It must have made bank security officers everywhere cringe when it was reported that Edward Snowden, the NSA leaker, convinced about two dozen fellow agency employees to provide him their login credentials.
As Brian Feldman, writing for The Atlantic, points out, “A support worker asking for a user’s login credentials is actually a huge security red flag.” Furthermore, Feldman says, Google, Microsoft, Apple, Yahoo!, Facebook, and AOL—technology giants that NSA allegedly has back door entry into—all state clearly in their security pages, in one wording or another: Never share your password with anyone.
It seems the NSA episode has had repercussions in the corporate security world. “Attitudes and protection plans are changing, with 45% of organizations reporting that Edward Snowden has caused them to be more aware of insider threats and over half, 53%, are increasing their security budgets to offset the problem in the next year,” says a survey report from Vormetric.
However, that’s about the only comfort to be derived from Vormetric’s survey of 700 IT security executives. Chief among its findings is that only 27% of those surveyed block privileged user access to data—a proven method of mitigating insider attacks—while 66% use perimeter-focused network intrusion detection and prevention tools to deal with insider threats—even though those are not designed for such use.
KPMG International recently looked into what the profile of an insider threat looks like. While tough to generalize, it found these characteristics of the typical insider swindler: 36-45 years old, employed in a finance, operations, or sales/marketing function, holds a managerial or executive position, has been employed in the organization more than six years, and has a heretofore clean record. In 70% of frauds, the perpetrator colludes with others in the organization.
“The prediction of a crime before it occurs is, at least for now, the subject of science fiction. But an analysis of the constantly changing nature of fraud and the fraudster can help organizations stiffen their defenses against these criminal activities. Forewarned is forearmed,” says Déan Friedman, a leader of KPMG’s Investigations Network.
In addition to insider threats, customers also can pose fraud threats. A recent Aite report’s title puts it perhaps too bluntly—“Global Fraud and Clueless Customers”—although the authors stress the need for customer education by financial institutions.
“Consumer education regarding fraud appears to be severely lacking in many countries, leading to consumers who don’t understand payment systems, fraud, or how to best protect themselves against becoming fraud victims…Understanding consumers’ concerns, experiences, and resulting behaviors is therefore essential for financial institutions that desire to educate and retain clients and maximize payments revenue,” Aite’s report says.
The intersection of social, mobile, cloud, and information technologies—what Gartner calls the “Nexus of Forces”—brings with it a transformation of information security approaches. “Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made,” Gartner says in a recent report.
Which brings up the good-guy human element in this equation. IBM looked at the evolving role of corporate security officers and their relationship to overall business decisions, budgets, and strategies.
“The findings reveal that a constantly evolving threat landscape, emerging technologies, and budgetary restraints are requiring security leaders to play a more active role in communicating with C-suite leaders and with their boards, as the rise in security incidents impacts brand reputation and customer trust,” IBM’s report summary says.
The top trends that security leaders tend to discuss with upper management include identifying and assessing risks (59%), resolving budget issues and requests (49%), and new technology deployments (44%).
So it takes good-guy human beings, taken seriously by management, to weigh advanced technology against the bad-guy human beings who are also using advanced technology.
“The megatrends of consumerization, mobility, social, and cloud computing are radically transforming the relationship between IT, the business, and individual users. Organizations are recognizing and responding to the need to move from control-centric security to people-centric security,” says Tom Scholtz, vice president and Gartner fellow.
Bank security vendors, as is to be expected, are responding to this sentiment. Here are just a few announcements along these lines that have appeared in the past few weeks:
- FICO introduced a proximity correlation service for credit and debit card issuers that compares the physical location of a cardholder’s registered mobile phone against the location of the ATM or point-of-sale terminal, in order to detect anomalies.
“Banks are trying to perfect a tricky balancing act—protect customers without causing undue frustration for cardholders,” says Gabriel Hopkins, senior director, Product Management, FICO.
- Guardian Analytics unveiled a real-time collaboration platform and fraud intelligence community for financial institutions to securely exchange actionable information and improve prevention practices. It allows banks to pool their experiences and expertise to defend against continually evolving attacks and fraud schemes.
- Novetta Solutions and Teradata partnered to deliver advanced solutions for increased visibility into network behavior analytics. Their approach is meant to defeat adversaries attempting to attack a network by using big data analytics, again, by identifying anomalous activity, network infection, and insider-threat compromises.
- IBM—of course—is very much into this area. Its latest announcement is about a newly patented technique to protect sensitive data prior to transmitting it to the cloud.
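As an added illustration of the proximity-correlation idea in the FICO item above (this is example code written for this page, not FICO's product or the article's own material), the check below compares a card transaction's terminal location with the last known position of the cardholder's registered phone. The 5 km "near" radius, the 900 km/h plausible-travel ceiling and the sample coordinates are assumptions; a missing or stale phone fix is treated as inconclusive rather than as fraud, so the verdict feeds a risk score instead of blocking on its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_TRAVEL_SPEED_KMH = 900.0  # assumed ceiling for plausible movement (airline speed)
NEAR_THRESHOLD_KM = 5.0       # assumed radius within which phone and terminal "agree"

@dataclass
class PhoneFix:
    lat: float
    lon: float
    seen_at: datetime  # time of the phone's last location report

@dataclass
class Transaction:
    card_id: str
    lat: float
    lon: float
    at: datetime  # ATM or point-of-sale terminal location and time

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def proximity_verdict(txn, fix):
    """Return 'near', 'stale', 'anomaly' or 'unknown' for one transaction."""
    if fix is None:
        return "unknown"  # no phone data: defer to other signals, not a fraud call
    distance = haversine_km(fix.lat, fix.lon, txn.lat, txn.lon)
    age_h = max((txn.at - fix.seen_at).total_seconds(), 0.0) / 3600.0
    if distance <= NEAR_THRESHOLD_KM:
        return "near"
    # Distance the phone could plausibly have covered since its last fix.
    if distance <= NEAR_THRESHOLD_KM + MAX_TRAVEL_SPEED_KMH * age_h:
        return "stale"  # too old a fix to contradict the transaction
    return "anomaly"  # phone cannot have reached the terminal: flag for review

def sample_verdicts():
    """Constructed sample: a Chicago cardholder checked against two terminals."""
    t0 = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
    phone = PhoneFix(41.8781, -87.6298, t0 - timedelta(minutes=10))
    old_phone = PhoneFix(41.8781, -87.6298, t0 - timedelta(hours=12))
    local_atm = Transaction("card-1", 41.8850, -87.6200, t0)
    london_pos = Transaction("card-1", 51.5074, -0.1278, t0)
    return {"local": proximity_verdict(local_atm, phone),
            "far_recent": proximity_verdict(london_pos, phone),
            "far_stale": proximity_verdict(london_pos, old_phone),
            "no_phone": proximity_verdict(london_pos, None)}
```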
KPMG’s look at the prototypical insider threat concludes with two observations. One is that weak internal controls provide opportunities for embezzlers and others to commit their crimes. On the other hand, even strong internal controls won’t deter someone who just doesn’t care. So, in addition to old-fashioned people-based policies, procedures, and monitoring, advanced technology also is required.
“Companies can’t stand still and allow yesterday’s controls to address today’s or tomorrow’s fraudster,” says KPMG’s Friedman. “Technology not only enables the fraudster, but also enables the organization to defend itself. Newer approaches like data analytics and data mining give the company a much better chance of catching the fraudster.”