CyberSecurity Institute

In 87% of the cases the insiders employed simple, legitimate user commands to carry out the attacks, and in 78% of the incidents, the insiders were authorised users with active computer accounts. Most were motivated by financial gain, with 30% of user organisations realising losses above $500,000.

The report states: “Management attention on financial performance, to the exclusion of good risk management practices, seems to be a recurrent theme in some of the cases in this study.” Reducing the risk of these attacks requires organisations to look beyond their information technology and security to their overall business processes, says the report authors.

The study confirms Gartner research, published in 2003, showing that insiders represent a significant and underappreciated class of threat agent.
Gartner estimates that through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorised use of computers and networks.

The analyst group recommends that financial service providers conduct a confidential inventory of all individuals with the technical skills, means or motivation to damage the company’s systems or misuse information. Firms should then look to reduce or eliminate the threat from these parties, wherever possible, by taking steps such as changing passwords and access rights immediately when an insider’s status changes – for example, when an employee leaves, relationships with auditors or suppliers change or consultants complete a project.

http://www.finextra.com/topstory.asp?id=12404

The principles are intended to guide firms and regulators to maintain high standards of corporate governance and risk management in an environment of rapid IT innovation and a high reliance on external service providers.

The Joint Forum consists of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors.

In summary, regulated entities should:

– Assess whether and how activities can be appropriately outsourced, under the aegis of the board of directors.
– Establish a comprehensive outsourcing risk management program.
– Prevent outsourcing from impeding regulatory supervision or disrupting customer obligations.
– Conduct appropriate due diligence when selecting third-party service providers.
– Use written contracts to govern all material aspects of outsourcing relationships.
– Establish and maintain contingency plans with service providers.
– Ensure that confidential information is protected from unauthorized disclosure.

On the last point, regulators have taken note of the potential vulnerability in having too many banks using too few service providers, or having several banks share a common disaster recovery site.

The report states: “When a limited number of outsourcing service providers (sometimes just one) provide outsourcing services to multiple regulated entities, operational risks are correspondingly concentrated, and may pose a systemic threat.”

The Joint Forum recommends risk mitigation tools including adequate contingency planning by regulated entities, ongoing monitoring and awareness, supervisory programs and risk assessments.

http://www.bankinfosecurity.com/?q=node/view/1593