10 Summary of the Guide

10.1. Final Thoughts of the Chapters

This book sets out nine essential reference guides and principles that can be used by crime prevention practitioners, security managers, criminologists, HR personnel and researchers for effective prevention of internal information theft in retail businesses.

Chapter 1 has provided an understanding of internal information theft in the context of retail business. Internal information theft has been identified as, in most cases, the deliberate stealing of business or customer information, made possible by employees being overly trusted while subject to few security and crime prevention controls.

Chapter 2 provided an analysis of the characteristics of perpetrators of internal information theft in retail businesses. It answered basic questions related to how and when internal information theft-related crimes are perpetrated, who perpetrates the crimes and why. Some of the answers to the question of when are: during retail business operations and during maintenance. As for the question of why information thefts are perpetrated, the common answers include financial gain, supported by rationalisation. The methods of perpetration include the use of legitimate system commands; exploitation of known or newly discovered design flaws in systems; collaboration; coercion; infiltration and social engineering. The perpetrators can be managers, employees or technicians. In summary, a perpetrator of internal information theft can be described as follows:

  • a trusted insider who abuses that trust to disrupt operations, corrupt data, exfiltrate sensitive information, or compromise an IT (information technology) system, causing loss or damage;
  • a current or former employee, contractor, or other business partner who has or had authorised access to an organisation's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the company's information or information systems;
  • an employee (manager, shop-floor employee or other "member") of a host company that operates a computer system to which the insider has legitimate access;
  • an associate, contractor, business partner, supplier, computer maintenance technician, guest, or someone else who has a formal or informal business relationship with the company;
  • anyone authorised to perform certain activities, for example, a company's customer who uses the company's system to access his or her account;
  • anyone properly identified and authenticated to the system including, perhaps, someone masquerading as a legitimate insider, or someone to whom an insider has given access (for example by sharing a password);
  • a former insider, now using previously conferred access credentials not revoked when the insider status ended, or using access credentials secretly created while an insider to give access later;
  • someone duped or coerced by an outsider to perform actions on the outsider's behalf;
  • a criminal who uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else's name.

Common forms of internal information theft derived from the case analysis

  • Unauthorised extraction, duplication, or exfiltration of data;
  • Unauthorised tampering (destruction and deletion of critical data assets or records);
  • Downloading from unauthorised sources or use of pirated software which might contain backdoors or malicious code;
  • Eavesdropping, packet sniffing, spoofing and impersonating other users;
  • Social engineering attacks via collaboration and collusion;
  • Misuse of resources for non-business-related or unauthorised activities;
  • Purposefully installing malicious software.

Common characteristics of internal information theft derived from the case analysis

  • Actions were planned;
  • Motivation was financial gain;
  • Information theft acts were perpetrated while on the job;
  • Information theft cases were usually detected by non-security personnel;
  • Information theft cases were usually detected through manual procedures;
  • Most internal information theft acts required little technical sophistication.
Table 10.1  Summary of the Nature of Internal Information Theft

Impact of information theft

  • Financial costs: a huge budget allocation goes into job recruitment, training, data security, software security, investigation, court proceedings and information security auditing;
  • Losses: loss of customer trust; job loss; damage to the business name;
  • Inestimable cost and loss: the actual records of approximate loss and cost may not be quantifiable.

Causes and motivations for internal information theft

  • Financial gain: perpetrators use the stolen data for commercial or monetary gain, e.g., opening a bank account, applying for a loan or credit card, or obtaining goods or access to facilities or services;
  • Cost of data security: human weaknesses in relation to the conflicting operational demands placed upon staff;
  • Socio-economic issues: family issues and cultural backgrounds; lifestyle; personal issues such as vicissitudes;
  • Vulnerability of data security: leakages, loss of devices, misplaced or forgotten access paths and the complexity of security operations;
  • Availability of customer data because business operations and processes use cards.

Methods of information theft

  • Stealing with paper, pen, wallet, recording, typing and copying;
  • Redirecting customers' orders to a different address; selling the data on the black market;
  • Organised crime: collusion, collaboration and infiltration, computer means, hacking;
  • Researching customers' personal information; buying customer data from employees with unrestricted access.

Chapter 3 explains the operations of retail business and the implications for internal information theft prevention. This chapter described the role that management, as the "people" element, plays in the prevention of internal information theft, and discussed how people, process and technology can be integrated to implement effective internal information security. A more technologically advanced retail company with better information processing, guided by effective security management, is more capable of preventing internal information theft than one without.

The integrated security and governance systems in smaller retail companies are generally weak. Indeed, the governance of some companies remains problematic, with a lack of management oversight and an inappropriate focus on critical security issues. Some company data protection policies set requirements for employees to comply with, but there is rarely substantial evidence that this is happening, or that policies are being implemented effectively and monitored by security management. Overall, such companies depend on technology-based software security, neglecting the security capability of an integrated security management oriented around people, process and technology.

Chapter 4 explored the available information theft prevention frameworks and their practical implementation issues. The failure of most of these frameworks has been attributed to the lack of clear roles and responsibilities given to security managers and administrators. The generic frameworks and practices for prevention of internal information theft were not appropriate, although some (e.g., integrated security management and information security audit) have improved significantly in recent years. The view of this chapter is that there is a need to design a comprehensive framework that incorporates process, people and technology; the independent use of software technology in preventing internal information theft is not enough. Overall, the view of this chapter is that checks and security controls in retail in relation to the prevention of information theft are still weak and need to be improved. The weaknesses in the system are at several levels:

  1. The security practices governing mitigation of internal information theft—in particular ‘at cost’ requirement—are insufficiently robust.
  2. Mechanisms to identify and address the more intangible ways of carrying out internal information theft schemes (e.g., collaboration; coercion; infiltration and social engineering) in the wider system are almost non-existent.
  3. Some partner companies are not adhering to the underlying security guidance/practices and/or are not doing enough to mitigate the security risks. This appears particularly likely in the younger, fast-growing online retail companies.
  4. The capacity and skills of the outsourcing companies that work with auditing managements are insufficient to ‘get below the surface’ of what is going on (and in any case are not designed to be preventative).

Chapter 5 reflects on information security challenges in preventing internal information theft. This chapter explores the challenging issue of whether online retail companies have the capacity or skills required to fulfil their roles in preventing internal information theft. Some of the challenging issues identified are that neither the retail companies nor the regulatory bodies (e.g., police, information/data protection regulators) are "fit enough" with respect to guarding against information theft. The ability of retail companies to control intangible perpetration mechanisms (e.g., infiltration and social engineering) that do not involve "much money" seems almost non-existent. Hopes that the law enforcement agencies (e.g., police) will address these issues are low. These are certainly the most challenging issues that will need to be addressed in relation to the new approach. Retail management should broaden its security capability and priorities by aligning its roles with emerging challenges and implementing collaborative management. This effort, if implemented effectively, would counter the broader sense that retail company security management lacks clarity of roles and is overly disjointed, from complementary management functions through to law enforcement agencies.

Chapter 6 explains the concept of collaborative internal information theft prevention and how this concept can be applied in retail businesses. Although the benefits and impact of integrated management overall remain contested, there is substantial evidence that collaborative security practices can work in addressing information theft prevention challenges.

The integration of people, process and technology has been shown to improve systems security where the independent use of technology-based software security has not proved effective. Retail companies need to intervene and adopt this new approach to secure their proprietary information. Security managers should take a bold step in adapting to the advancement of internal information theft schemes and develop a robust system over time: they should not invest solely in IT security, which might put other projects at risk given the cost of advancing IT security.

Nevertheless, company policies demand that managers must be able to account for every area of business investment being balanced as intended. At present, it seems that interpretation of what this means in practice is largely left to the retail companies’ boards and IT security managers to decide. Most worryingly, it seems that some essential prevention practices (e.g., security risk assessment, contingency plans and crimes investigation) are being signed off within the existing retail companies’ policies to save the cost of continuing IT security maintenance. The recommendations of this chapter include key elements of a role-based model for preventing information theft:

  • Management should be given clear roles regarding information theft, and these roles should be constantly reiterated;
  • Management should be collaborative (e.g., sharing crimes incident analysis, risk evaluation reports, security audit details) in their functional roles;
  • Integration of people, process and technology for any adoption of preventive strategy should be considered.
  • Ensure proper education and awareness on the part of employees and customers towards prevention of internal information theft;
  • Take issues of internal information theft as a corporate social responsibility to consult and engage with stakeholders and employees;
  • Clearly document and consistently enforce policies and controls by instituting periodic security awareness training for all employees; and
  • Develop an incident response plan to control the damage from internal information theft perpetrators, assist in the investigative process, and incorporate lessons learned to continually improve the plan.

Chapter 7 provided knowledge of the application of collaborative security management in selected UK retail companies. This chapter presents results of cross-case analysis in selected UK retail companies, to show the benefits of collaborative management in the use of an information security audit (ISA). It is important that management should review the current services which permit access to proprietary resources (e.g., servers, web application, customer detail) that are in their business operations and those that are contracted to partners and outsourcing agencies. This should include detailed analysis of whether existing security risks are indeed analysed and, if not, how the services and/or contract could be policed in practice.

Management should consider whether further steps are required to strengthen the regulations for data protection and security governance with partners. For example, we understand why outsourced retail companies often have to rely heavily on external security auditors, but we believe it should be possible for external and internal security auditors to work together. Ideally, no outsourced companies would take up the cost of auditors, but they should be encouraged to appoint part-time auditors to ensure sound security and share responsibilities with outsourcing bodies. The view of this chapter is that any such services and maintenance arrangements are potential security risks, giving employees and outsiders opportunities to collude, and should be monitored.

Collaborative information security audits involving cross-functional management can improve security and help to assess whether there are gaps in their roles alignments in analysing crime incidents.

Chapter 8 looks beyond practical implementation of security tools in prevention of internal information theft. It explores the application of crime prevention theories to internal information theft. The management should incorporate knowledge of other crime prevention frameworks across disciplines to tackle the complex and multifaceted nature of internal information theft. Because information theft is mostly motivated by socio-economic issues, the services of psychologists and criminologists, for instance, should be sought occasionally to contribute to employee well-being.

Chapter 9 advises on the recommended security practices garnered from renowned IS security consulting firms and research experts. Information security strategies are practices intended to ensure that employees do not steal and leak sensitive/critical retail business information. The strategies include software products that can help security professionals control what information employees can process during retail operations. Management should implement the key technical security and monitoring processes, which include:

  • Log, monitor, and audit employee online actions;
  • Restrict access to personal identifiable data/information;
  • Pay special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., desk staffers, accountants and managers).

10.2 Recommendations for Security and Crime Prevention Management

The recommendations are meant to direct IT security and crime prevention management to lessons drawn from information theft case analysis and strategic data security practices. Thus, the recommendations focus on the specific issue of how to prevent and minimise occurrences of internal information theft:

  1. Proactive information security and control: Management should recognise the personal predispositions of their employees/contractors and understand the impact they have on internal security risks.
    • First, retail companies should manage the expectations of employees to minimise unmet expectations. This can be achieved through communication between managers and employees in the form of regular employee reviews, taking action to address employee dissatisfaction when possible, and consistent enforcement of policies for all employees so that individual employees do not come to feel that they are above the rules or that the rules are unjustly applied. When the expectations of insiders are in line with retail practices and policies, unmet expectations are not an issue.
    • Second, companies can institute an acceptable use policy, describing the employee’s roles and responsibilities when using the company’s information systems. The policy should be given to each employee as part of their orientation. As changes to the policy occur, employees need to be made aware of the changes and the impact to them. In addition, the policy should be consistently enforced for all employees so that no employees may feel that they are above the rules.
    • Third, managers, in conjunction with Human Resources, can clearly define job responsibilities for each employee. Processes such as performance reviews can be used to check and set expectations periodically.
    • Management should review the current services which permit access to proprietary resources (e.g., servers, web applications, customer details) that are contracted to partners and outsourcing agencies. This should include detailed analysis of whether existing security risks are indeed analysed and, if not, how the services and/or contract could be policed in practice. Our view is that any such services and maintenance arrangements are potential information theft risks, giving employees and outsiders opportunities to collude, and should be monitored;
  2. Handling employees' disgruntlement through effective intervention: As retail companies discover the behavioural precursors exhibited by dishonest employees, they can employ positive intervention strategies to lower the disgruntlement of the insider. While the intent of employee sanctioning may be to reduce undesirable behaviours, it may backfire in some cases: disgruntlement increases, leading to more disruptive behaviour. When positive intervention is used, the disgruntlement might be reduced, eliminating additional behavioural precursors as well as the escalation to technical precursor behaviours. Management should review the arrangements for the security and crime prevention team to assess whether there are gaps in the alignment of roles for analysing crime incidents. Our view is that poorly defined management roles can be a stressor for employees, and disgruntled employees emerge whenever roles go against their personal values;
  3. Targeted monitoring of employees' activities: It is usually not practical for a retail company to monitor every behavioural and technical action taken by each employee. However, a reasonable level of proactive logging of online activity across the organisation's network provides data that can be monitored or audited for suspicious activity proactively, or targeted at people whose activities are already suspicious.
    • Based on findings from the case analyses, for example, periodic account audits could be effective in detecting backdoor accounts that could be used for malicious employee activity. As the perceived risk of an insider attack increases, due to detection of behavioural or technical precursors, the amount of technical and behavioural monitoring should also increase. Enhanced monitoring could lead to discovery of precursor activity, enabling the company to identify individuals at a higher risk of criminal behaviour and implement more targeted individual monitoring. If a manager notices an employee progressing through the pattern of dishonest behaviour, they might consider an audit of that employee's online activity and, if the actions are extreme enough, perhaps escalate the level of logging of that employee's online activity. Note that policies should be in place in advance of such targeted monitoring; an organisation should not perform these actions without consulting its legal department in advance.
  4. Removing forgotten/unknown access paths to information systems: A company's full awareness of the access paths available to an insider is critical to being able to disable those access paths when needed. The literature on managing the risks of information theft distinguishes two categories of access path: those known to the company and those unknown to it. Management or the IT staff may forget about known paths, making them unknown; this "forgetting" path is how an access path moves from the known to the unknown category. For example, an IT security manager might authorise a software developer's request for the system administrator password during a time of heavy development. At that point in time the system administrator password is an access path known to the organisation. If a formal list of employees with access to that password is not maintained, the manager could forget that decision over time. The manager may also simply resign from the company, leaving no "organisational memory" of the decision to share the system administrator password. In either case, the system administrator password has now become an access path unknown to the company. Conversely, the IT staff may discover unknown paths, making them known. Access paths can be discovered by monitoring network traffic or by computer system account auditing, for example. Monitoring network traffic allows suspicious network traffic to be identified for further investigation; account auditing allows unauthorised accounts to be discovered directly;
  5. Effective measures should be implemented during employment termination/demotion: Termination or demotion was the final precipitating event in many cases we examined. It is important that organizations recognize that such precipitating events may cause the insider to take technical actions to set up and carry out the attack possibly using previously acquired unknown access paths. A clearly defined process for demotions and terminations in combination with proactive IT best practices for detecting unknown access paths and eliminating unauthorized access paths can reduce the dishonest employee’s ability and/or desire to attack the organization. Prior to the demotion or termination, companies should be certain about what access paths are available to the employees. If the employee role is to be terminated, the company must disable all access paths prior to notifying the insider of the action. It is important to understand that if the company has been lax in tracking and managing access paths, it could be too late to confidently demote or terminate an employee without fear of retribution.
    • When a demotion occurs, the company should analyse the roles and responsibilities of the new position and update authorization levels and access controls, including role-based access. Some organizations in the cases we analysed overlooked the change in privileges, allowing the employee to retain privileges from their previous position, giving them access to information beyond that needed for their new position. In addition, expectation setting during a demotion or termination can be a deterrent against future attacks. The employee should be clearly told what the acceptable use policy is regarding their new position, what their roles and responsibilities are in their new role, what their performance improvement plan is (if one exists), and that future monitoring and auditing will be implemented to measure job performance against individual and organizational goals and objectives;
  6. Effective implementation of administrative checks and controls through HR: Personnel (HR) rules and procedures for employees include "soft" administrative controls intended to prevent confidential data leakage. Examples include a corporate customer privacy policy or employee ethics training. Background checks in theory could screen out employees predisposed toward, or with a history of, careless or dishonest behaviour. However, our case analyses and reports from the literature have shown that some convicted inside criminals had prior arrests, throwing the efficacy of background checks into doubt. Corporate security or privacy policies may attempt to prescribe correct handling of sensitive information. However, policies that are not supported by clear procedures, training, and tools are generally doomed to be ineffective or disregarded. Management should consider whether further steps are required to strengthen the regulations for data protection and security governance with partners.
    • For example, we understand why outsourced retail companies often have to rely heavily on external security auditors, but we believe it should be possible for external and internal security auditors to work together. Ideally, no outsourced companies would take up the cost of auditors, but they should be encouraged to appoint part-time auditors to ensure sound security and share responsibilities with outsourcing bodies;
  7. Collaborative security and information theft prevention initiative: Management should hold an enquiry session to understand whether the law enforcement agencies should be incorporated to contribute occasionally to their crime prevention forum. An alternative might be to require that law enforcement agencies become a non-departmental body rather than an independent body, thereby giving information theft prevention more comprehensive consideration alongside management. The management team should be multidisciplinary in structure to tackle the complex and multifaceted nature of the crimes.
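Recommendations 3, 4 and 5 above all come down to one recurring control: periodically reconcile what the systems actually contain against the HR roster and a register of approved grants, so that backdoor accounts, "forgotten" access paths, privileges retained after a demotion and credentials left active after a termination all surface as findings. The following is an added worked example of such an account audit, written for this chapter and not taken from the book's case material or from any real retailer. The role model (ROLE_ENTITLEMENTS), the user names, systems, dates and the idea of an expiry date on each out-of-role grant in the register are all assumptions for illustration.

```python
"""Access-path reconciliation for a periodic account audit (constructed example).

Compares the accounts that exist on retail systems with the HR roster and the
authorisation register, and reports access paths that have slipped from
'known' to 'unknown'. All names, roles, systems and dates are assumed sample
data, not drawn from any real company or from the book's cases.
"""
from dataclasses import dataclass
from datetime import date

# Assumed role model: the privileges each role is entitled to by default.
ROLE_ENTITLEMENTS = {
    "shop_floor": {"pos_app"},
    "store_manager": {"pos_app", "customer_db_read"},
    "developer": {"dev_env"},
    "sysadmin": {"pos_app", "customer_db_read", "customer_db_admin", "shared_admin_pw"},
}


@dataclass(frozen=True)
class Person:
    user: str
    role: str      # current role, i.e. the new role after any demotion
    status: str    # "active" or "left"


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    privileges: frozenset
    last_login: date


def reconcile(roster, register, accounts, today, dormant_days=90):
    """Return audit findings as (code, user, system, detail) tuples.

    roster:   HR view of who works here and in which role.
    register: formally approved out-of-role grants, {(user, privilege): expiry}.
              A grant with no register entry is an access path the company has
              forgotten, or never knew about.
    accounts: what the systems actually contain.
    """
    people = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user)
        if person is None:
            # No HR record at all: a backdoor account or a long-gone insider.
            findings.append(("ORPHAN_ACCOUNT", acct.user, acct.system,
                             "no HR record; disable and investigate"))
            continue
        if person.status == "left":
            findings.append(("LEAVER_STILL_ACTIVE", acct.user, acct.system,
                             "credentials not revoked at termination"))
            continue
        entitled = ROLE_ENTITLEMENTS.get(person.role, set())
        for priv in sorted(acct.privileges - entitled):
            expiry = register.get((acct.user, priv))
            if expiry is None:
                # Held in practice but recorded nowhere: the 'forgotten' access path.
                findings.append(("UNREGISTERED_GRANT", acct.user, acct.system,
                                 f"{priv} not entitled by role {person.role} and not in register"))
            elif expiry < today:
                findings.append(("EXPIRED_GRANT", acct.user, acct.system,
                                 f"{priv} approved until {expiry}; still present"))
        if (today - acct.last_login).days > dormant_days:
            findings.append(("DORMANT_ACCOUNT", acct.user, acct.system,
                             f"no login for more than {dormant_days} days"))
    return findings


def access_paths_to_disable(user, accounts):
    """Everything to revoke before the employee is told about a termination."""
    return sorted((a.system, tuple(sorted(a.privileges)))
                  for a in accounts if a.user == user)


def audit_codes(findings):
    """Summarise findings as {user: set of finding codes} for quick review."""
    out = {}
    for code, user, _system, _detail in findings:
        out.setdefault(user, set()).add(code)
    return out


# --- constructed sample data (assumed, for illustration only) --------------
TODAY = date(2014, 9, 1)

ROSTER = [
    Person("asmith", "store_manager", "active"),
    Person("bjones", "developer", "active"),
    Person("cwhite", "shop_floor", "active"),   # demoted from store_manager
    Person("dgreen", "sysadmin", "left"),
]

# The developer was given the shared admin password for a release window in
# spring; the register says it should have lapsed at the end of April.
REGISTER = {("bjones", "shared_admin_pw"): date(2014, 4, 30)}

ACCOUNTS = [
    Account("asmith", "pos", frozenset({"pos_app", "customer_db_read"}), date(2014, 8, 29)),
    Account("bjones", "prod_db", frozenset({"dev_env", "shared_admin_pw"}), date(2014, 8, 28)),
    Account("cwhite", "pos", frozenset({"pos_app", "customer_db_read"}), date(2014, 8, 30)),
    Account("dgreen", "prod_db", frozenset({"customer_db_admin"}), date(2014, 2, 1)),
    Account("svc_backup2", "prod_db", frozenset({"customer_db_admin"}), date(2014, 8, 31)),
]

if __name__ == "__main__":
    for finding in reconcile(ROSTER, REGISTER, ACCOUNTS, TODAY):
        print("%-20s %-12s %-8s %s" % finding)
    print("disable before notifying dgreen:", access_paths_to_disable("dgreen", ACCOUNTS))
```

On the sample data the audit reports the expired shared-password grant still held by the developer, the customer database read privilege retained by the demoted shop-floor employee, the sysadmin account that outlived its owner's employment, and an account with no HR record at all; the store manager, whose privileges match her role, produces no finding. The register's expiry date is what turns the manager's one-off authorisation into an access path that stays known even after the manager leaves.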

10.3. Conclusions

The socio-economic and security impacts of internal information theft overall remain high. However, there is a strong argument that security and crime prevention management is working hard to address the impact on retail companies that face real challenges and where IT security alone has not proved effective. It seems strategic that IT security and crime prevention management need the cooperation of other management bodies to intervene and make decisions in the interest of customers and to secure online transactions. Equally, there is a universal recognition that information theft is not restricted to "within" the retail environment: there are numerous examples of internal information theft cases that involved external parties (e.g., outsourcing agents, contractors and criminal gangs via collaboration, social engineering, coercion and collusion). Any consideration of ways to prevent internal information theft in retail companies should aim for an appropriate integration between software security and human-oriented security. This integration would allow responsibility to be devolved to every member of management without inadvertently preventing managers from fulfilling their roles in preventing information theft or from being incentivised to do so.

Nevertheless, the PCI DSS and existing legislation/regulations state that retail companies must be able to ensure that payment card data is kept safe both during and after transactions.

At present, it seems that the interpretation of what this means in practice is largely left to individual retail companies and their management to decide. The frameworks and systems for guiding and regulating how they do that are being challenged more than they were a few years ago; moreover, the general sense from both the literature and the evidence collected for this study is that the checks and balances are still weak. This is partly because the capacity and skills of IT security and crime prevention management are insufficient to deal with the sheer number of internal information theft incidents in retail companies.

In addition, the analyses of internal information theft cases suggest that many employees’ dishonest acts are being signed off due to overdependence on software security and management oversight.

Meanwhile, the contribution of management to preventing internal information theft remains challenging, with roles that are too vague and an inappropriate focus exclusively on technical software security. Over time, researchers and security experts may be able to discern more integrated and structured management approaches for effective information theft prevention in retail businesses. For example, one needs to ask whether more distributed internal security decision making across member management reduces the risk of information theft or not. It is hoped that security and crime prevention managers will apply the analyses and recommendations of this book to address the multifaceted challenges of internal information theft, not only in retail business, but across other business sectors.

Further Readings

Anti-Phishing Working Group (APWG). (2014). ‘Phishing activity trends report: Unifying the global response to cybercrime, 1st Quarter, 2014’. Available: http://docs.apwg.org/reports/apwg_trends_report_q1_2014.pdf, Accessed 10 June 2014.

Association of Certified Fraud Examiners (ACFE). (2014). ‘Report to the nations on occupational fraud and abuse: Global fraud study’. Available: http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf, Accessed 20 April 2014.

British Retail Consortium (BRC). (2013). ‘Retail crime survey’. Available: http://www.brc.org.uk/ePublications/BRC_Retail_Crime_Survey_2013/, Accessed 10 April 2014.

Cappelli, D.M., Moore, A.P., Shimeall, T.J. and Trzeciak, R.J. (2006). 'Common sense guide to prevention and detection of insider threats: Version 2.1'. Report of Carnegie Mellon University, CyLab, and the Internet Security Alliance, July 2006 (update of the April 2005 Version 1.0). Available: http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf.

CIFAS: The UK’s Fraud Prevention Service. (2013). ‘The true cost of insider fraud, centre for counter fraud studies’, pp. 1–11. Available: https://www.cifas.org.uk/secure/contentPORT/uploads/documents/External-CIFAS-The-True-Cost-of-Internal-Fraud.pdf, Accessed 4 January 2014.

Financial Fraud Action UK. (2014). ‘Fraud the facts 2014: The definitive overview of payment industry fraud and measures to prevent it’. Available: http://www.financialfraudaction.org.uk/download.asp?file=2796.

Haley, C. (2013). ‘A theory of cyber deterrence’. Georgetown Journal of International Affairs. Available: http://Journal.Georgetown.Edu/A-Theory-Of-Cyber-Deterrence-Christopher-Haley/, Accessed 23 April 2014.

Home Office. (2013). ‘Cybercrime: A review of the evidence-Summary of key findings and implications’. Home Office Research Report 75, pp. 4–20.

IdentityForce Report. (2014). ‘Identity theft protection with identity force’. Available: http://www.asecurelife.com/identity-force/, Accessed 12 July 2014.

Office for National Statistics (ONS). (2014). ‘Report for crime in England and Wales’. Available: http://www.ons.gov.uk/ons/rel/crime-stats/crime-statistics/period-ending-march-2014/index.html, Accessed 22 August 2014.

PricewaterhouseCoopers (PwC). (2014). 'Information Security Breaches Survey (ISBS) technical report'. Available: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/307296/bis-14-767-information-security-breaches-survey-2014-technical-report-revision1.pdf, Accessed 2 April 2014.

Verizon. (2014). ‘Data breach investigation report’. Available: rp_Verizon-DBIR-2014_en_xg%20.pdf, Accessed 3 May 2014.
