This book sets out nine essential reference guides and principles that can be used by crime prevention practitioners, security managers, criminologists, HR personnel and researchers for effective prevention of internal information theft in retail businesses.
Chapter 1 provided an understanding of internal information theft in the context of retail business. Internal information theft has been identified, in most cases, as the deliberate stealing of business/customer information by employees who are trusted too readily and subject to few security and crime prevention controls.
Chapter 2 provided an analysis of the characteristics of perpetrators of internal information theft in retail businesses. It answered basic questions related to how and when internal information theft-related crimes are perpetrated, who perpetrates the crimes and why. Some of the answers to the question of when are: during retail business operations and during maintenance. As for the question of why information thefts are perpetrated, the common answers include financial gain and rationalisation. The methods of perpetration include use of legitimate system commands; exploitation of known or newly discovered design flaws in systems; collaboration; coercion; infiltration and social engineering. The perpetrators can be managers, employees or technicians. In summary, a perpetrator of internal information theft can be described as follows:
Impact of information theft
• Financial costs: huge budget allocation goes into job recruitment, training, data security, software security, investigation, court and information security auditing;
• Losses: loss of customers’ trust; job loss; damage to business name;
• Inestimable cost and loss: the actual records of approximate loss and cost may not be quantified.

Causes and motivations for internal information theft
• Financial gain: perpetrators use the stolen data for commercial or monetary gain, e.g., opening a bank account, applying for a loan/credit card, obtaining goods or accessing facilities or services;
• Cost of data security: human weaknesses in relation to the conflicting operational demands being placed upon employees;
• Socio-economic issues: family issues and cultural backgrounds; lifestyle; personal issues such as vicissitudes;
• Vulnerability of data security: leakages, loss of gadgets, misplaced or forgotten access paths and complexity of security operation;
• Availability of customer data because of business operations and processes using cards.

Methods of information theft
• Stealing with paper, pen, wallet, recording, typing and copying;
• Redirecting customers’ orders to a different address; selling the data on the black market;
• Organised crime: collusion, collaboration and infiltration, computer means, hacking;
• Researching customers’ personal information; buying customer data from employees with unrestricted access.
Chapter 3 explains the operations of retail business and the implications for internal information theft prevention. This chapter has provided knowledge of the roles management plays as people in the prevention of internal information theft and discussed how people, process and technology can be integrated to implement effective internal information security. A more technologically advanced retail company with better information processing guided by effective security management is more capable of preventing internal information theft than one without.
The integrated security and governance systems in smaller retail companies are generally weak. Indeed, the governance of some companies remains problematic, with a lack of management attention and an inappropriate focus on critical security issues. Some company data protection policies set requirements for employees to comply with, but there is rarely substantial evidence that this is happening, or that the policies are being implemented effectively and monitored by security managements. Overall, such companies depend on technology-based software security and neglect the security capability of integrated security management oriented around people, process and technology.
Chapter 4 explored the available information theft prevention frameworks and their practical implementation issues. Most of the frameworks attribute their failure to the lack of clear roles and responsibilities given to security managers and administrators. The generic frameworks and practices for prevention of internal information theft were not appropriate, although some (e.g., integrated security management and information security audit) have improved significantly over recent years. The view of this chapter is that there is a need to design a comprehensive framework that incorporates process, people and technology, and that the independent use of software technology in preventing internal information theft is not enough. Overall, the view of this chapter is that checks and security controls in retail in relation to the prevention of information theft are still weak and need to be improved. The weaknesses in the system are at several levels:
Chapter 5 reflects on information security challenges in preventing internal information theft. This chapter explores the challenging issue of whether online retail companies have the capacity or skills required to fulfil their roles in preventing internal information theft. Among the challenging issues identified is that neither the retail companies nor the regulatory bodies (e.g., police, information/data protection regulators) are ‘fit enough’ with respect to guarding against information theft. The ability of retail companies to control intangible perpetration mechanisms (e.g., infiltration and social engineering) that do not involve ‘much money’ seems almost non-existent. Hopes that the law enforcement agencies (e.g., police) would address these issues are low. These are certainly the most challenging issues that will need to be addressed in relation to the new approach. Retail management should broaden its security capability and priorities by aligning its roles with emerging challenges and implementing collaborative management. This effort, if implemented effectively, would counter the broader sense that retail company security system management lacks clarity of roles and is overly disjointed, from complementary managements to law enforcement agencies.
Chapter 6 explains the concept of collaborative internal information theft prevention and how this concept can be applied in retail businesses. Although the benefits and impact of integrated management overall remain contested, there is substantial evidence that collaborative security practices can work in addressing information theft prevention challenges.
