Most information in organizations is now created, managed, and stored electronically, which has caused an increase in the rate of computer-related criminal activity. There are four situations in which a computer device may be involved in a crime: when the computer is (1) the target of the crime, (2) the medium through which the crime is committed, (3) incidental to the commission of the crime, or (4) a combination of the previous three
Even law enforcement organizations are not immune to computer security issues, as evidenced by a recent breach within a U.S. Metropolitan Police Department . A civilian employee of the department, we will call her Martha, recently pled guilty to two counts of obtaining information from a protected computer for a fraudulent purpose. Martha used her position as a community service officer to access databases, including the National Crime Information Center (NCIC) computerized index, which contained the personally identifiable information (PII) of millions of individuals. Martha obtained PII on at least ten occasions between 2009 and 2014, then provided that information to a friend, whom we will call Sally. Sally used the PII to file fraudulent federal income tax returns and erroneously claim tax refunds. Once Sally received the refunds, she and Martha shared the proceeds. Sally pled guilty in a separate case, and was sentenced to twelve years in federal prison. Martha was recently sentenced to two years in prison and she must pay restitution of $166,026.
This breach event is an example of an employee using her authorized access to obtain protected data for personal use. This type of computer fraud can be difficult to detect because the employee accesses the protected information in the normal course of their job. One way to detect this type of misuse is to review logs of the employee’s computer activity. Some red flags to look for are: (1) is information accessed during a time the employee should not be working (i.e. before/after hours), (2) is information being printed, emailed, or saved to a flash drive (i.e. becoming portable), or (3) is information accessed excessively related to other employees in the same position?
Because most information in organizations is created, managed, and stored electronically, companies are more vulnerable to cyber-crime and may require a reevaluation of internal controls around electronic data. Security breaches can be very costly to an organization, not only in lost data but also to a company’s goodwill. In addition, securing data is not just a matter of taking measures within the IT system such as encryption. It also includes physical security, proper screening of potential employees, adequate training and supervision of current staff, and development of preventative, detective, and corrective measures. Security must be an organization wide priority, so it is vital that management is involved in every step of the process.
By Shyla A. Ingram, MSA