Commerce Bancorp Aftermath: Investigation Turns Spotlight on Insider Threat
According to one industry expert, the insider threat is one that all financial institutions are aware of – but too few provide adequate protection. “If you go into the average financial institution now, and you track its security budget and map it -- around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats,” says noted information security expert Dr. Eric Cole.
One problem: External attacks are easier to spot. “When a worm or virus hits your network, you immediately know it, or can pinpoint when and where it started,” Cole says. “But in the case of an insider attack, you don’t always know when it started, or what damage has been inflicted, until you investigate and track it.”
Most institutions have focused primarily on external threats and are doing a good job at stopping them, he says, so it’s time to shift resources toward fighting the insider threat. Otherwise, Cole warns, “At least in the near future, we’re going to see so many insider attacks.”
In this most recent case, Commerce said in a statement that only a small segment of the company's 3 million customers were impacted, but did not specify how many. Bank officials have notified federal and state law enforcement agencies. “Fortunately, only a small segment of our nearly 3 million customers were impacted,” the statement reads. “We have taken immediate actions, including an extensive internal investigation by Commerce Bank's Corporate Security team and notification to federal and state law enforcement officials.”
What You Can Do: Review Staffing Practices
One step financial institutions can take immediately is to review their hiring practices to determine whether the criteria are missing some indications of potential problems.
“I’ve always been a strong believer that the past is a great indicator of the future, so if someone has worked for several institutions over a short period of time, that should be something to look at,” Cole says. “There is a training curve, and if someone has only been at a position for six months, the investment alone to hire that person would be questionable.”
Another area to look at: Vacation policies. While many institutions once required their staff to take their vacation time in two-week periods, the increased need for manpower at many institutions has dropped the mandatory two-week vacations in key positions down to seven days. “The reasoning behind the two-week vacation periods was if there was something going on, it would usually be uncovered during that person’s time away,” Cole says. “The institutions that are only requiring staff to take one week are lowering the bar, making it easier for perpetrators to cover their tracks.”
Cole also sees much less tracking of the separation of duties. “I’m seeing less diligence at the institutions I visit of making sure that the same people don’t work together all the time, breaking up shifts and shift rotation.” This lack of due diligence, he says, makes it easier for the insider, if they are doing something, to cover their tracks.
Better Background Checks, Training Needed
Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC), in San Dimas, CA, says institutions need to protect information through better background checks and awareness training for new hires.
“There needs to be shared information between institutions, but because of privacy issues, there isn’t,” says Kramer, whose 300 credit unions have an average asset size of $445 million and represent 12 million members. “Therefore, training for the new employee is essential to let them know what is expected of them.”
Kramer has her own story of identity theft, as one of FSCC’s credit unions uncovered identity theft that was traced back to an internal source.
“We saw that it looked like there was a lot of internal fraud going on,” she says. “We then implemented encryption and brought a monitoring tool on board to protect data and transactions.” The combination of encryption and monitoring effectively stopped the internal fraud, Kramer notes.
She says any personally identifiable information held electronically on databases is now encrypted. Encryption is one action that FSCC recommends to its credit unions, Kramer adds.
Kramer compares a financial institution’s networks to a pair of red long johns. “Everything is buttoned up in the front, with firewalls and an IDS and the network is protected from outsiders, but what about the back end,” she says. “Is the back flap buttoned up so nothing leaks out of your organization? If more institutions were using monitoring tools, they wouldn’t be suffering as many data breaches as they already have. I like the idea that we’re ahead of the curve.”