LONDON (Reuters) - Dutch bank ABN-AMRO considered sending undercover security staff among employees to help improve cyber security but has decided not to follow this practice, officials said.
As the risk of cyber attacks increases, many banks are developing more sophisticated ways to prevent security lapses.
In particular, they want to understand the reasons for unintentional compliance failures, such as clicking on “phishing” emails that carry viruses or giving out confidential information by phone.
ABN-AMRO Chief Information Security Officer Martijn Dekker said in September he was looking at sending staff undercover to observe employees’ security practices.
“We’ve been looking at indeed maybe (if) we can have someone in a department, work there as an intern for say, two months, and to really see what type of culture is there,” Dekker told a conference.
Dekker and a spokeswoman for the bank said last week that they were not examining the option. Dekker did not say why he had dropped the possibility. The spokeswoman said it was not “seriously” considered.
But Dekker said they were looking at other ways to examine behavior.
For example, his team is increasingly hiring people with philosophy and music backgrounds. He said such people were better at spotting and understanding staff’s behavioral habits than the technical people he used to mostly hire.
The idea, Dekker said last week, was to use the observations his team gleans to redesign systems so that when employees are presented with a decision “the easy choice is the secure choice”.
There was a stark reminder of security risks this week when Tesco Plc’s banking arm said hackers stole 2.5 million pounds from 9,000 customers in what cyber experts said was the first theft by a mass hacking of accounts at a western bank.
“Sometimes a team leader will ask us to sit in on their team meeting and then people know about this, why this person is here, and sometimes it’s undercover but usually it’s quite open,” Dekker added on the sidelines of the conference.
ABN has offices all over the world. Ben Willmott, Head of Public Policy at the Chartered Institute of Personnel and Development, said covertly monitoring employees may be against the law in some countries, such as the United Kingdom.
However, Rob Zwanenberg, a lawyer with Smart Advocaten in Eindhoven, said it would be permitted in the Netherlands.
Three cyber security experts Reuters interviewed said they thought spying on staff would be unethical and an ineffective way to coax staff into changing their behavior.
“I haven’t heard of ‘undercover’ type engagements getting much traction, mostly because of the ...cultural effects of a ‘Big Brother’ type environment,” said Benjamin Caudill, Founder of Rhino Security Labs.
Reporting by Tom Bergin; editing by John Stonestreet