In today’s digital age, the banking sector is constantly under the spotlight, facing various cyberattacks and breaches. While the media often highlights the dangers of external cyber-attacks, there’s an equally, if not more, menacing threat lurking in the shadows: insider threats.
For mid-sized banks, which often find themselves in the unique position of having to balance resource constraints with the need for robust security measures, the challenge is even more pronounced.
Let’s dive deep into understanding, identifying, and mitigating these threats while providing actionable insights and strategies for mid-sized bank CISOs to fortify their defenses.
Understanding the Insider Threat
Insider threats, whether intentional or unintentional, originate from individuals within the organization.
This includes current employees, former employees, contractors, business associates, or anyone with authorized access. With a deep understanding of the organization’s security practices, business strategies, and data, these insiders can pose significant risks.
A 2020 study by the Ponemon Institute highlighted the gravity of the situation, revealing that the average cost of insider-related incidents stood at a staggering $11.45 million, marking a 31% increase from just two years prior.
Such statistics underscore the financial and reputational implications of not addressing these threats head-on.
Types of Insider Threats in Mid-Sized Banks
While the term “insider threat” might seem singular, it encompasses a range of potential risks. Understanding these nuances is the first step towards crafting an effective defense strategy.
1. Fraud/Corruption/Organized Crime: Bank insiders, with their privileged access, can manipulate accounts, leading to significant financial losses. The 2016 Wells Fargo scandal serves as a stark reminder of the potential fallout, where employees created millions of unauthorized accounts, tarnishing the bank’s reputation.
2. Espionage: The banking sector, with its wealth of data, is a prime target for corporate espionage. An example could be an employee might be working for a competitor or a foreign entity and can gather intelligence or business secrets. The 2018 case of a major bank’s employee selling customer data to a competitor underscores the real threat of corporate espionage.
3. Sabotage: Disgruntled employees can damage the bank’s data, infrastructure, or reputation. The 2013 incident involving a UK-based bank’s IT worker who deleted crucial data, causing a massive service outage, is a testament to the potential damage insiders can inflict.
4. Data Theft: Bank employees have access to critical financial data, personal data, and intellectual property. They can exploit this access for personal gain, either by stealing the data for themselves or by selling it to third parties. The 2017 Equifax breach, which exposed the data of 147 million people, was traced back to a single employee’s negligence, highlighting the vulnerabilities even large institutions face.
5. Unintentional Threats: Often overlooked, these occur due to negligence, such as failing to follow security protocols or accidentally disclosing sensitive information. These threats can also be the result from simple human errors. A 2019 report indicated that nearly a quarter of breaches were attributed to such mistakes.
Reasons Behind the Rise of Insider Threats
The rise in insider threats isn’t coincidental. Several factors contribute to this uptrend, and understanding them can help banks devise effective countermeasures.
- Complex IT infrastructure: As mid-sized banks embrace digital transformation, they become dependent on complex systems, which, when not understood well by employees, can lead to accidental or intentional breaches.
- Increased reliance on third-party vendors: The interconnected nature of today’s business world means banks often rely on third-party vendors. However, this interconnectedness can be a double-edged sword. The 2013 Target breach, which affected 41 million customers, was traced back to an HVAC vendor, emphasizing the risks associated with third-party relationships. External partners might not have the same stringent security protocols increasing vulnerability. Additionally, a weak third party vendor management system can miss vendor security compliance gaps and lead to unforeseen consequences.
- Lack of employee training: Many banks fail to regularly train their employees on the evolving nature of cyber threats. Most employees adopt a casual outlook towards cyber security over the years and fall victim to social engineering and scams. A 2021 survey revealed that a significant portion of employees were unsure about their organization’s security protocols.
- Economic motivations: Economic downturns or personal financial crises can be a major driver for employees to misuse their insider position. The 2008 economic downturn, for instance, saw a noticeable spike in insider fraud cases.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
A Three-Pronged Approach to Mitigating Insider Threats
At BluOcean, we look at mitigation through three dimensions – securing your business critical assets through personnel, policies and process, and technology controls, ensuring that insider threats are addressed to the maximum potential of an organization’s capability.
Identifying the assets critical to business operations or High Value Assets (HVA) is the first step on the journey to mitigating insider threats. Evaluating the risk for each critical asset and understanding the business impact of an insider threat materializing gives banks quantifiable guidance about the level of controls, processes, and technology that is required to secure assets.
1. Process / Policy / Plans
Regular Audits: Periodic and random security audits of transactions and system accesses can help in identifying potential weak points in the system.
Whistleblower Policies: Encourage employees to report suspicious activities without the fear of retaliation.
Incident Response Plans: Even with the best precautions, breaches can occur. An effective incident response plan and trained incident response team can minimize the damage.
Collaboration through intelligence sharing: Banks should collaborate with other banks, external organizations, industry groups, and government agencies through trusted channels and share information about threats, best practices, and the latest tactics and techniques used by malicious insiders.
Risk Assessments and Process Risk Assessments: Regular enterprise risk assessments and process risk assessments of critical business processes ensure that organizations KNOW what they need to protect the most to keep their business operations running and growing.
User Behavior Analytics Tools (UBA): Most insider attacks often fly below the radar of conventional cybersecurity solutions such as firewalls, intrusion detection systems and antimalware software. Banks today can utilize UBA tools to monitor typical user behavior and ensure minimum false positives.
UBA tools work by creating a baseline of normal behavior for each individual user and device, as well as for job function and job title. These systems collate user activity information from access, authentication, account change, endpoint and virtual private network (VPN) logs and use this data to assign risk scores to user behavior tied to specific events. With this baseline, anomalies can be flagged and investigated. UBA tools can detect unusual patterns and anomalies (for example, attempts to circumvent security, regularly working off-hours) which might indicate malicious activities.
Another popular method uses cyber deception solutions that establish honeypots to draw in malicious insiders, track their actions and understand their intentions. This information is then fed into other enterprise security solutions to identify or prevent current or future attacks.
Access Management: Implement strict access controls ensuring employees only have access to information necessary for their roles. Require multiple forms of identification before allowing access to sensitive systems or data. Certain critical functions, like transferring large sums of money, should require authorization from two or more individuals (dual-control).
Role-based Access Control (RBAC) should be implemented based on job responsibilities and employees should be given access only to the information necessary for their specific roles. Periodically shifting job roles, especially in sensitive areas, can prevent long-term undetected insider threats.
Regular Training: Employees need to be educated on the importance of cybersecurity, how to recognize and report potential threats, and the consequences of insider attacks. Promoting a security-aware cultural change is key to ensuring your first line of defense i.e. your employees are in line with organization’s security expectations.
Regular Background Checks: Especially for those in sensitive positions, regularly updating background checks to identify potential risks.
Exit Strategy: Ensuring that when employees leave, whether they resign or are terminated, they no longer have access to any bank systems or data.
Smart Collaboration: Cross-functional teams should be established that include representatives from IT, HR, legal, and security departments. Collaborating closely with these departments when investigating and addressing insider threats, involving both technology and human expertise, organizations can enhance their ability to detect and respond to insider threats .
The banking sector, with its vast repositories of sensitive data, will always be a prime target for both external and internal threats. While external threats often make the headlines, it’s the silent, insidious nature of insider threats that can prove even more damaging.
However, with a proactive approach, with right mix of technology, policies, training, and culture, banks can significantly reduce the risks posed by insider threats and ensure the security and trust of their customers.
Written by: Priti Patil & Katie Reilly