Technology is not, it seems, the only answer to this age-old "insider threat," which is rooted in human nature.
Finishing up our series, "Security perspectives on call center ID theft risks," we ask how a CIO could possibly protect data from being compromised by an insider with a very sharp memory, armed with nothing more than pen and paper.
Last week, we examined the Hagen insider identity theft case, where a Bank of America employee siphoned personal information from accounts over $100k into a personal stash to be sold later. As our last article mentioned, he was caught, but his only weapon was allegedly pen, paper and a sharp memory.
Data theft via insider collusion
The Hagen case occurred stateside, and it is not isolated: the newly released 2010 U.S. Secret Service / Verizon Business research into data breaches spotlighted the growing risk of insider collusion:
Often in these types of attacks, a disgruntled insider with access to sensitive information will act as an enabler by providing outside cybercriminals with corporate account information, such as authentication credentials. In the end, there often is no way to pin the crime on the external perpetrator so the insider winds up taking the fall and never even gets paid.
A majority of internal breaches were caused by regular employees, as opposed to accounting personnel, system administrators or upper management, who traditionally have more access rights to sensitive data.
In a recent email exchange, identity theft guru George Jenkins got me up to date with his latest research into call center risks, particularly from those located offshore:
Since I wrote that series in 2008, little has changed. Few reporters or bloggers write about the issues related to breach notification with offshore outsourcing. The breach notifications we consumers receive in the U.S. are still U.S.-only. It's relevant due to a global, interconnected economy.
In 2009, researchers at the University of New South Wales published a working paper about breach notification laws worldwide. The laws globally are emerging, and definitions aren't standardized. Theft is largely under-reported.
Call centers have real threats from insiders. Where background checks and employment history may weed out the criminals who intentionally penetrate call centers stateside, I am not aware of risk mitigation from external call centers hosted in India, the Ukraine, the Philippines and elsewhere.
This should be of considerable interest to any CIO who is right now considering how to structure offshore call center operations or whether to keep the operations stateside.
Top three proactive solutions mitigating the insider threat
As noted in Law 31 of the 33 Laws of War, there is a reversal or solution which should be of interest to the CIOs who must defend against the insider threat. Simply put:
Look for the saboteur within, but do not be paranoid. Treat your troops fairly and they will police themselves.
This strategy will include approaches not traditionally considered by CIOs and IT managers to be within their scope of operations. Referring once again to the leadership component of warfare, the 33 Laws of War has a simple yet complex human solution:
Satisfy, engage and unite your team. This denies an enemy the insider threat potential and builds morale of your team.
1. For a CIO to effectively combat the insider threat, the human element must be fully considered. By working closely with an HR department, the necessary fusion of leadership and role-based permissions can be developed into an interlocking defensive strategy.
2. Positive influence, including upward mobility and solid benefits, must be considered as important as server policy and role settings. Employees offered a career track with milestones, instead of just a transitory bill payment opportunity, will not be strongly incentivized to risk their future – if they have a definable future.
3. Consider that some satisfaction cannot be bought. Rather, look to engage and unite your team. Better still, the research shows that employees frequently are not moved by more money or benefits, the approach usually referred to as carrot-and-stick leadership. Instead, Daniel Pink documents that employees desire autonomy, mastery and purpose:
Drawing on four decades of scientific research on human motivation, Pink exposes the mismatch between what science knows and what business does – and how that affects every aspect of life.
He demonstrates that while carrots and sticks worked successfully in the 20th century, that's precisely the wrong way to motivate people for today's challenges.
In Drive, he examines the three elements of true motivation – autonomy, mastery and purpose – and offers smart and surprising techniques for putting these into action.
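To make the "role-based permissions" side of point 1 concrete, here is an added example in Python. It is not code from this column or from any organization it discusses. The idea is that the HR roster, not the application, decides who holds which role and whether they are still employed; the role decides whether an agent sees account identifiers masked or in full; every lookup is logged; and a simple review check flags anyone viewing unmasked data on an unusual number of high-balance accounts, the kind of browsing the Hagen case involved. Role names, the use of the column's $100k figure as the "high value" line, the sample employees and accounts, and the review threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Roles and the permissions they carry. Role names are assumptions for this example.
ROLE_PERMISSIONS = {
    "agent_tier1": {"view_summary"},                     # sees masked identifiers only
    "agent_tier2": {"view_summary", "view_full_pii"},    # may unmask when a case needs it
    "fraud_analyst": {"view_summary", "view_full_pii", "review_log"},
}

HIGH_VALUE_BALANCE = 100_000  # the $100k line from the column's case, used here as an assumed cutoff


@dataclass
class Employee:
    emp_id: str
    role: str
    active: bool = True  # HR sets this False on departure; access ends at the same moment


def permissions_for(roster, emp_id):
    """Resolve permissions from the HR roster: unknown or inactive staff get none."""
    emp = roster.get(emp_id)
    if emp is None or not emp.active:
        return set()
    return ROLE_PERMISSIONS.get(emp.role, set())


def mask(value, visible=4):
    """Keep only the trailing `visible` digits of an identifier: 123-45-6789 -> ***-**-6789."""
    out, kept = [], 0
    for ch in reversed(value):
        if ch.isdigit() and kept < visible:
            out.append(ch)
            kept += 1
        elif ch.isdigit():
            out.append("*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def lookup_account(roster, accounts, log, emp_id, acct_id):
    """Return the view of an account the employee's role allows, logging every lookup."""
    perms = permissions_for(roster, emp_id)
    if "view_summary" not in perms:
        raise PermissionError(f"{emp_id} may not view accounts")
    acct = accounts[acct_id]
    full = "view_full_pii" in perms
    log.append({"emp_id": emp_id, "acct_id": acct_id, "full_pii": full,
                "high_value": acct["balance"] > HIGH_VALUE_BALANCE})
    return {"acct_id": acct_id, "holder": acct["holder"], "balance": acct["balance"],
            "ssn": acct["ssn"] if full else mask(acct["ssn"])}


def flag_high_value_browsing(log, threshold):
    """Employees who saw unmasked data on more than `threshold` distinct high-value accounts."""
    seen = defaultdict(set)
    for entry in log:
        if entry["full_pii"] and entry["high_value"]:
            seen[entry["emp_id"]].add(entry["acct_id"])
    return {emp for emp, accts in seen.items() if len(accts) > threshold}


# Constructed sample roster and accounts (not real people or balances).
ROSTER = {
    "e100": Employee("e100", "agent_tier1"),
    "e200": Employee("e200", "agent_tier2"),
    "e300": Employee("e300", "fraud_analyst"),
    "e400": Employee("e400", "agent_tier2", active=False),  # left the company; HR flipped the flag
}
ACCOUNTS = {
    "a1": {"holder": "A. Example", "balance": 250_000, "ssn": "123-45-6789"},
    "a2": {"holder": "B. Example", "balance": 150_000, "ssn": "987-65-4321"},
    "a3": {"holder": "C. Example", "balance": 120_000, "ssn": "555-12-9876"},
    "a4": {"holder": "D. Example", "balance": 3_000, "ssn": "111-22-3333"},
}


def demo():
    """Run a small sequence of lookups and return what each control produced."""
    log = []
    tier1_view = lookup_account(ROSTER, ACCOUNTS, log, "e100", "a1")
    for acct_id in ("a1", "a2", "a3", "a4"):             # tier-2 agent touring large balances
        lookup_account(ROSTER, ACCOUNTS, log, "e200", acct_id)
    lookup_account(ROSTER, ACCOUNTS, log, "e300", "a2")  # analyst working a single case
    try:
        lookup_account(ROSTER, ACCOUNTS, log, "e400", "a1")
        leaver_denied = False
    except PermissionError:
        leaver_denied = True
    return {"tier1_view": tier1_view, "leaver_denied": leaver_denied,
            "flagged": flag_high_value_browsing(log, threshold=2)}


if __name__ == "__main__":
    print(demo())
```

The point of routing every permission decision through the HR roster is that a termination or role change in HR takes effect on the application the moment it is recorded, rather than waiting for someone to remember to revoke access. The flat threshold in `flag_high_value_browsing` is deliberately simple; a real deployment would baseline each agent's normal mix of accounts and flag departures from it, since agents legitimately view many accounts in a shift.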
Ireland: 1, other call center locations: 0
One positive note about outsourced call center data security recently developed as this column was being researched.
Ireland, an island nation of 4 million, hosting a historically strong offshore call center presence, did not have compulsory data breach disclosure. As of June 2010, it now offers this protection.
If I were a CIO or IT manager considering offshoring corporate call center operations, I would now consider Ireland long before considering other countries with nebulous or untested data breach disclosure. Compulsory disclosure is one step in the right direction toward providing the best protection for corporate and consumer interests.
Are there any other offshore call center or data center locations which offer strong compulsory data breach disclosure? Let me know in the comments.