In the current environment, with so many bank employees still working remotely and many disgruntled over being short-staffed or fearing job loss, it is little surprise that insider threats to financial service institutions’ security have crept upward in the past two years.
Since the beginning of the pandemic, the combined stresses of working from home, helping government agencies administer the CARES Act and the Paycheck Protection Program, and being forced to handle the workload of an unprecedented jump in mortgage deals due to low interest rates have caused many a bank employee to be more careless and open to compromise. Worse yet, this environment has encouraged more staffers to engage in malicious activity. Even a year ago, the pandemic’s toll on bank workers’ mental health was raising the alarm of greater insider threats, according to S&P Global Market Intelligence.
Across sectors, insider threats have risen in the past couple of years. Seven out of 10 organizations in general report insider attacks becoming more frequent, according to a report by Cybersecurity Insiders. While the 2021 Verizon Data Breach Investigations Report (DBIR) highlighted that external threat actors still outpace internal ones, insiders now account for 39% of data breaches, said Michael Welch, managing director, MorganFranklin Consulting. “And it is essential to understand that no industry is immune.”
Patrick Sweeney, CEO and president for Area 1 Security, pointed out that while active incursions that involved employees working on the inside may be easier to spot, “it is the 'passive' actions that open the door to massive problems. And these 'passive' actions are difficult to predict, identify, or to prosecute.” He compared these so-called “passive” threat incidents to an employee leaving a secure door open in the physical world, and said they can include employees choosing to ignore security measures and processes, creating a vector for attack.
“Most critically, the most common vector for cybersecurity attacks is email,” Sweeney said, adding that 95% of insider attacks still start with phishing. “Employees start to click on solicitous or risky emails and in so doing, open the gates for credential theft, ransomware, and business email compromise fraud.”
As the line between work and home becomes more blurred, it is easy to see how more employees might receive personal email or click on questionable links, even from their work account.
Protecting against insider threats requires solutions that differentiate between legitimate use and malicious intent, according to Welch. “This need is even more important with a remote workforce,” he added. “Working from home provides a greater opportunity for an insider to extract information [and makes it] difficult for security teams to identify and investigate issues from afar.”
But weeding out remote insider risk, never mind differentiating malicious from negligent, is easier said than done, especially with a hodge-podge of hybrid work environments.
Andrew Howard, CEO for Kudelski Security, said that insider threats are notoriously difficult to detect, as the insider “typically has immense knowledge of the systems and security precautions in place. Additionally, the most reliable techniques to find insiders — intense monitoring of computer usage — often requires significant invasions of privacy.”
While the task at hand is becoming increasingly difficult, experts said there are steps FSIs and their providers can take to home in on potential inside threats. In his experience, Howard said that the most “tell-tale sign ... is unusual work activity, such as regularly accessing files not necessary to complete their job, coupled with a motivation driven by severe disagreement with company policies or activities. Unfortunately, this can be difficult to detect.”
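One way to turn the “accessing files not necessary to complete their job” signal into a concrete check is a role-scope comparison over file-access logs: each role is mapped to the share paths it is expected to touch, and a user who reads outside that scope on several distinct days is surfaced for review. The Python below is an added example, not code from the article or from any of the quoted firms; the log lines, the role-to-path mapping, the user list and the `min_days` threshold are all constructed for illustration, and a real deployment would derive the baseline from the institution’s own access data.

```python
# Added example (not from the article): flag users who repeatedly read files
# outside the path scope expected for their role. All sample data below is
# constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed access log: ISO timestamp, user, action, path (one event per line).
SAMPLE_LOG = """\
2021-09-01T09:02:11 alice READ /shares/loan-ops/app-2231.pdf
2021-09-01T09:15:40 alice READ /shares/loan-ops/app-2232.pdf
2021-09-01T10:01:05 bob READ /shares/hr/payroll-2021.xlsx
2021-09-01T10:08:19 bob READ /shares/hr/benefits.docx
2021-09-01T11:30:00 alice READ /shares/hr/payroll-2021.xlsx
2021-09-02T08:45:12 alice READ /shares/hr/salaries.xlsx
2021-09-03T14:20:31 alice READ /shares/exec/board-minutes.docx
2021-09-03T15:00:00 bob READ /shares/loan-ops/app-2240.pdf
"""

# Constructed role baseline: path prefixes each role is expected to access.
ROLE_SCOPE = {
    "loan_officer": ("/shares/loan-ops/",),
    "hr_analyst": ("/shares/hr/",),
}

# Constructed user-to-role mapping (in practice this comes from HR / IAM data).
USER_ROLE = {"alice": "loan_officer", "bob": "hr_analyst"}


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def is_out_of_scope(user, path):
    """True when the path is outside the prefixes allowed for the user's role.

    A user with no known role is treated as out of scope for everything
    (fail closed), so unmapped accounts are surfaced rather than ignored.
    """
    allowed = ROLE_SCOPE.get(USER_ROLE.get(user), ())
    return not path.startswith(allowed)


def flag_users(events, min_days=2):
    """Return {user: {"days": n, "paths": [...]}} for users whose out-of-scope
    reads occurred on at least `min_days` distinct calendar days.

    Counting distinct days rather than raw hits approximates the "regularly"
    in the quoted tell-tale sign: one stray click is noise, a pattern is not.
    """
    days = defaultdict(set)
    paths = defaultdict(list)
    for ts, user, action, path in events:
        if action != "READ":
            continue
        if is_out_of_scope(user, path):
            days[user].add(ts.date())
            paths[user].append(path)
    return {
        user: {"days": len(days[user]), "paths": paths[user]}
        for user in days
        if len(days[user]) >= min_days
    }


if __name__ == "__main__":
    for user, finding in flag_users(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: out-of-scope reads on {finding['days']} days -> {finding['paths']}")
```

On the constructed data, `alice` (a loan officer) reads HR and executive files on three separate days and is flagged, while `bob`’s single loan-ops read stays below the threshold. The distinct-day threshold and the role scopes are the tuning knobs; tightening them too far turns the check into the kind of blanket monitoring Howard describes as a privacy concern, so the scope map should be as narrow as the job genuinely requires and the findings should feed a review process rather than an automatic action.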
According to ObserveIT, more than half (55%) of enterprises report that their greatest internal risk comes from privileged users — usually from those users accidentally revealing administrative data or high-level access. Hence, Sweeney suggested a good place to start in limiting insider intrusion is “applying zero trust at the point where your own infrastructure and control begins: email. This extends to employees, as well as everyone you interact with — also known as your organization’s social graph.”
“Think of each interaction as a microsegment in the zero-trust world that must be authenticated,” Sweeney said. “There should be no implied trust between employees or partners, since anyone could be compromised, at any time.”
Also, never underestimate the capacity for even the most trustworthy employee to make a careless mistake under the yoke of pandemic woes, loneliness and general malaise.
“The Verizon [DBIR] also highlights that while financial gain can motivate insiders, the broader range of reasons for these acts includes boredom and curiosity, working around security controls to make a task more convenient, or holding a grudge and seeking revenge,” said Welch.