Cyber-Defenses Never Enough

I don’t mean to single out London here. Last year Wachovia, Bank of America, PNC Financial Services Group, and Commerce Bancorp were all the victims of a crime ring in New Jersey where bank employees and, in one case, a state employee were bribed into giving up account records. They would print out specific accounts that were later sold to collection agencies and law firms that were targeting people for past-due payments. The price paid by the ringleader was ten dollars per account. According to reports at the time, he reaped millions on the resale of over 500,000 accounts.

What to do?

Look at the other forms of insider defense organizations have already deployed in situations where trust alone fails. In particular, look at cash handling.

At a Starbucks, each associate swipes an ID card in the point-of-sale terminal every time they handle cash. At a bank, where the sums are greater, there are surveillance cameras looking over the shoulder of every teller. No, those are not there to catch armed robbers on camera; they are meant to ensure the good behavior of the tellers.

How do these defenses translate to information handling such as account records? First of all, require better authentication to access information. In this way, everyone knows there is a log of all the information they access. If it ends up stolen, they could be suspect.

This ensures better behavior. Activity monitoring is another way to alert on suspicious behavior. If someone is accessing more than the usual number of records, alarms will be set off and their actions can be investigated.
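The volume check described above can be run over an authenticated access log. The following is an added example, not part of the original article; the user names, the log layout, the 3x threshold and the peer-median fallback for accounts with no history are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit log: (day, authenticated user, account record id).
# Hypothetical names; a real feed would come from the application's access log.
def build_sample_log():
    log = []
    for day in range(1, 6):                      # five ordinary working days
        for user, n in (("teller_a", 20), ("teller_b", 25), ("teller_c", 22)):
            log += [(day, user, f"acct-{user}-{day}-{i}") for i in range(n + day)]
    # Day 6: teller_b pulls far more records than usual; others stay normal.
    log += [(6, "teller_a", f"acct-a-6-{i}") for i in range(24)]
    log += [(6, "teller_b", f"acct-b-6-{i}") for i in range(400)]
    log += [(6, "teller_c", f"acct-c-6-{i}") for i in range(27)]
    log += [(6, "temp_d", f"acct-d-6-{i}") for i in range(150)]  # new account, no history
    return log

def daily_counts(log):
    """Distinct records touched per (user, day); repeat views count once."""
    seen = defaultdict(set)
    for day, user, record in log:
        seen[(user, day)].add(record)
    return {key: len(records) for key, records in seen.items()}

def flag_unusual_access(log, day, factor=3.0, min_history=3):
    """Return {user: (count, baseline)} for users whose distinct-record count on
    `day` exceeds `factor` times their baseline. Baseline is the median of the
    user's own earlier days, or the peer median when history is too short."""
    counts = daily_counts(log)
    history = defaultdict(list)
    for (user, d), n in counts.items():
        if d < day:
            history[user].append(n)
    peer_baseline = median([n for h in history.values() for n in h] or [0])
    alerts = {}
    for (user, d), n in counts.items():
        if d != day:
            continue
        own = history.get(user, [])
        baseline = median(own) if len(own) >= min_history else peer_baseline
        if n > factor * max(baseline, 1):
            alerts[user] = (n, baseline)
    return alerts

if __name__ == "__main__":
    for user, (n, base) in sorted(flag_unusual_access(build_sample_log(), day=6).items()):
        print(f"ALERT {user}: {n} records accessed, baseline {base}")
```

Counting distinct records rather than raw log lines keeps a user who reopens the same account many times from tripping the alarm, while a newly issued account is still judged against its peers.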

Background checks on temporary personnel should focus on establishing their true identities. You should have a process in place for checking those identities for all contract personnel, including cleaning staff, security guards, and clerical staff. They should sign in and sign out every day. Security guards should not have access to the equipment that controls security cameras or to the backup video data.

Finally, there are several technologies that could be employed to reduce the risk of data loss. Leak prevention solutions classify data and monitor the networks to make sure it does not leave the premises. Device management solutions can monitor and control the use of USB devices such as thumb drives or MP3 players.

Thanks to the rise in value and the creation of a market for identities and other information, it has become necessary to look beyond typical cyber-defenses. Infiltration, the invasion of your organization by individuals targeting your information, needs to be countered. But, most importantly, the cost to the attackers must be raised in order to reduce the likelihood of attack.

Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner’s Thought Leadership award for 2003 and was named “One of the 50 Most Powerful People in Networking” by Network World Magazine.