* The Consequences of Obstruction
Should we work with law enforcement when we encounter security breaches?
Michael Meline, MSIA, CISSP, CFE, CEH is a former United States Marine and a former Yuma County, Arizona Deputy Sheriff. In today’s column and the next, he presents an excellent case study centered on a credit union that he used in his master’s degree research at Norwich University. Everything that follows is entirely Mr Meline’s work with minor edits.
* * *
Some security experts think that law enforcement will leak the incident to the press and that the negative publicity will harm the organization. In the 2005 Computer Security Institute Annual Survey by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson, the authors point out that “The percentage of organizations reporting computer intrusions to law enforcement has continued its multi-year decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.”[p 2 in report / p 3 in PDF]
Figure 22 in the 2005 CSI report shows that the fear of negative publicity was mentioned by 43% of the 423 respondents. The other factors mentioned were as follows:
• Competitors will use the data for unfair competitive advantage (33%).
• Civil remedy seemed the best course of action (16%).
• Victimized organizations were unaware that law enforcement would be interested (16%).
My case study illustrates the importance of reporting crimes and working closely with law enforcement and it involved me personally when I was a law enforcement officer. To make the case more usable in teaching and for security awareness, the rest of the description will be in the third person.
The case began when an 80-year-old woman reported to a law enforcement officer (LEO) that an unknown person had taken more than $100,000 from her bank account. The victim stated that she had the money in her account one day, and the following day it was missing. She had not reported the missing money to the bank, just to the LEO.
The LEO went to the bank to investigate the case and was immediately met with resistance. The manager came in and stated that he would just refund the money and that an investigation would not be necessary. He stated that the bank could not stand the negative impact that the case would have on the bank’s reputation. The LEO demanded that the manager of the bank cooperate in the investigation and told the manager that the person responsible would be held accountable for the crimes. After considerable obstruction, the bank finally assisted the officer in the investigation.
As it turned out, the teller who had her workstation next to the controls for the entire camera system was the culprit. She had a friend who had worked for the victim and who had stolen checks from the woman. When this friend arrived at the bank, the teller turned off the cameras and cashed several checks as if the victim had come in herself, even writing the victim’s driver’s license number onto the checks. The two women who were responsible were both arrested.
When interviewed, the teller stated that she had done this countless times in the past and that the bank had simply refunded the money with no real investigation. She stated that the bank had no professionals in place to prevent such an occurrence. She also stated that employees frequently committed crimes because they knew they would not be caught. It was determined that the bank had taken a great many losses. When the bank’s Board of Supervisors found out about this pattern, the manager was fired.
In the second of this two-part series, Michael Meline concludes with a description of how he improved security at a Credit Union where he was hired as security manager.
Michael Meline, MSIA, CISSP, CFE, CEH is president of ArizonaFIRST Coalition, which is dedicated to enhancing “the ability of member institutions to respond and recover from incidents affecting the financial sector by fostering partnerships and collaboration between public sector agencies, public utilities, service providers, volunteer agencies and infrastructure providers.” The organization’s Web site has a number of valuable links for emergency preparedness on its home page. In addition, Meline serves as Steering Committee Chairman at the Community Justice Boards of the Greater Yuma Area and is a member of InfraGard. He welcomes your comments.
* * *
Join me online for three courses in October and November 2009 under the auspices of Security University. We will be meeting via conference call on Saturdays and Sundays for six hours each day and then for three hours in the evenings of Monday through Thursday. The courses are “Introduction to IA for Non-Technical Managers,” “Management of IA,” and “Cyberlaw for IA Professionals“. Each course will have the lectures and discussions recorded and available for download – and there will be a dedicated discussion group online for participants to discuss points and questions. See you online!