The integration of people, process and technology has been shown to improve systems security where the independent use of technology-based software security has not proved effective. Retail companies need to intervene and adopt this new approach to secure their proprietary information. Security managers should take a bold step in adapting to the advancement of internal information theft schemes and develop a robust system over time: they should not invest solely in IT security, which might put other projects at risk given the cost of advancing IT security.
Nevertheless, company policies demand that managers must be able to account for every area of business investment being balanced as intended. At present, it seems that the interpretation of what this means in practice is largely left to the retail companies’ boards and IT security managers to decide. Most worryingly, it seems that some essential prevention practices (e.g., security risk assessment, contingency plans and crime investigation) are being signed off within existing retail company policies to save the cost of continuing IT security maintenance. The recommendations of this chapter include the key elements of a role-based model for preventing information theft:
Chapter 7 provided knowledge of the application of collaborative security management in selected UK retail companies. This chapter presents the results of a cross-case analysis of selected UK retail companies, to show the benefits of collaborative management in the use of an information security audit (ISA). It is important that management review the current services that permit access to proprietary resources (e.g., servers, web applications, customer details), both those within their own business operations and those contracted to partners and outsourcing agencies. This should include a detailed analysis of whether existing security risks are indeed analysed and, if not, how the services and/or contracts could be policed in practice.
Management should consider whether further steps are required to strengthen the regulations for data protection and security governance with partners. For example, we understand why outsourced retail companies often have to rely heavily on external security auditors, but we believe it should be possible for external and internal security auditors to work together. Ideally, no outsourced company would bear the cost of auditors alone, but they should be encouraged to appoint part-time auditors to ensure sound security and share responsibilities with outsourcing bodies. The view of this chapter is that any such services and maintenance are potential security risks, offering opportunities for employees and outsiders to collude, and should be monitored.
Collaborative information security audits involving cross-functional management can improve security and help to assess whether there are gaps in role alignment when analysing crime incidents.
Chapter 8 looks beyond practical implementation of security tools in prevention of internal information theft. It explores the application of crime prevention theories to internal information theft. The management should incorporate knowledge of other crime prevention frameworks across disciplines to tackle the complex and multifaceted nature of internal information theft. Because information theft is mostly motivated by socio-economic issues, the services of psychologists and criminologists, for instance, should be sought occasionally to contribute to employee well-being.
Chapter 9 advises on the recommended security practices garnered from renowned IS security consulting firms and research experts. Information security strategies are practices that ensure that employees do not steal or leak sensitive/critical retail business information. The strategies include software products that can help security professionals control what information employees can process during retail operations. Managements should implement the key technical security and monitoring processes, which include:
The recommendations are meant to direct IT security and crime prevention managements to lessons drawn from information theft case analysis and strategic data security practices. Thus, the recommendations are focused on the more specific issue of how to prevent and minimise occurrences of internal information theft:
The socio-economic and security impacts of internal information theft overall remain high. However, there is a strong argument that security and crime prevention managements are working hard to address the impact on retail companies that face real challenges and where IT security has not proved effective. It seems strategic that IT security and crime prevention management need the cooperation of other management bodies to intervene and make decisions in the interest of customers and to secure online transactions. Equally, there is a universal recognition that information theft is not restricted to ‘within’ the retail environment: there are numerous examples of internal information theft cases that involved external parties (e.g., outsourcing agents, contractors and criminal gangs via collaboration, social engineering, coercion and collusion). Any consideration of ways to prevent internal information theft in retail companies should aim for an appropriate integration between software security and human-oriented security. This integration would allow responsibility to be devolved to every member of management, without inadvertently preventing managers from fulfilling their roles in preventing information theft or from being incentivised to do so.
Nevertheless, the PCI DSS and existing legislation/regulations state that retail companies must be able to ensure that payment card data is kept safe both during and after transactions.
At present, it seems that the interpretation of what this means in practice is largely left to individual retail companies and their managements to decide. The frameworks and systems for guiding and regulating how they do that are being challenged more than they were a few years ago; moreover, the general sense from both the literature and the evidence collected for this study is that the checks and balances are still weak. This is partly because the capacity and skills of IT security and crime prevention management are insufficient to deal with the sheer number of internal information theft incidents in retail companies.
In addition, the analyses of internal information theft cases suggest that many employees’ dishonest acts are being signed off because of overdependence on software security and a lack of management oversight.
Meanwhile, the contribution of managements to preventing internal information theft remains challenging, with roles that are too vague and an inappropriate focus on exclusively technical software security. Over time, researchers and security experts may be able to discern more integrated and structured management approaches for effective information theft prevention in retail businesses. For example, there is a need to ask whether more distributed internal security decision-making across management members reduces the risk of information theft or not. Hope is high that security and crime prevention managers will apply the analyses and recommendations of this book to address the multifaceted challenges of internal information theft, not only in retail business, but across other business sectors.