Banks unaware of the criminal mole problem

Intriguing to hear a podcast late last week on the Infosecurityadvisor.com Web site by Peter Wood - a member of the ISACA Conference Committee - about how easy it is steal data from companies.

In the podcast, Wood, who is also the founder of First Base Technologies, revealed how he and a pal walked unchallenged into an insurance company and were able to steal all their data as part of a security exercise.

And, he said, he's not the only one to get away with stealing data; very often, he says, companies unwittingly hire people whose sole purpose is to steal data.

"Some people in the banking community have quietly and anonymously said to me over the last year that they have found employees who have been placed in their company by criminal gangs and they have been operating as moles over that period," he explained.

The problem, says Wood, is that firms make the mistake of storing sensitive and confidential data in one place, making it very easy for crims to steal data.

According to Wood, intellectual property or large credit card data bases are probably the primary targets and, since a single flash drive can now store an entire company database, one hit is all it takes to give the crims what they want.

So how can you stop your database from walking out of the door in a new employee's pocket?

Wood says that people are the most important part of the security equation, because, if people are given some baseline education on how to look for criminal activity then they can be the greatest asset for their employers.

"I think there is a huge gulf between the technical controls that firms put in place and the human plus human resources control and the physical premises control," he said, adding that there is little or no communication between the three areas and it's through the gaps that result, that crims can operate unchallenged.

The solution, Wood went on to say, is quite simple, and revolves around three main concepts:

* Good quality vetting of staff and third parties,

* An awareness campaign that is intelligently designed and has a strong focus to encourage and inform people, and,

* Conducting regular meetings with HR, physical security, IT security and the business to provide a holistic defence against an attack.

You can listen to the podcast here...