Data Theft - get serious about security!

Andre Yee’s latest blog on Privacy, Information Theft and Security is prompted by yet more information disclosures, and makes the point that it’s sloppy process that is allowing this to happen. When will we get more serious about security? He’s absolutely right.

In many cases an insider is involved, colluding with accomplices on the outside. This recent case involved a member of staff in HSBC’s back office operations in India, leading allegedly to losses of $425,000. HSBC say that existing operational procedures (unspecified) identified the fraud. While we have to congratulate HSBC for ‘fessing up and for prosecuting the alleged offender, I’m alarmed that their existing procedures don’t kick in until $425k has been lost.

What is astounding is that while all financial institutions have a comprehensive audit trail, very few of them actually do anything proactive with it.

Bizarre as it may sound, the audit trail is rarely looked at – in fact it’s often only examined after a breach has come to light, and then only to size the problem. Note here that I didn’t say that it is used for gathering evidence, simply because these incidents are often dealt with more discreetly. Despite terminating thousands of staff for dishonesty each year, as an industry, financial institutions (HSBC aside) are among the most secretive when it comes to prosecuting insider theft. After all, who wants to trust their hard-earned savings to banks with a dishonesty problem?

Of course this issue is all the more topical due to the current fad of outsourcing customer service functions to cheaper locations globally. Who’s policing these remote sites? Who’s checking the audit log for inappropriate access to confidential data?

Government might ultimately weigh in here. While driven by mass data thefts, new federal legislation, in the form of the US Data Accountability and Trust Act (DATA), is undoubtedly coming that will require disclosure of any compromise of personal confidential data. That’s the theory at least, though DATA looks likely to be so watered down it will be ineffective when it eventually arrives.

So I suspect that while legislation will force disclosure under some circumstances, it’s a sorry state of affairs that we need legislation in the first place. What’s really needed is better security – yes, we need to look at those audit logs every day, preferably automatically, to validate the transactions that are being done on our systems. Validating the transactions will enable financial institutions to find data breaches when they are still minor, and before they grow into a public spectacle.
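As an added example (not part of the original post, and not SeeWhy’s or any bank’s own tooling), here is the kind of automated daily check the paragraph above argues for: a Python script that runs four validation rules over a customer-data audit trail and reports the users worth escalating. The log format, the field names, the business-hours window, the per-user volume threshold and the user and customer identifiers are all assumptions constructed for illustration.

```python
"""Daily automated review of a customer-data audit trail.

Added example, not SeeWhy's or any bank's real tooling. The log format,
field names, rules and thresholds are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (fabricated for this example): one access event per
# line, fields separated by " | ": timestamp, user, action, customer_id, reason_code.
SAMPLE_LOG = """\
2006-06-12T09:14:02 | agent17 | VIEW_ACCOUNT | C10021 | TICKET-5512
2006-06-12T09:15:40 | agent17 | VIEW_ACCOUNT | C10022 | TICKET-5513
2006-06-12T10:02:55 | agent42 | VIEW_ACCOUNT | C10302 | TICKET-5600
2006-06-12T23:41:09 | agent42 | VIEW_ACCOUNT | C10300 | NONE
2006-06-12T23:42:11 | agent42 | EXPORT_CARD_DATA | C10301 | NONE
2006-06-12T14:20:00 | agent99 | VIEW_ACCOUNT | C20001 | TICKET-5700
2006-06-12T14:20:05 | agent99 | VIEW_ACCOUNT | C20002 | TICKET-5700
2006-06-12T14:20:10 | agent99 | VIEW_ACCOUNT | C20003 | TICKET-5700
2006-06-12T14:20:15 | agent99 | VIEW_ACCOUNT | C20004 | TICKET-5700
2006-06-12T14:20:20 | agent99 | VIEW_ACCOUNT | C20005 | TICKET-5700
2006-06-12T14:20:25 | agent99 | VIEW_ACCOUNT | C20006 | TICKET-5700
"""

BUSINESS_HOURS = (8, 18)       # assumed: 08:00-17:59 local time for this site
MAX_CUSTOMERS_PER_USER = 5     # assumed daily baseline for one agent's workload
SENSITIVE_ACTIONS = {"EXPORT_CARD_DATA", "BULK_EXPORT"}  # assumed action names


def parse_line(line):
    """Split one audit line into a dict; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    ts, user, action, customer, reason = parts
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "customer": customer,
        "reason": reason,
    }


def review_audit_log(text):
    """Apply four validation rules; return a list of (rule, user, detail) findings."""
    findings = []
    customers_by_user = defaultdict(set)

    for raw in text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        customers_by_user[event["user"]].add(event["customer"])

        # Rule 1: every look-up of confidential data must cite a business reason.
        if event["reason"] == "NONE":
            findings.append(("no_reason_code", event["user"], event["customer"]))

        # Rule 2: access outside the site's working hours is unusual for back office.
        start, end = BUSINESS_HOURS
        if not start <= event["ts"].hour < end:
            findings.append(("out_of_hours", event["user"], event["ts"].isoformat()))

        # Rule 3: export / bulk actions are high impact and always reviewed.
        if event["action"] in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", event["user"], event["action"]))

    # Rule 4: one agent touching many distinct customers in a day exceeds baseline.
    for user, customers in customers_by_user.items():
        if len(customers) > MAX_CUSTOMERS_PER_USER:
            findings.append(("volume_exceeded", user, str(len(customers))))

    return findings


def users_to_escalate(findings):
    """Sorted list of users with at least one finding, for the daily review report."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_LOG)
    for rule, user, detail in results:
        print(f"{rule:18} {user:8} {detail}")
    print("escalate:", ", ".join(users_to_escalate(results)))
```

Run against the sample, the script flags agent42 for two look-ups with no reason code, both made late at night, one of them a card-data export, and flags agent99 for touching more distinct customers than the assumed daily baseline; the genuinely routine accesses by agent17 produce nothing. The point is that each rule is cheap, runs every day rather than after a breach, and turns the audit trail from a forensic afterthought into a control.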

It’s a simple choice – fix the problem at source, or wait for a big data theft to hit you and then you too can have your fifteen minutes of fame.
