sure that what you do at work is work-related and stays within the boundaries of that.
McGLASSON: Jacob, what are your thoughts on the use and display of Social Security numbers?
JEGHER: Often people are identified by their Social Security number and there has been some talk regarding legislation about removing that and making SSN's not even an option now. Although I don't think that is realistic, I do think that there is a case at any company that it does take into account Social Security numbers being displayed on a need-to-know basis.
If I am a junior call center employee, and I have a customer who calls in and I ask them for the last two digits of their Social Security number, perhaps I only see those last two digits because I am a call center employee. I can't actually see the entire Social Security number. In many cases, in fact with most cases, I would say that everyone from junior call center representatives to whoever has access to these systems can see the full Social Security numbers of customers and I don't think there is any place for that in today's world, given that there is a potential for fraud and there is a market for customer records and identities.
Banks have to revisit the use of Social Security numbers; obviously they are not going to abolish them from their systems, which would be quite absurd at this point given how far along they are with the customer records. It is just a question of who is able to see them and why.
McGLASSON: What about personal digital storage, yes or no?
JEGHER: Personal digital storage can refer to multiple things. It could be a USB key, a memory key that an employee carries around; it could be a mobile phone that contains memory. My iPhone has 16 gigs on it and technically it is nothing more than flash memory that I can copy things to. Personal digital storage can also be a digital camera that takes pictures.
I hear all kinds of things from banks saying they want to ban any form of personal digital storage in the workplace. I don't think that is realistic. I think people are going to have their mobile phones that have camera storage and their iPods and iPhones and what have you. You can't quit get rid of those, particularly as technology evolves and as the use of mobile devices evolves.
However, back to the whole idea of policies and procedures, it is important to set an example and rules, polices in terms of what is acceptable use at the workplace for these devices. Can you listen to your iPod? Sure. Can you start snapping pictures of customer records that are displayed on the screen? Obviously not. So again, it comes back to policies and procedures.
McGLASSON: Jacob how would you suggest financial institutions go about creating a sound and timely notification process?
JEGHER: This would relate to a data breach and when a breach does happen. I would say a lot of financial institutions, if you look at past cases, are guilty of waiting too long to tell affected customers. In many cases it is months. That is certainly a problematic issue because if a customer is affected by a data breach of their information, they need to know. Obviously their identity could be stolen and folks could start taking out loans under their name and applying for credit cards. This has to be done in a timely manner.
I don't think the majority of financial institutions are well prepared for that. Either that or when a breach does happen they are just simply not sure of the extent of the breach.
The first thing is to be able to speed up this discovery process of how serious the breach is. The second comes to a PR and communications perspective of being able to have a marketing team create a plan concerning a breach and how they are going to handle it. What is my target time to contact customers? How am I going to contact customers? What channels am I going to use? What compensation am I going to offer them based on the severity of the breach? How am I going to communicate that to them? Will we offer them identity theft protection services? If so, for how long will we offer it? All these things need to be outlined in advance, not scrambling to figure this out because we just had a breach. Notification is critical.
McGLASSON: Jacob what about awareness training for employees? Is it important?
JEGHER: Absolutely. When you talk about security, one of the most critical components is training and we talked about all these different policies and procedures, but they are useless if employees aren't aware or reminded of them. It is important to have training, ongoing training, and refresher training to remind them about it. This would apply to new employees who enter the firm and are perhaps not too familiar with the policies and procedures that are in place, and it would also apply to existing employees who need to be reminded.
The other issue, as I mentioned earlier, is technology evolves and as new devices come out, new trends occur within the industry and for consumers. I think it is important to update the policies and procedures as well as the training to red flag them and communicate these in an efficient manner to employees. Training cane take many forms. It can be on site, in person, it can also be web-based. There are many ways of approaching that and they are all critical.
McGLASSON: Do you see technology playing a role in stopping internal fraud?
JEGHER: Absolutely. I think that technology plays a critical role in preventing internal fraud and catching it in a proactive manner. And as I mentioned earlier, it is really all about having an enterprise-wide fraud management solution that will look across channels, look at different types of reporting activities, that is customized based on defined business rules, that works in real time, that has a dashboard that the administrator can easily access and view reporting on, and that has an alerting system that can alert those within the bank who need to know about a potential breach or risk as quickly as possible. So absolutely, technology plays a critical requirement.
McGLASSON: Jacob, thank you so much for your excellent insights today.
JEGHER: It is my pleasure. Thank you.
McGLASSON: Until later, I'm Linda McGlasson for Information Security Media Group.