Every industry should be concerned with insider threats, but many executives must realize how pervasive the threat truly is. The 2022 Verizon Data Breach Investigations Report revealed that out of all reported data breaches, 26% were caused by malicious insiders, 56% by negligent insiders, and 18% by compromised insiders. Some quick arithmetic will show that makes up 100% of all breaches that can be traced back to insider actions at some level. The risk of insider threats cannot be overstated.
Many executives, senior management personnel, and even some security teams look at insider security risks solely from the perspective of a disgruntled employee or other malicious internal bad actor. Unfortunately, while that is the most commonly used definition of an insider threat, it isn't entirely accurate. For a small financial institution, that oversight can be devastating, especially considering that the cost of a data breach was last estimated to average just under $6 million per incident in 2022. There are many types of insider threats, and we'll define some pertinent terms for you to help flesh those out before providing you with some key tips on preventing insider threats at small banks.
Categories of Insider Threats
Taking the three defined terms straight from the Verizon Data Breach Investigations Report is a good place to start to give you a well-rounded view of the wide range of potential security risks posed by insider actions.
Malicious insiders are exactly what everyone typically thinks of when talking about insider threats in work environments; disgruntled employees or those falling victim to blackmail using their legitimate access privileges to exfiltrate sensitive data or personal information to bad actors intentionally. Alternatively, the sole motivation could be the destruction of systems or interruption of services that negatively affect business continuity.
On the other hand, negligent insiders are otherwise well-meaning employees that inadvertently expose the enterprise to security risks through their actions. Some examples are falling for phishing scams or other social engineering attacks, revealing sensitive information in a public forum or non-secure communication method, or even using unapproved third-party applications to accomplish daily tasks faster and thereby exposing sensitive data or network credentials.
The increase in remote work using personal devices or with ineffective monitoring of company-owned devices has resulted in a much wider attack surface. Third party apps risk comes from unknown developers with ulterior motives, applications with downright poor cybersecurity, and even failure to update apps to close known security threats. These can result in data breaches that can ravage small financial institutions.
The compromised insider's category comprises employees or vendors with legitimate access that has their credentials compromised through various means. This could result from a third-party vendor who suffered a data breach, which allows cybercriminals access to systems in your network, much like the massive Target data breach in 2013, or it could come from lost or stolen employee devices with stored credentials. The root of this category is that bad actors exploit authorized user accounts to conduct their illicit activity, which can make preventing these insider threats at small banks a real challenge with limited personnel on security teams.
Small Financial Institution Best Practices
There are several effective strategies that your security team can implement to assist in mitigating insider threats. These best practices provide proven methods of detecting, addressing, and preventing insider threats at small banks.
Harness Emerging Software
Profit margins are a driving concern everywhere, and the financial industry is no different. For that reason, you want to determine your path forward by selecting techniques that provide protection across multiple threat vectors. One of the areas in which you can affect all three major categories of insider threats is a cybersecurity monitoring program that harnesses behavior analytics. Tracking the patterns of your staff and vendors' access to systems provides a baseline for the program to determine when access outside those norms is worthy of escalation.
Suspicious behavior regarding access to systems outside of normal hours can indicate an insider trying to exfiltrate critical information without drawing attention to themselves, or it can show where cyber attackers are using credentials with legitimate access to perpetrate their crimes outside of standard user behaviors. Timely notifications of your security teams by programs such as these can reduce the dwell time of attackers, limit the scope of a data breach, or provide early warning of a disgruntled employee's potential intent.
Multifactor Authentication and Time-based Tokens
Multifactor authentication (MFA) is something we always recommend that you have in place. While it will not protect against the malicious staff member, defending against insider threats from negligent employees or compromised devices and accounts is much simpler when an attacker needs more than just a single login credential to provide access to systems and critical information.
Instead of a password and MFA check granting unlimited access until logout, users should be issued time-based tokens granting access until a predetermined period of inactivity forces a logout. This prevents bad actors from lurking within a user's account and only taking action once they think the user has become inactive but not logged out.
Principles of Least Access
One of the core principles of identity and access management is the principle of least access or least privilege. Suppose the privileges of each account are intentionally restricted to only the systems and sensitive information necessary to complete the duties of the employee or vendor. In that case, the potential scope of a data breach or damage caused by a disgruntled employee is substantially limited.
Foster A Culture of Security and Trust
From the top down, your enterprise must embrace a security culture and intentionally build trust with all personnel. This begins with the C-suite and must be continued through each successive management layer. Establishing a wholly anonymous reporting system is a primary focus, but this is meaningless unless every single tip is acted on. Trust is most firmly built when staff members of all levels feel comfortable reporting suspicious behavior or unusual activity without fear of reprisal or negative personal consequences.
That said, the investigation into an insider threat should be kept secret. Only your security team members tasked with investigating the incident should have the details, and this information must be closely held. This does not mean failing to provide meaningful information to your staff only that investigations remain confidential. Another way to foster trust is showing your employees the actions you have taken on their behalf and even the number of incidents that have been handled and resolved. This information can be delivered through town hall meetings or other enterprise-wide meetings, and it provides factual proof that you value the input you're receiving.
Remember, you selected and invested in your personnel because you believed they were the best people for the positions you placed them in, and they fit well in the company. The most powerful way to earn the loyalty of your staff is to make them feel valued and ensure they're contributing members of your team. An employee who feels appreciated is much less likely to become a threat, whether through overt, malicious actions or bypassing structured and intelligent cybersecurity procedures that they understand.
At Venture Lynk Risk Management, preventing insider threats at small banks is something that we take very seriously. As specialists focusing on high-risk industries like healthcare and financial services, we understand what it takes to provide service that is second to none. With customized and package options in vendor risk management, cybersecurity risk management, and even intellectual property risk, we offer solutions for nearly any circumstance your enterprise may face. Contact us today to see what we can put together for you.