Insider at Cal Water steals $9M and runs

22.05.2009

It is also unusual for an auditor to have access to a funds transfer system in the manner that Abdi appears to have, Cleary said. According to the court documents, Abdi used two different password-protected computers, located in two separate buildings, to initiate and confirm the money transfers. It is unclear from the court documents whether Abdi stole the passwords to the computers or had some kind of legitimate access to the systems.

However, a well-implemented access control system would have allowed the utility to grant access to applications based only on need, and it would have been able to monitor, track and log that usage, Cleary said. "The business risk from insider access that is inappropriate or misused is very real and can create serious operation impacts," Cleary said. "This problem is very pervasive within organizations as they don't have the visibility and control over user access."

One big challenge companies face with insider threats is achieving the right balance of controls, said John Pescatore, an analyst with Gartner Inc. "Any security approach that falsely blocks legitimate user action will quickly be turned off," Pescatore said. "If insider actions are legitimate 99.9% of the time and some insider threat detection system is 90% accurate, then for every 10,000 user actions there will be 10 malicious activities but there will be 1,000 alarms," out of which 991 are false alarms, he said.

From a business perspective, such a security control "is often worse than the problem," Pescatore said.

Cal Water spokeswoman Shannon Dean said the utility couldn't discuss the case in detail because of the ongoing investigation. But she said it is because the company had the appropriate financial controls in place that the fraud was detected and the wire transfers intercepted before any funds were lost.