Enemies From Within

It’s not attacks from outside hackers that are the biggest technology security concerns for organizations today. Instead, there has been an increasing number of identity theft cases in which the hacker is actually a company employee–an enemy from within. Following the layered approach and adhering to security guidelines will help to keep the enemy from within at bay, particularly in the call center.

More than 8.9 million Americans were the victims of identity theft last year, and according to a Federal Trade Commission survey conducted in 2003, customer data theft cost U.S. businesses and financial institutions nearly $48 billion. In addition, according to more than 8,200 IT security professionals from 62 countries, polled in a worldwide study by CIO Magazine and PricewaterhouseCoopers, companies experienced an average of 824 security incidents or events over the past 12 months, with the majority of these events being the result of malicious code or unauthorized entry to information assets.

However, it’s not attacks from outside hackers that are the biggest technology security concerns for organizations today. Instead, there has been an increasing number of identity theft cases in which the hacker is actually a company employee–an enemy from within. According to the same CIO/PricewaterhouseCoopers survey, the number of employee-related attacks is up, at 33 percent compared with 2004's 28 percent. Former employees remain a likely source of the security threats, representing 20 percent of events. In fact, the Yankee Group estimates that 50 percent of security problems in 2004 originated from internal sources, up from 30 percent in 2003. It takes less than five minutes for such employees, particularly those in the contact center who have proper access to customer data, to steal someone’s identity.

This scenario has played out several times in recent months with some of the world’s largest financial institutions falling victim to internal hackers. But this new epidemic isn’t limited to just financial institutions – every business that has a database of customer information needs to be vigilant against such attacks. For disgruntled employees and those who may not be happy with their companies’ policies and compensation practices, the idea of profiting by selling easily accessible customer information can be tempting.

Levels of Security

So how do companies protect their important customer data? While no system is 100 percent reliable, there are five layers of protection or “defensive walls,” as recommended by the SANS Institute (http://www.sans.org/whatworks/) that proactive businesses can implement to ensure the optimum level of data security.

The first three defensive walls revolve around the company’s information technology (IT) systems and architectures.

Defensive Wall 1 is a network-based, external-facing layer, designed to block attacks from outside hackers. Using firewalls, managed security services, and intrusion detection software, institutions can safeguard such Web transactions as electronic bill payments. This is the only layer visible to the general public.

Defensive Wall 2 is designed to block attacks at the host-based level. This layer uses personal firewalls, spyware removal, and quarantine software to protect the internal systems and devices, such as PCs, servers, and workstations.

Defensive Wall 3 eliminates security vulnerabilities. Sitting on the internal systems, this layer protects against vulnerabilities a hacker could exploit to capture customer credit information. It requires configuration management, application security testing, vulnerability management, and penetration testing. A crucial responsibility of companies that wish to comply with this layer is the constant scanning of all internal systems and applications to provide IT with a listing of potential vulnerabilities that could be exploited.

It is within Defensive Wall 4–the people layer–where the enemy within can get a stronghold. In this layer, focused on safely supporting authorized users, all systems are typically firewalled and guarded as entities unto themselves. This is where companies define who has access to what databases and systems.

For example, in the contact center, this could mean that an agent handling billing inquiries would have access to customer billing history or account information, while an agent in customer service would only have access to limited customer information, such as name, address, and service type. While in theory that may stop a customer service representative from stealing identity information found in the billing or account database, it does not stop that individual from tapping into the identity information stored in his or her approved customer database. Simply put, even this innermost layer cannot prevent people who have been granted access to a particular server from stealing that customer information for profit. But segmenting the information in different databases and limiting who has access to that information could help prevent an enemy from within from stealing the full array of customer details.

A crucial element of this layer is the encryption of data and files. But securing the data is not enough. At level 4, discretionary access control is also implemented to ensure that users only have access to the specific applications, databases, and various system objects for which they have been approved.

The last layer, Defensive Wall 5, consists of tools companies can use to minimize business losses and maximize effectiveness. With this layer, organizations should have some level of regulatory compliance and forensics tools in their security portfolio, as well as an established disaster recovery plan and redundancy systems in place.

Tools providing audit tracking, which help quickly identify when an attack or security breach occurs and what exactly was compromised, are extremely important for catching hackers and for developing future protection plans. These tools also provide reporting data specific to the level of compliance for various government regulations, such as Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, and FISMA.
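The role-based segmentation of Defensive Wall 4 and the audit tracking of Defensive Wall 5 can be sketched together as follows. This is an added example, not code from the article or from any vendor product; the role names, field lists, review threshold, and sample records are constructed assumptions.

```python
from collections import Counter

# Assumed role-to-field mapping, following the contact center example above.
ROLE_FIELDS = {
    "customer_service": {"name", "address", "service_type"},
    "billing": {"name", "billing_history", "account_number"},
}

# Constructed sample records (not real customer data).
CUSTOMERS = {
    cid: {"name": f"Customer {cid}", "address": addr, "service_type": "DSL",
          "billing_history": ["2005-01: $40"], "account_number": f"ACCT-{cid}"}
    for cid, addr in (("C1", "1 Elm St"), ("C2", "2 Oak Ave"), ("C3", "3 Pine Rd"))
}

def read_field(log, agent, role, customer_id, field):
    """Return a field only if the role is approved for it; log every attempt."""
    allowed = field in ROLE_FIELDS.get(role, set())
    log.append((agent, role, customer_id, field, allowed))
    if not allowed:
        raise PermissionError(f"{role} may not read {field}")
    return CUSTOMERS[customer_id][field]

def review_audit_log(log, max_customers=2):
    """Flag agents with denied reads, or with approved reads across more
    distinct customers than the (assumed) threshold. The second check covers
    the case the article warns about: abuse of access that was granted."""
    denied, touched = Counter(), {}
    for agent, _role, customer_id, _field, allowed in log:
        if allowed:
            touched.setdefault(agent, set()).add(customer_id)
        else:
            denied[agent] += 1
    findings = {}
    for agent in set(denied) | set(touched):
        reasons = []
        if denied[agent]:
            reasons.append(f"{denied[agent]} denied read(s)")
        count = len(touched.get(agent, ()))
        if count > max_customers:
            reasons.append(f"read {count} distinct customers")
        if reasons:
            findings[agent] = reasons
    return findings

if __name__ == "__main__":
    audit_log = []
    for cid in CUSTOMERS:  # a billing agent reading every account number
        read_field(audit_log, "agent_b", "billing", cid, "account_number")
    print(review_audit_log(audit_log))
```

The threshold would in practice be tuned to an agent's normal call volume; the point is that the audit trail records approved reads as well as denied ones, so misuse of granted access is still visible.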

Defense Against the Enemy Within

Because there is currently no technology that can guarantee against data theft at the hands of enemies from within, what can companies do to reduce the likelihood of identity theft from within their organizations?

To determine the best course of action, start by asking these questions:

1. How are background checks conducted of contact center agents? Are references contacted and names checked against criminal databases?

2. What level of defense is needed?

3. Are laptops used and, if so, what type of information is stored on them? If an employee loses his laptop, what security features have been built in so that no one else can access the confidential information?

4. Do contact center employees sign affidavits saying they will not access customer information for personal use?

5. What system is in place for disabling network access when employees are terminated? What formal processes are in place for handling employee grievances and monitoring employee satisfaction?

6. Is there a list of all contact center employees who have access to sensitive information? How often is the list updated? How often should security checks be conducted?

7. How are passwords set up? What level of encryption is used?

8. Should you check employee belongings when they leave the building?

9. Do you outsource any transactions? If so, how are vendors screened? Can they provide background checks for employees accessing your systems? Do they comply with industry standards for authentication? Do they have any vulnerabilities that match the FBI lists of the Top 20 systems issues?

Following the layered approach and adhering to guidelines like those listed above will help to keep the enemy from within at bay.

Author: Chris Lawrence

Chris Lawrence is principal product manager at Aspect Software. For more information visit http://www.aspect.com.

