The accidental insider threat, a spike in friendly fraud, and the post-pandemic side security industry. These stories and more in this week's Eyes on Security Report. Hello, I'm Nick Holland. The trifecta of a remote workforce, financial insecurity, and the COVID-19 pandemic is a perfect storm for insider threats to escalate.
What may have been highly trustworthy employees may be pushed to the brink of intentionally damaging acts such as exfiltration of confidential data, intellectual property theft, and fraud. However, a high degree of insider threat is a result of plain old-fashioned human error, and it's a golden age for business email compromise, spearfishing, and a whole host of other social engineering attacks. This week, Eyes on Security's SVP of Editorials, Tom Field, had the chance to interview Randy Trezak, the insider threat research team technical lead in the Software Engineering Institute at Carnegie Mellon's University's CERT. If you've ever been to an Eyes on Security Summit, there's a good chance you've had the opportunity to experience Randy's encyclopedic knowledge on the insider threat, and in this excerpt of the interview, Randy gives his advice on the perils of the accidental threat of the work from home in UB.
Here he is. The vast majority of your employees will not go on to maliciously cause harm against your organization. When you build that insider risk program, you want to avoid the perception of distrusting everybody. Building a program where we're trying to catch people doing something, so the vast majority of organizations will not be impacted by malicious insider incidents.
Therefore, focusing on the accidental, the non-religious is equally important, because when an organization, there really isn't in step one or two an incident response, the motivations, considerations, it's recovering from insider causing harm, so the accidental insider, someone who, as you described, gets that email that appears to be from the organization that they click on, for example, your next year's benefit package, or maybe the new virtual private network policy that appears to be coming from the IT department that entices someone to click on that link that could cause an external adversary to get into the organization's boundaries, the critical protections that you're trying to implement for security purposes. And also think about the stress as well, the stress of the employees, of the financial situations. Maybe again, they're trying to balance the work that they're doing from home, but also the home life as well, the people that have children at home now that they're basically caring for as well. Think about elderly parents that people are trying to accommodate as well.
Think about the life stresses that could be influencing as someone's working from home, their ability to fully focus on what the mission of the organization is. So it's now even more important that we have that defense-in-depth strategy in place. Ways by which that if someone does click on that phishing email, there's a secondary defense control that would not allow that executable to run that would install something on a computer that the employee is using. And also think about employees trying to do their job.
Most of them have best intent. What if they connect that external USB device? What if they're using their own personal laptop to connect to the organization as well? Maybe the same security controls aren't in place as well.
So it's a contingent upon the IT part of the organization to implement the defense in depth that could prevent, hopefully, the accidental, non-religious insight from causing fun as well. You're listening to the ISMG Security Report on ISMG Radio, ISMG, your number one source for information security news. The COVID-19 pandemic continues to transform the way we are living our lives and in no area is this more apparent than our weekly shopping habits. We're buying more online and with high average ticket prices according to new research from ACI Worldwide that compares transaction data from March 2020 to March 2019.
What this has meant is also an increase in payment fraud with increased chargebacks of credit and debit transactions and a noticeable rise in what is known as friendly fraud. Most work with Herrick Edetrick, ACI Worldwide's Data Lead, about the research findings and asked her to explain the friendly fraud stats. Here she is. Right.
Yeah. So we do obtain a number of fraudulent different data sources. One of that is issue alert which comes typically anywhere from a couple hours to three days after the transaction is authorized or settled or charged back then on average to take about 30 days across us. We also have access to underground internet really chat channels or individuals are selling personal goods credit cards and things of that nature.
So those are some of our data sources. And what those data sources have told us is that fraud is not going anywhere, fraud is pretty steady in comparison to 2019 to 2020. Like I said, the average ticket price has increased slightly but what we've seen is a slight increase in friendly fraud chargebacks and what a friendly fraud chargeback is where the consumer is making a fraudulent chargeback thing most often. I did not say this purchase and we're seeing it on some accounts that have had long standing purchasing history.
They're on the same device. They're on the same account. There's no changes to those accounts. A number of these have been at airlines, hotels as well as concerts that were going on around March timeframe and we believe this has been a result of COVID-19.
Now it could be that maybe a device was taken over, sure, but the number and the rate of which we saw the slightly increased above 2019 already is telling us that we are seeing a slight increase in friendly fraud chargebacks. And finally, it may seem like ever moving gold posts in terms of the returns of business as usual but this will eventually happen. The question being what will the cybersecurity industry look like on the other side? Tom Fields spoke with Hank Thomas of strategic cyber ventures on how our industry is poised to emerge from this crisis.
He's Hank's perspective. Well, today I see a lot of people are kind of taking a wait and see approach just how long this is going to last, but I think this is going to be a very resilient sector after the crisis. I think we're going to, if the crisis were to last through the summer, I think you would see cybersecurity come back very quickly in areas where maybe it's taken a hit already, but I think most people take the broader security sector outside of cyber. Most people view, take a step back and look at this.
This was maybe just, this might sound a little terrible, but this was maybe just a really good dress rehearsal for what the actual big one could look like. Right now, COVID-19 can't swim more than eight feet, and that's if it's got a push to get there, whereas there are other threats out there that can do that, and particularly in cyber where you have threat actors that can swim a lot further than eight feet or six feet or whatever, they could theoretically cause a lot more destruction than what we've seen via this pandemic as bad as it's been. I think we're going to see a better mix of products and services coming out of this right now. There's still very much this.
There's a product side of the house and there's a services side of the house. It's already kind of what's happening with MSSPs and other managed security providers where they're taking a human-centric approach and combining with best and pretty technology for people that sort of want to outsource a lot of these things. I think you're going to have people sort of re-look how they wrap services around products because it's clear that in this day and age, especially if you're in a remote-type environment like this, you're going to quickly need to rely on a security workforce that's somewhere else, which are also going to have to rely on deploying and maintaining the products in your security stack, and those two have to be better combined and attached to each other. That's it for this week's Ice and Security Report.
Thing music is by Ethicalio. I'm Nick Collins. Catch you next time.