Government agencies around the globe are at risk from within. Just as in the private sector, more error and misuse occurs from internal employees and partners and suppliers than from anyone else. A recent study from Price Waterhouse Coopers indicates that the problem may be getting worse. According to the consultancy’s latest Global Economic Crime Survey, nearly half of organizations in the public sector have been hit by economic crime in the past 12 months. Cyber crime, employee and supplier fraud in particular are on the rise. The survey also found 46 per cent of respondents had experienced one or more incidents of such crime in the past year. That’s quite a jump from 37 percent in 2009 and considerably higher than the average of 34 per cent across all sectors.
Some of the other key findings from the survey are equally alarming:
• More than two-thirds of the crimes experienced in the past 12 months were committed by public sector employees, compared with just over half in 2009.
• Supplier fraud jumped from 13 per cent to 32 per cent over the same period.
• Over 50% of those surveyed said they had the resources to detect cyber crime, but most lack the forensic capabilities needed to investigate such incidents.
Source: 2011 Global Economic Crime Survey, PWC: http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf
Further, the study links this rise in activity to the cuts in public sector spending—a trend that is likely to continue and deepen if the current economic reality remains unchanged.
Government agencies are clearly struggling to address internal fraud. Their efforts are complicated by shifting compliance requirements, impaired visibility into user activity, legacy systems that house mission-critical processes, and the limited effectiveness of existing controls and traditional logging capabilities.

The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost.

And it was the work of insiders.

According to an article entitled “Healthcare Unable to Keep Up with Insider Threats” by Ericka Chickowski on the Dark Reading website, the three incidents are typical of “the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training.”.

These insider threats were and are potentially malicious and at the very least inept. In the case of the UDH, records were exposed due to the misconfiguration of a server containing the files. At Emory, human error accounted for the loss of a significant number of patient records when 10 backup disks went missing. In South Carolina, a DHHS employee (who has since been fired and arrested) sent thousands of Medicaid patient records to himself in an email.

The healthcare industry, by and large, “has been notoriously incapable of pinpointing risks in general, let alone those from insiders,” the article offers. Sourcing the problem is difficult because these security holes include loss or theft of portable devices such as laptops, smartphones, external drives and backup tapes; actual theft by data thieves; and simple staff ignorance in terms of security, protocol and training.

With solutions available today, those institutions could easily tell the difference between intentional and non-intentional privacy violations, achieve full regulatory compliance, and pass any audit with real-time user activity log files. As the “insider threat” continues to grow right along with the healthcare industry, major steps will need to be taken to stanch the flow of lost and misappropriated records that can and will lead to increased fraud and identity theft. The time to act is now.

To learn more about Attachmate’s Luminet enterprise fraud management software please visit http://www.attachmate.com/Products/efm/luminet/luminet.htm.

Recently, on the heels of the ISSA International Conference, noted authority Michael Angelo raised the question of ethics in security. It is a topic that comes up from time to time and never ceases to fascinate me. In his recent blog posting, Michael writes “Ethics is a particularly interesting topic as the security industry is always concerned about addressing issues in a constantly changing environment. It is easy to follow a set of ethics if the environment is consistent, however if the environment changes will those ethics still apply or do they need to evolve?”

Over the years, we’ve seen huge shifts in the issue of ethics and security. The spectrum of recent dialog ranges from securing end points and the interests of enterprise all the way to hacktivism. The core tenants of privacy, security and personal responsibility are all represented in the current debate. I was heartened to see the diversity of opinion expressed by our community. It shows that we are examining critical issues, considering the implications of choice and the why of new technologies rather than mindlessly favoring the technical possibilities

Michael concludes his article by stating, “In the 70’s corporate and professional ethics demanded secrecy around all aspects of security. The corporate and professional ethics from the 70’s have gradually evolved to enable us to disclose information and work together on solutions so that we can not only survive but we can innovate and surpass our individual boundaries. In the end it is important to remember that while our environments are evolving we must re-examine our ethics and see if they also need to evolve.” I, for one, whole heartedly agree.

Here are some other positions on the issues of ethics in security:

ISACA: Auditors Ethics for Continuous Monitoring and Continuous Auditing: http://www.isaca.org/Journal/Past-Issues/2008/Volume-3/Pages/Auditor-Ethics-for-Continuous-Auditing-and-Continuous-Monitoring1.aspx

SANS: The Legal System and Ethics in Information Security: http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54

Dell SecureWorks: Crossing the Line: Ethics for the Security

http://www.secureworks.com/research/articles/other articles/ethics/