Employees placed in banks and insurance companies by criminal gangs

(03/10/2008)

Peter Wood, Member of the ISACA Conference Committee and founder of First Base Technologies, has revealed the ease with which criminals are able to steal data and gives 3 critical steps organisations can take to block them.

Wood explains how he and a colleague walked unchallenged into an insurance company and were able to steal all their data as part of a security exercise. And he is not the only one to get away with stealing data; very often companies unwittingly hire people whose sole purpose is to steal data.

Wood goes on to explain “some people in the banking community have quietly and anonymously said to me over the last year that they have found employees who have been placed in their company by criminal gangs and they have been operating as moles over that period.”

Companies also make the mistake of storing sensitive and confidential data in one place which makes it very easy for criminals to steal data.

Wood says, “intellectual property or large credit card data bases are probably the primary targets and someone told me, a Japanese company in fact, that they could store all their key data, all their intellectual property and the stuff that really differentiates them on a thumb drive, as a result one hit there is more than adequate to give the criminal what they want.”

“The physical attack is sometimes the easiest and probably the way of the future for a lot of criminal gangs”, however according to Wood “you don’t have to be onsite, remote control attacks through email phishing, spear phishing, emailattached Trojans or even web drive-by attacks are increasing in popularity and someone receiving an email that directs them to a site that appears innocent and then quickly installs something on their PC is just as vulnerable”

Wood believes that people are critically important in preventing these attacks. He says “If people are given some baseline education as to how to look for criminal activity then they can be the greatest asset any organization could possibly deploy”.

He adds, “I think there is a huge gulf between the technical controls that firms put in place and the human and HR control and the physical premises control. There is little or no communication between the three areas and it’s through those gaps that criminals can walk unchallenged”.

However there is a light at the end of this very dark and dangerous tunnel of information security breaches. According to Peter Wood there are three critical steps an organization could take to protect themselves.
• Good quality vetting of staff and third parties
• An awareness campaign that is intelligently designed and has a strong focus to encourage and inform people
• Conducting regular meetings with HR, physical security, IT security and the business to provide a holistic defence against an attack.

Related topics:  Authentication and identity management   Data management and data security   Encryption   Hacking and intrusion prevention   Network Security   Security management and policies   Security threats and vulnerabilities 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources