Chris Lawrence, Aspect Software
Last year, more than 9.9 million Americans fell victim to identity theft. The cost to U.S. businesses and financial institutions was nearly $48 billion, according to a Federal Trade Commission survey conducted in 2003. But it is not always outside hackers who pose the biggest technology security concerns for organizations today. In an increasing number of identity theft cases, the thief is a company employee: the enemy from within.
For disgruntled employees or those unsatisfied with their companies’ policies and compensation practices, the idea of profiting by selling easily accessible customer information can be tempting. In fact, the Yankee Group estimates that 50 percent of security problems in 2004 originated from internal sources, up from 30 percent in 2003. That is not surprising, considering it takes less than five minutes for employees with access to customer data, such as tellers and account managers, to steal someone’s identity.
In recent months some of the world’s largest financial institutions have fallen victim to internal hackers. In those cases, criminal charges have been filed against nine people so far, including seven former bank employees. But this new epidemic isn’t limited to financial institutions. Every business that has a database of customer information needs to be vigilant against such attacks, and that includes electric and gas utilities.
levels of security
How can utility companies protect their important customer data? While no system is 100 percent reliable, there are layers of protection or “defensive walls” that proactive financial institutions can implement to ensure an optimum level of data security.
The SANS Institute, an information security training and certification organization, recommends five layers of protection. The first three defensive walls revolve around the company’s information technology systems and architectures.
It is the fourth wall that’s vulnerable to the enemy from within.
Defensive Wall 1 is a network-based, external-facing layer, designed to block attacks from outside hackers. Using firewalls, managed security services and intrusion detection software, institutions can safeguard web transactions such as electronic bill payments. This is the only layer visible to the general public.
Defensive Wall 2 is designed to block attacks at the host-based level. This layer uses personal firewalls, spyware removal and quarantine software to protect the internal systems and devices, such as PC servers and workstations. Defensive Wall 2 provides a level of protection in the event that a hacker manages to get through Defensive Wall 1.
Defensive Wall 3 eliminates security vulnerabilities. This layer adds another tier of protection, guarding against any exploitation of vulnerabilities within the application layer or operating system. Sitting on the internal systems, this layer protects against vulnerabilities a hacker could exploit to capture customer credit information. It requires configuration management, application security testing, vulnerability management and penetration testing. Constant scanning of all internal systems and applications is a crucial responsibility for companies that wish to comply with this layer. Scanning provides IT professionals with a list of potential vulnerabilities.
It is in Defensive Wall 4, the people layer, that the enemy within can establish a stronghold. This layer is focused on safely supporting authorized users. All the organization’s systems are typically firewalled and guarded as entities unto themselves. This is where companies define who has access to which databases and systems.
For example, an agent handling billing inquiries could have access to customer billing history or account information, while an agent in customer service will only have access to limited customer information, such as name, address and service type. While in theory that may stop a customer service representative from stealing identity information found in the billing or account database, it does not stop that individual from tapping into the identity information stored in his or her approved customer database.
Simply put, even this innermost layer cannot protect against people who have been granted access to a particular server; they can still steal that customer information for profit. But by segmenting the information in different databases and limiting access to that information, an enemy from within could be prevented from stealing the full array of customer details.
Data and file encryption is a crucial element of this layer, but securing the data is not enough. At Wall 4, discretionary access control is also implemented to ensure that users only have access to the specific applications, databases and various system objects for which they have been approved.
The last layer, Defensive Wall 5, consists of tools utility companies can use to minimize business losses and maximize effectiveness. With this layer, organizations should have some level of regulatory compliance and forensics tools in their security portfolio, as well as an established disaster recovery plan and redundancy systems.
Tools that provide audit tracking can help quickly identify when an attack or security breach occurs and what exactly was compromised. This is extremely important for catching hackers and developing future protection plans. These tools also provide reporting data specific to the level of compliance for various government regulations, such as Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley and FISMA. (For more information on these regulations please refer to the SANS website, www.sans.org.)
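The Wall 4 segmentation described above (a billing agent sees billing history, a customer service agent sees only name, address and service type) and the Wall 5 audit tracking can be illustrated together. The following is an added example, not code from the article or from Aspect Software; the role names, customer record and field lists are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample record holding every customer field in one place,
# which is exactly what the article warns against exposing to every agent.
CUSTOMER = {
    "name": "A. Example", "address": "1 Main St", "service_type": "electric",
    "ssn": "000-00-0000", "card_number": "4111-XXXX-XXXX-1111",
    "billing_history": ["2005-01 $82.10", "2005-02 $77.45"],
}

# Wall 4: each role gets an explicit allow-list of fields (hypothetical roles).
# Anything not listed is denied by default; no role here can read the SSN.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "customer_service": {"name", "address", "service_type"},
    "billing": {"name", "address", "service_type", "billing_history", "card_number"},
}

@dataclass
class AuditLog:
    # Wall 5: every read attempt, allowed or denied, is recorded (who, what, when).
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, requested, denied) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role,
            "requested": sorted(requested), "denied": sorted(denied),
        })

def read_customer(user: str, role: str, requested, record, log: AuditLog) -> dict:
    """Return only the fields this role is approved for; log the attempt either way."""
    allowed = ROLE_FIELDS.get(role, set())        # unknown role -> no fields at all
    denied = set(requested) - allowed
    log.record(user, role, requested, denied)
    if denied:
        raise PermissionError(f"{user} ({role}) may not read {sorted(denied)}")
    return {f: record[f] for f in requested}

def denied_attempts(log: AuditLog, threshold: int = 1) -> Dict[str, int]:
    """Wall 5 reporting: users whose denied reads reach the threshold."""
    counts: Dict[str, int] = {}
    for e in log.entries:
        if e["denied"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}
```

Because denied requests are logged rather than silently dropped, the report from denied_attempts is the signal an administrator would review for an agent repeatedly probing fields outside his or her approved set.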
shoring up your defenses
As yet, no technology exists that can guarantee against data theft at the hands of enemies from within. What can companies do to reduce the likelihood of identity theft inside their organizations? To determine the best course of action, start by asking these questions:
1. How are background checks for contact center agents conducted? Are references contacted? Are names checked against criminal databases? This is the one tangible tool that can be used to determine if an individual can be trusted with sensitive information.
2. How many defense walls will be implemented?
3. Are laptops used, and, if so, what type of information is stored on them? For instance, if an executive leaves his laptop behind at an airport, what security features have been built in so that no one else can access his confidential information?
4. Do call center and contact center employees sign affidavits saying they will not access customer information for personal use?
5. What system is in place for disabling network access when employees are terminated? What formal processes are in place for handling employee grievances and monitoring employee satisfaction?
6. Is there a list of all contact center employees with access to sensitive information? How often is the list updated? How often should security checks be conducted?
7. What is the procedure for assigning passwords? What level of encryption is used?
8. Should you check employee belongings when they leave the building?
9. Do you outsource any transactions? If so, how are vendors screened? Can they provide background checks for employees with access to your systems? Do they comply with industry standards for authentication? Do they have any vulnerabilities that match the FBI lists of the Top 20 systems issues?
Following the layered approach and adhering to guidelines like those presented in this article will help to keep the enemy from within at bay.
Chris Lawrence is a principal product manager at Aspect Software, the world’s largest company solely focused on the contact center, and a provider of innovative products and services that enable key business processes including customer service, collections, and sales and telemarketing for in-house and outsourced contact centers.