Insider Data Theft Rate Soars in Financial Industry
Posted by John Verry on Fri, Oct 09, 2009 @ 06:51 PM
I found a recent report by Actimize to be remarkably compelling. According to their research, 72% of financial institutions have experienced a case of data theft by an employee in the last 12 months.
Interestingly, it's not the expected class of employees (e.g., outsourced/temporary) that is the greatest risk. The research shows that the insider fraud threat actually breaks down as follows:
- 70% full-time employees,
- 10% part-time employees,
- 8% outsourced workers,
- 6% temporary workers, and
- 6% offshore employees.
The challenge is that limiting user access to sensitive data is not a viable strategy in the banking arena. Branch managers, customer service representatives, call center workers, loan officers, tellers, et al. need access to view and change critical data to perform their everyday job functions. Traditional segregation-of-duties control mechanisms are also very challenging to implement while maintaining the high level of customer service that the industry demands. So what's the answer?
I think there are two inter-related Information Security approaches:
- Improving Human Resources practices (both prior to and during employment) to identify those individuals who are most likely to succumb to two of the three leading causes of fraud (financial distress & job dissatisfaction). New and recurrent background check services are a great way to address this.
- Proactively monitoring employee access to critical processes (e.g., address changes) on critical systems.
Neither approach is all that sexy, but both are not only great deterrents but also very good detective controls.
__________________________________________________
Link to the original Actimize article:
http://www.actimize.com/index.aspx?page=news216