Banks in the US are being called on to do more to protect their information systems from the threat posed by insider cyber-attacks, following a detailed study of 23 such incidents by the US Secret Service and the Cert Co-ordination Centre at Carnegie Mellon University.
Researchers say the findings underscore the importance of organisations' technology, policies and procedures in securing their networks against insider threats, as most of the cases showcased in the report were perpetrated by insiders with minimal technical skills.
In 87% of the cases the insiders employed simple, legitimate user commands to carry out the attacks, and in 78% of the incidents, the insiders were authorised users with active computer accounts. Most were motivated by financial gain, with 30% of user organisations realising losses above $500,000.
The report states: "Management attention on financial performance, to the exclusion of good risk management practices, seems to be a recurrent theme in some of the cases in this study."
Reducing the risk of these attacks requires organisations to look beyond their information technology and security to their overall business processes, says the report authors.
The study confirms Gartner research, published in 2003, showing that insiders represent a significant and underappreciated class of threat agent. Gartner estimates that through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorised use of computers and networks.
The analyst group recommends that financial service providers conduct a confidential inventory of all individuals with the technical skills, means or motivation to damage the company's systems or misuse information.
Firms should then look to reduce or eliminate the threat from these parties, wherever possible, by taking steps such as changing passwords and access rights immediately when an insider's status changes - for example, when an employee leaves, relationships with auditors or suppliers change or consultants complete a project.