Hi-Tech Security Solutions

The enemy within
March 2011, Access Control, Identity Management

Whether it is people making unauthorised payments or fraudulently changing identity data, insider crime is on the increase and the use of passwords is helping it grow.

James Redelinghuys of SuperVision Biometric Systems speaks of real cases where employees used fake password credentials to make several payments to bogus companies. “In a particular case, the person was making regular payments that fell just beneath the limit of his authorisation. And, incredibly, it had been happening for several years amounting to millions off the bottom line,” says Redelinghuys.

In a similar vein, it was reported in March this year that three officials in the marine and coastal management branch of the Department of Environmental Affairs had been suspended for alleged fraud. They were allegedly diverting into a private account donor funds from the Marine Fisheries Co-operation programme between Norway and SA.

The insider danger

The 2009 PwC Global Economic Crime Survey, www.pwc.com/za/gecs, shows that most workplace crime is now committed by insiders. Redelinghuys supports the provision of this type of information because he believes that organisations need to be far more proactive about controlling internal access to their IT systems: “External threats such as hacking receive a great deal more attention because they are not seen as the organisation damaging itself.

“We protect ourselves from the villains outside with firewalls and shields and are skilled at managing physical access. But we are nowhere nearly so diligent when it comes to controlling and monitoring what goes on inside our offices.”

However, it seems that the biggest threat is not external; it is increasingly coming from within. The IT-related crime happening inside organisations is the elephant in the room. Moreover, we ignore it at our peril – particularly during times of severe economic downturn and slow recovery.

Not without reason, the PwC survey is focused on economic crime in a downturn and more than three-quarters of SA respondents believe that threats are rising due to the current economic situation.

According to Louis Strydom, leader of PwC’s forensics practice in South Africa, “The global economic downturn has heightened the pressures and incentives to commit fraud. Economic crime is pervasive, persistent and pernicious. No organisation or industry is immune from the threat of fraud”.

Redelinghuys sees the insider threat via IT systems as taking three main forms:

Facing facts

The PwC survey found that 62% of economic crime against SA businesses was committed by employees. Worldwide, the insider figure was 53%. With results from 3037 companies in 55 countries, the survey shows that 60% of South African respondents had been affected in the last 12 months and 29% believe they will be hit in the future.

Ernst & Young’s 2009 Global Information Security Study surveyed some 1900 companies across 60 countries. The study reports that “it has long been generally accepted that authorised users and employees pose the greatest security threat to an organisation and that raising and maintaining the awareness level of those people is a crucial part of an effective information security strategy.”

More than 75% of the organisations expressed concern that disgruntled employees could sabotage their employers’ systems. Despite this potential data vandalism, only a quarter of organisations were taking steps to improve security around their physical and logical assets.

Yvette du Toit, senior manager of Risk Advisory Services at Ernst & Young South Africa, points out that while this country was spared the worst effects of the global recession, there is no doubt that the slowdown has cost jobs. “The premise of the likelihood of disgruntled ex-employees therefore holds; it is a risk which applies to companies in this country as much as it does to international organisations,” she says.

Passwords: the root of all evil?

Controlling system access and managing passwords is a big headache for IT departments. It is frustrating, time-consuming and costly. According to Secude, a secure sign-on provider for IT-giant SAP, studies show that we spend an average of seven minutes to search for or remember mislaid passwords. Gartner estimates that about a third of helpdesk calls are password-related and research firm, Forrester, reckons each of these helpdesk calls costs about $70.

Aside from the ongoing administrative problems and costs, we all know that passwords actively encourage us to simplify sign-ons. We write passwords on sticky-notes, share them, pop them into our phones and even keep them on spreadsheets. Driven by the need for speed and convenience, this happens every day in offices all over the world.

Passwords also leave the door wide open for insider crime and the increasing damage it is causing. The 2009 ‘Common Sense Guide to Prevention and Detection of Insider Threats’ provides a detailed assessment of insider crime based on 118 incidents. Produced under the auspices of the Computer Emergency Readiness Team (CERT) at the US Department of Homeland Security, the study found that passwords were a commonly used tool: 85% of insiders used their own passwords to commit crimes for immediate financial gain – as opposed to acts of data vandalism or data theft for longer-term business advantage.

Redelinghuys suggests that the use of passwords by insiders can be divided into the following main categories:

IT-based insider crime is bad for the bottom line. Insiders steal data and sell it to others. They modify data to enrich themselves, their families and friends. They are often bribed by outsiders to modify data and frequently they vandalise or publish sensitive data because of a grudge against the organisation. Redelinghuys highlights some of the common dangers as follows:

* Fraudulent payments: to bogus suppliers, through payroll and by diverting bona fide EFTs.

* Modifying data such as credit records, licences, identity documents.

* Theft of customer data and pricing structures.

* Theft of strategic information: mergers; acquisitions; cutbacks; alliances; product development.

* Property theft via fraudulent invoices, delivery notes / addresses.

* Sabotage: data vandalism and the ensuing costs of IT downtime, recovery and restoration.

Building identity chains

To end IT-based fraud around ID documents, Home Affairs is introducing this sort of biometric-based security. Earlier this year, the department said that it was tackling internal corruption and that biometric sign-on is being implemented.

Minister Nkosazana Dlamini-Zuma said that, “We want to identify who was involved at every step of the process – a definite paper trail, so if there is an allegation of corruption, then we can deal with it.”

With absolute certainty, biometric sign-on links the user to their transaction. It builds an identity chain that provides a powerful monitoring and audit trail, linking who did what, where and when. At the same time, it also creates a compelling deterrent to insiders.

Redelinghuys says that, “Biometrics in SA are tried, tested and proven – we have worked with them for over 10 years and fingerprint readers now manage physical workplace access for some 2 million SA employees on a daily basis. We see biometric sign-on as being the next big step forward within solutions that manage information security. Quite simply, biometrics makes passwords and all the damage they cause a thing of the past.”

Playing pass-the-password

* 85% of insiders used their own passwords to commit crimes for financial gain. Common Sense Guide to Preventing Insider Threats CERT: 2009. Carnegie Mellon University.

* One in three workers jot down their computer password, undermining their security. Nucleus Research and KnowledgeStorm.

* 61% of business managers share their passwords, compared to only 4% of IT managers. Ponemon Institute/ArcSight.

For more information contact SuperVision Biometric Systems, +27 (0)21 913 6075, www.supervision.co.za


Copyright © Technews Publishing (Pty) Ltd. All rights reserved.