Greed Most Common Reason for Insider Crimes in Financial Services

WASHINGTON – A new study of insider incidents at financial services providers by the Secret Service National Threat Assessment Center (NTAC) and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute (CERT/CC) found that most insider criminal activity requires minimal technical know-how, is planned out, and is fostered by greed. The introduction to the study begins with an example of two credit union employees who were authorized to update credit reports, but, in the fall of 1996, began doing so for money. Fraud losses from their activities exceeded $215,000, according to the report. “The risk exposure to the credit union was incalculable,” the Insider Threat Study stated. Internal attacks at companies are difficult to estimate for a variety of reasons and some feel they are under-reported to law enforcement. It is possible companies fear the negative publicity or increased liability as a result of the incidents or they may determine the activity was not enough to warrant criminal charges. The study made several findings among the incidents of insider crimes involving fraud, theft of intellectual property and sabotage in the financial services industry it studied between 1996 and 2002. Most incidents required little technical savvy. Of the incidents studied, 87% used legitimate user commands and 70% of the cases involved exploitation or attempted exploitation of vulnerabilities. More than three-quarters (78%) were authorized users with active accounts at the time and 43% used their own username and password to perpetrate the crime. The study suggests that financial organizations secure their networks from all users and follow through on policies and procedures. One credit union insider was terminated and his account disabled, but because his remote access was not disabled, he was able to sabotage the system, keeping it out of commission for three days. A full 81% of the cases were planned in advance and, 85% of the time, others from co-workers to friends to family members had full or partial knowledge of what was going on. Because these incidents are planned, some future scenarios may be prevented or detected earlier on, the study said. The report also recommended having one central place to report suspicious activity. Because many of the insiders did not consider the consequences of their actions, organizations should increase awareness of their ability to monitor activities and the possibility of prosecution or civil suit. The majority of insiders were motivated by financial gain, while others sought revenge or respect or felt “dissatisfied with company management, culture or policies.” Eighty-one percent were after financial gain with 27% in financial straights when they committed the crime. The fourth finding was that the insiders fit no common profile: they ranged from 18 to 59 years of age; 42% were female; 54% were single; and they came from a variety of ethnic backgrounds. Very few (15%) were even considered troublesome employees. The report pointed out, “Management must be aware that common perceptions about who is likely to be an insider threat may be inaccurate.” It added that background checks are important considering more than a quarter of the insiders had a prior criminal record. These incidents were uncovered by various methods and personnel. Non-security personnel or customers in the bulk of the instances (61%) discovered the inside jobs. The split between customer, security and non-security personnel was roughly one-third each, so, the study concluded that it is important that all employees are responsible for security awareness. Additionally, 61% of the cases were detected by non-automated procedures. Nearly all (91%) of the victim organizations suffered financial losses, which ranged from $168 to nearly $700 million. Thirty percent of the cases cause financial losses of more than half a million. This type of activity can also damage a company’s reputation, the study noted. Most of these acts were committed right under the company’s nose, while the employees were still on the job at the workplace during normal operating hours. The majority (83%) of the cases took place physically within the company, while 70% were during normal business hours. In conclusion, the Insider Threat Study suggested, “The insider threat activity examined in the banking and finance sector appears to involve an interaction among organizational culture, business practices, policies, and technology, as well as the insiders’ motivations and external influences. Reducing the risk of these attacks requires organizations to look beyond their information technology and security to their overall business processes.” [email protected]