How to Keep your Finance Service Business Safe from Rogue Insiders

How to overcome the Menace of Insider Threats in Financial Services

Ransomware operators and other threat actors are targeting the financial services industry more intensely than ever. The financial services sector has more robust cyber defences than most other industries, but many companies in the sector have rogue insiders. Insider threats are internal users, such as employees or contractors with network access, who compromise critical data or let cyber attackers in. Whether such a compromise happens accidentally or on purpose, it renders most traditional cyber defences ineffective. All it takes to subvert the network is one moment of human error.

The Ponemon Institute's 2020 Cost of Insider Threats: Global Study reports 4,716 insider attacks recorded across the globe. The cost of an insider incident almost doubled between 2019 and 2020, from $493,093 to $871,686.

Insider threats in financial services assume the following forms:

  • Fraud. The theft, modification, or destruction of data by an insider for personal gain. For instance, an unethical employee may wire money to a personal offshore account.
  • Sabotage. Employees or others with legitimate access to the network may hold a grudge against the company. Such rogue insiders may use their legitimate access to destroy company systems or steal data. At times, terminated employees continue to have access to enterprise networks, and they sabotage the network for revenge.
  • Intellectual property theft. In the high-stakes game of intellectual property, agents of competitors or even nation-states may infiltrate as employees or contractors. Such rogue insiders steal trade secrets and other intellectual property.
  • Harried employees. Working under tight deadlines, overworked employees may skip protocols or rules. They sometimes set up shadow IT, bypassing the IT team, to cut through red tape and get work done quickly. When such employees do not follow the prescribed security protocol, they invariably create vulnerabilities that open the door for hackers. For instance, when an employee downloads an unapproved app or fails to update an app as recommended, the app may create vulnerabilities that cyber criminals exploit to penetrate the network. The shift to remote work has increased insider threats: when faced with tight deadlines and restrictive IT rules, staff may opt for unapproved apps or services, which expose financial institutions to greater risk.
  • Compromised employees. Cybercriminals often identify a company, target executives with access rights, and resort to blackmail or other forms of coercion. A standard method is honey trapping, where criminals force employees to reveal access credentials or steal information themselves under threat of publishing compromising photos.
  • Rogue insiders need not siphon data or slip in malware to wreak damage. Financial service firms rely heavily on IT infrastructure to keep their systems running seamlessly for customers. Extended downtime can lead to lost revenue, missed opportunities, and loss of customer trust.

Here are the ways enterprises can remain safe from rogue insiders.

1. Streamline Access Management

Most rogue insider incidents happen because of poor network management that grants unwarranted access to employees and other network users. Many enterprises do not have a documented access management system. Network admins grant access on an ad-hoc basis and soon forget about it. This perpetual state of chaos means access rights remain even after the employee quits or is terminated.

  • Create access policies that follow the principle of least privilege. Have a documented system that specifies the access rights for each category or group of users.
  • Ensure HR routes every termination and resignation through the network admin team so that access rights are revoked. In the case of terminations, revoke access rights before informing the employee.
  • Conduct regular network audits, which include a review of access policies and rights. Involve the HR team in closing the termination gap and correcting credentials that were granted in error. Such assessments also flag insider bad behaviours such as snooping. User access reviews also help a financial organisation meet SOX compliance.
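To show what a user access review actually checks, here is an added example in Python (not from the article or any vendor it mentions). It reconciles a constructed HR roster and a constructed list of directory grants against a least-privilege policy and reports three kinds of findings: grants held by terminated staff, grants with no HR record behind them, and grants that exceed what the user's group is allowed. All user ids, groups and entitlement names are made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HR roster (hypothetical data): who is still employed, and in which group.
HR_ROSTER = {
    "u100": {"group": "teller", "status": "active", "terminated": None},
    "u200": {"group": "analyst", "status": "terminated", "terminated": date(2023, 3, 1)},
    "u300": {"group": "contractor", "status": "active", "terminated": None},
}

# Least-privilege policy: the only entitlements each group may hold (hypothetical).
ACCESS_POLICY = {
    "teller": {"core-banking:read", "core-banking:post-txn"},
    "analyst": {"warehouse:read"},
    "contractor": {"ticketing:read"},
}

# Grants as they exist in the directory today (constructed), including
# the usual drift: an ad-hoc extra right, a leaver never revoked, an orphan.
GRANTS = [
    ("u100", "core-banking:read"),
    ("u100", "core-banking:post-txn"),
    ("u100", "wire:approve"),        # granted ad hoc, outside the teller role
    ("u200", "warehouse:read"),      # user terminated, access never revoked
    ("u300", "ticketing:read"),
    ("u999", "warehouse:admin"),     # no HR record at all
]

REVIEW_DATE = date(2024, 1, 15)     # date the review is run (constructed)


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def review_access(roster, policy, grants, today):
    """Compare every grant against HR status and the least-privilege policy."""
    findings = []
    for user, entitlement in grants:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, entitlement, "no HR record (orphaned account)"))
            continue
        if record["status"] != "active":
            days = (today - record["terminated"]).days
            findings.append(Finding(user, entitlement,
                                    f"terminated {days} days ago, access not revoked"))
            continue
        allowed = policy.get(record["group"], set())
        if entitlement not in allowed:
            findings.append(Finding(user, entitlement,
                                    f"exceeds least-privilege policy for group '{record['group']}'"))
    return findings


def revocation_list(findings):
    """(user, entitlement) pairs to revoke; for leavers, do this before anyone is notified."""
    return sorted({(f.user, f.entitlement) for f in findings})


def run_review():
    """Run the review over the constructed data and return the findings."""
    return review_access(HR_ROSTER, ACCESS_POLICY, GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:6} {f.entitlement:22} {f.reason}")
    print("revoke:", revocation_list(run_review()))
```

Feeding the real HR feed and a directory export into the same three checks, on a schedule, is the minimum that closes the termination gap the article describes; the revocation list is also the evidence an auditor asks for.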

2. Deploy real-time network monitoring

There is no alternative to continuous network monitoring to prevent insider threats. The latest AI-powered solutions:

  • Monitor traffic and alert on anomalies in real time. For instance, the tool issues an alert if users engage in suspicious activity outside their typical work pattern. These tools combine data loss prevention and user behaviour analytics to reduce risk.
  • Accelerate incident response through automated rules.
  • Deliver robust audits. For instance, the tool captures endpoint activity to offer context on what happened before and after a violation. These insights determine whether the act was malicious, negligent, or an external compromise.
  • Retain detailed audit trails of employee and third-party activity to meet financial compliance mandates.
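As an added illustration of the "outside their typical work pattern" rule, here is a small Python detector (not from the article or any product it mentions) run over a constructed endpoint-activity log. It builds a per-user baseline of how much data routine file reads touch, then flags events that fall outside working hours, use a high-risk action such as a USB copy, or move a volume far above that user's baseline. The log lines, user names, paths and thresholds are all made up; a real deployment would build the baseline from a prior window rather than the same batch.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint log (hypothetical). Fields: timestamp user action target bytes
SAMPLE_LOG = """\
2024-05-06T09:12:04 alice file_read claims/2024-q1.csv 120000
2024-05-06T10:40:51 alice file_read claims/2024-q2.csv 98000
2024-05-07T09:05:13 alice file_read claims/2024-q3.csv 110000
2024-05-07T14:22:09 alice file_read claims/2024-q4.csv 105000
2024-05-08T23:47:31 alice usb_copy claims/all-years.zip 4800000
2024-05-06T08:58:00 bob file_read policies/renewals.xlsx 40000
2024-05-07T09:01:44 bob file_read policies/renewals.xlsx 41000
2024-05-07T12:15:20 bob file_read policies/renewals.xlsx 40500
"""

WORK_HOURS = range(7, 20)                   # 07:00-19:59 is the normal working day (assumed)
HIGH_RISK_ACTIONS = {"usb_copy", "cloud_upload"}  # actions that move data off the endpoint


def parse_log(text):
    """Turn the whitespace-separated log into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, user, action, target, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return events


def build_baselines(events):
    """Per-user mean and population stddev of bytes touched by routine actions."""
    sizes = defaultdict(list)
    for e in events:
        if e["action"] not in HIGH_RISK_ACTIONS:
            sizes[e["user"]].append(e["bytes"])
    return {u: (mean(v), pstdev(v)) for u, v in sizes.items()}


def detect(events, baselines, z_threshold=3.0):
    """Return one alert per event that breaks any of the three rules, with reasons."""
    alerts = []
    for e in events:
        reasons = []
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if e["action"] in HIGH_RISK_ACTIONS:
            reasons.append(f"high-risk action {e['action']}")
        mu, sigma = baselines.get(e["user"], (0.0, 0.0))
        if sigma > 0 and (e["bytes"] - mu) / sigma > z_threshold:
            reasons.append("volume far above user baseline")
        elif sigma == 0 and mu > 0 and e["bytes"] > 10 * mu:
            reasons.append("volume far above user baseline (single-point baseline)")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "target": e["target"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG):
    """Parse, baseline and detect in one call; returns the alert list."""
    events = parse_log(text)
    return detect(events, build_baselines(events))


if __name__ == "__main__":
    for a in run():
        print(a["ts"], a["user"], a["target"], "; ".join(a["reasons"]))
```

Each alert carries the reasons that fired, which is the context an analyst needs to decide whether a late-night bulk copy of claims data was malicious, negligent, or a compromised account.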

A global insurance broker that deployed an insider threat management tool was able to detect the risky movement of claims data files from endpoints or corporate apps. The tool delivers a comprehensive audit trail, with screenshots and logs offering irrefutable evidence of suspicious activity.

3. Implement zero trust

Trust is the basis of the conventional approach to network security. The network assumes everyone inside is "good" and deploys defences against the "bad actors" lurking outside. Such an approach gives rogue insiders a free hand. A zero-trust approach corrects this shortcoming.

  • Adopt fine-grained controls and trust no user. Institute the same rules for internal and external users.
  • Make all access controls time-based. Use time-based tokens that automatically log users out after a specified period of inactivity. Check and validate access constantly.
  • Deploy multi-factor authentication. Multi-factor authentication also makes it possible to attribute any action to the specific user who performed it.
  • Improve key management. Insider threats happen when some users have high levels of access; ensure a system of checks and balances so that no single employee holds all the power. This is especially relevant for encryption keys: create a security framework in which no single person holds all the encryption keys, and ensure the sysadmin with privileged access deploys obfuscation tools so that employees do not see the key and inadvertently compromise data.

Failure to safeguard keys can have huge security implications for enterprises. Recently, PostBank, the South African post office bank, suffered a loss of $8 million in replacing millions of bank cards after an internal employee copied the master key, thereby compromising customers’ bank data. The total damage for the bank exceeded a whopping $50 million.

There is no one-size-fits-all approach to managing insider threats. Each company has unique use cases. The nature and likelihood of the threats depend primarily on the employee profile. Financial service providers that have gone through mergers and acquisitions often face high threat levels, since many new employees gain access to the broader network. As firms merge systems and personnel, gaps and overlaps in existing security frameworks create potential blind spots. Such areas of vulnerability are often overlooked because the IT team is focused on making the merger succeed. Likewise, companies that do not run extensive background checks on their broader vendor ecosystem face an increased risk of insider threats.
