Commerce Bancorp Aftermath

Investigation Turns Spotlight on Insider Threat
Last week's announcement by NJ-based Commerce Bancorp that one of its employees may have released customer information (See story: Bank Warns of Identity Fraud Investigation) swings the security spotlight back to information security's dirty little secret: the insider threat.

According to one industry expert, the insider threat is one that all financial institutions are aware of -- but too few provide adequate protection. "If you go into the average financial institution now, and you track its security budget and map it -- around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats," says noted information security expert Dr. Eric Cole.

One problem: External attacks are easier to spot. "When a worm or virus hits your network, you immediately know it, or can pinpoint when and where it started," Cole says. "But in the case of an insider attack, you don't always know when it started, or what damage has been inflicted, until you investigate and track it."

Most institutions have focused primarily on external threats and are doing a good job at stopping them, he says, so it's time to shift resources toward fighting the insider threat. Otherwise, Cole warns, "At least in the near future, we're going to see so many insider attacks."

In this most recent case, Commerce said in a statement that only a small segment of the company's 3 million customers were impacted, but did not specify how many. Bank officials have notified federal and state law enforcement agencies. "Fortunately, only a small segment of our nearly 3 million customers were impacted," the statement reads. "We have taken immediate actions, including an extensive internal investigation by Commerce Bank's Corporate Security team and notification to federal and state law enforcement officials."

What You Can Do: Review Staffing Practices

One step financial institutions can take immediately is to review their hiring practices to determine whether the criteria are missing some indications of potential problems.

"I've always been a strong believer that the past is a great indicator of the future, so if someone has worked for several institutions over a short period of time, that should be something to look at," Cole says. "There is a training curve, and if someone has only been at a position for six months, the investment alone to hire that person would be questionable."

Another area to look at: Vacation policies. While many institutions once required their staff to take their vacation time in two-week periods, the increased need for manpower at many institutions has dropped the mandatory two-week vacations in key positions down to seven days. "The reasoning behind the two-week vacation periods was if there was something going on, it would usually be uncovered during that person's time away," Cole says. "The institutions that are only requiring staff to take one week are lowering the bar, making it easier for perpetrators to cover their tracks."

Cole also sees much less tracking of the separation of duties. "I'm seeing less diligence at the institutions I visit of making sure that the same people don't work together all the time, breaking up shifts and shift rotation." This lack of due diligence, he says, makes it easier for the insider, if they are doing something, to cover their tracks.

Better Background Checks, Training Needed

Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC), in San Dimas, CA, says institutions need to protect information through better background checks and awareness training for new hires.

"There needs to be shared information between institutions, but because of privacy issues, there isn't," says Kramer, whose 300 credit unions have an average asset size of $445 million and represent 12 million members. "Therefore, training for the new employee is essential to let them know what is expected of them."

Kramer has her own story of identity theft, as one of FSCC's credit unions uncovered identity theft that was traced back to an internal source.

"We saw that it looked like there was a lot of internal fraud going on," she says. "We then implemented encryption and brought a monitoring tool on board to protect data and transactions." The combination of encryption and monitoring effectively stopped the internal fraud, Kramer notes.

She says any personally identifiable information held electronically on databases is now encrypted. Encryption is one action that FSCC recommends to its credit unions, Kramer adds.

Kramer compares a financial institution's networks to a pair of red long johns. "Everything is buttoned up in the front, with firewalls and an IDS and the network is protected from outsiders, but what about the back end," she says. "Is the back flap buttoned up so nothing leaks out of your organization? If more institutions were using monitoring tools, they wouldn't be suffering as many data breaches as they already have. I like the idea that we're ahead of the curve."

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
