Insider Threats to Financial Institutions: How to Set Up Protection You Can Bank On

Threatswitch Team
June 7, 2016

No matter the size, all financial institutions are at risk of harm at the hand of their own employees.

In a banking environment, your most valuable assets can no longer be sufficiently protected by spinning the dial on a vault. Money itself is only the tip of the iceberg in terms of assets that must be defended from theft or fraud; consider the value of all the bank's data, including customer account information, personnel data, audit reports, and other proprietary organizational data that could prove catastrophic if stolen and/or leaked publicly.

So how do you mitigate the risk of insider threat at your bank?

Step 1: Determine Your Most Valuable Assets and Prioritize Your Most Critical Insider Threat Risks

To protect everything is to protect nothing. Understanding where your most crucial value lies is key to structuring appropriate protective measures. Consider those assets that an adversary would most want in order to gain economic or information advantage. Go beyond the most obvious assets and think about the key elements without which you simply could not do business, such as online customer portals, ATM networks, and even physical office space. Walking through a SIPOC (Suppliers, Inputs, Process, Outputs, Customers) exercise may help generate ideas.

Once you have a clear sense of your bank's "crown jewels", consider the consequences to the organization if these assets were compromised. This may range from a teller tapping into a customer's account to wire funds illicitly to a disgruntled IT employee shutting down your public-facing website. Use this thought process to prioritize the insider threat risks that are most critical to defend against.

Step 2: Identify Risk Indicators and Establish Monitoring Processes

Now that you have defined your bank's unique threat profile, the next step is to continually monitor your networks and the other locations where your most valuable information resides. Keep an especially close eye on privileged users, who tend to have the most access and could do the most damage. Enforce the doctrine of "least privilege" wherever possible, giving employees access only to the data they need to carry out their jobs effectively.

For example, say you have determined that the number one insider threat risk to your bank is the possibility of branch managers transferring funds out of customer accounts and then scrubbing transaction logs to obscure the evidence. You may identify a variety of leading indicators to flag a potential violation before it occurs. These could combine anomalous network activity indicators (accessing customer accounts outside of normal business hours, increased frequency of access to or edits of transaction logs) with more qualitative measures, such as observed distress at work or a personal event like a divorce or bankruptcy. For each of your organization's top risks, ask your team: "What observable indicators would be present before this violation occurs?"

Step 3: Share Information Across The Organization

In the example above, an action that triggers just one of the analytic indicators is usually not enough information to act on. Your organization may be at the leading edge of data collection, but if there is no structure in place to share and analyze patterns of behavior across functional areas, the data is meaningless.
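To make the branch-manager scenario from Step 2 and the "one indicator is not enough" point concrete, here is an added example (not from the original post) that scores two of the network indicators over a constructed audit log and only escalates users who trip more than one. The log format, the 08:00-17:59 business-hours window and the edit baseline are assumptions; a real deployment would take these from the bank's own systems and the Working Group's agreed thresholds.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (not real data): timestamp, user, action, target.
AUDIT_LOG = """\
2016-06-01T02:14:00 bmgr_17 READ customer_account:4471
2016-06-01T02:20:00 bmgr_17 EDIT transaction_log:4471
2016-06-01T02:25:00 bmgr_17 EDIT transaction_log:4471
2016-06-01T02:31:00 bmgr_17 EDIT transaction_log:4471
2016-06-01T09:05:00 teller_03 READ customer_account:1180
2016-06-01T10:12:00 teller_03 READ customer_account:2206
2016-06-01T23:40:00 itops_02 READ customer_account:9020
2016-06-01T11:00:00 bmgr_05 EDIT transaction_log:3311
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumption)
EDIT_BASELINE = 2              # transaction-log edits per day considered normal (assumption)


def parse(line):
    """Split one audit line into (datetime, user, action, target)."""
    ts, user, action, target = line.split()
    return datetime.fromisoformat(ts), user, action, target


def indicators_per_user(log_text):
    """Return {user: set of indicator names} for one day of audit lines."""
    hits = defaultdict(set)
    edits = defaultdict(int)
    for line in log_text.strip().splitlines():
        ts, user, action, target = parse(line)
        # Indicator 1: customer-account access outside business hours.
        if target.startswith("customer_account") and ts.hour not in BUSINESS_HOURS:
            hits[user].add("off_hours_account_access")
        # Indicator 2: transaction-log edit frequency above the baseline.
        if action == "EDIT" and target.startswith("transaction_log"):
            edits[user] += 1
    for user, count in edits.items():
        if count > EDIT_BASELINE:
            hits[user].add("excess_transaction_log_edits")
    return hits


def escalate(hits, minimum=2):
    """Raise to the Working Group only users with at least `minimum` independent indicators."""
    return {u: sorted(names) for u, names in hits.items() if len(names) >= minimum}
```

With this data only bmgr_17 is escalated; itops_02 trips the off-hours indicator alone and stays a single data point for the Working Group to correlate with HR or other sources rather than an alert on its own.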

Every organization should establish a structured Insider Threat Working Group made up of executives from different functional areas, including but not limited to Security, IT, Legal, HR, and Administration. The Working Group should meet on a regular basis to share the latest indicator details, discuss emerging concerns, and work collaboratively to ensure the organizational security culture is maintained.
