Identifying Insider Threats at Financial Institutions During Remote Work

Renée Tarun – Deputy CISO and Vice President Information Security at Fortinet, discusses how financial institutions can identify threat vectors and address the growing threat landscape.

With a 47% increase in just two years, it has become clear that insider threats are a growing problem. It is a danger that no organization is immune to, and leaders are well aware of this: two-thirds of organizations consider insider threats to be a bigger problem than external attacks. And financial services companies are especially vulnerable because they are a natural target, primarily due to the fact that the types of data collected within these organizations – financial and personal – tend to have a high resale value on the black market.

Considering this, it is no surprise that the financial services industry experiences more breaches as a result of internal threats than other market sectors.

Understanding the Types of Insider Threats

Almost anyone can become an insider threat – all it takes is access to sensitive information, or simply access to the building where those resources are located, whether the individual works for the company or not. Former employees, consultants, board members, or current employees are good examples. So are janitors.

As for intention and circumstances surrounding a threat, there are three main types:

Accidental Insider Threat

The accidental insider can be personified in many forms. It could be the unwitting employee who clicks on a phishing email, unknowingly helping to spread malicious code around the network. It could be a manager who installs unauthorized software or uses Shadow IT. It may be the person who uses their birthday as a password or the one who writes their credentials down on a sticky note under their keyboard. It can even be a complacent IT staff member that misapplies a security patch, opens a back door to log into the network from home, misconfigures a network component, or forgets to change the default password on a company device. Or someone who simply forgets to lock a door or lets someone coat-tail them into the building.

In other words, accidental insider threats appear as a result of careless, and sometimes reckless behaviour that enables cybercriminals to achieve their goal.

Malicious Insider Threat

Malicious insiders, on the other hand, are not reckless, careless, or unwitting. They know exactly what they are doing, and they have a motive behind tampering with the network and stealing data. The disgruntled employee comes to mind, as well as those who are paid to infiltrate or use their position to do so. Some may be in a difficult financial situation, or have been tempted by a competitor with promises of a big payoff or a better job. Banks and other financial institutions are likely targets because that’s where the money is. Of course, some may also just be doing it for the thrill of it.

Remote Worker Threat

This is a newer category of insider. Remote workers have been around for decades, but when the number of employees working from home increases, so do the risks. In addition to connecting to the corporate network through a potentially non-secure home or public network, these employees may also be using personal devices that were not procured, configured, and secured by IT, further compounding the problem. There is also the danger that other users in the home might have access to the device.

Remote users that work in isolation are also more likely to fall victim to social engineering attacks because they cannot simply slide their chair over to a supervisor to ask whether something is legitimate or not. There is less oversight and fewer restrictions in a work-from-home environment, which, unfortunately, can lead to relaxed attitudes around security.

Back at headquarters, IT also faces challenges when it comes to the remote worker. External connections create more traffic logs and more event data that need to be reviewed, at a time when IT resources are already stretched too thin. Attacks can simply get lost in the noise.

Managing Insider Threat Risk

With more insider threats to worry about than ever before, what can the IT and security teams at financial services institutions do to manage the risk?

While managing traditional insider risk is probably already part of any financial services organization’s IT strategy, managing the sudden influx of remote workers may not. Addressing remote worker threats in financial services is challenging, but by taking certain steps the security teams can manage the risk. Here is a short checklist of actions that can help secure the remote workforce:

1. Secure Remote Access Connections: Encrypting data in motion is essential, which is why SSL and IPSec VPN should be used along with strong authentication when connecting remote users to the network and allowing them to access data. This also has to include inspecting encrypted traffic, as VPN tunnels can be just as easily used to transport malware and financial data undetected as it can be for legitimate traffic. This will require deploying a firewall designed to manage the scale and performance requirements such inspection requires.

2. Encrypt Data at Rest: All sensitive data, including that of which is stored on employee devices, should also be encrypted. If this is not feasible, remote workers should be prohibited from storing data on these devices.

3. Deploy Visibility and Access Control Technology: IT teams need all the help they can get when it comes to the visibility of users, devices, and applications on the network so they can control who and what applications have access. Network Access Control and Zero-touch Network Access are critical solutions to have in place.

4. Prioritize Endpoint Security: Endpoints are common attack vectors, which also means they must be regularly assessed for vulnerabilities and advanced threats. They must also have advanced security solutions installed, such as endpoint detection and response (EDR) solutions that offer real-time protection against malware and breaches. These solutions should also be combined with a holistic security framework that can automatically detect, respond to, and manage incidents, thereby protecting data, reducing system downtime, and ensuring business continuity.

5. Monitor for Unusual Activity: Leverage SIEM and SOAR technologies to monitor and alert on abnormal login attempts, large data transfers that cannot be explained, or other unusual behaviours.

6. Educate the Remote Workforce: Security policies specific to remote working should be conveyed to anyone who is working from home or other remote locations. This includes a focus on the awareness of social engineering attack methods such as phishing, smishing, and vishing.

Addressing Insider Threats is Vital to Business Continuity

Now more than ever, insider threats pose a serious risk to financial institutions, especially those that have transitioned to alternate work environments to ensure business continuity. While various security controls may have been put in place to keep out external cybercriminals, traditional methods of defense do not always consider the threats that already exist within the business environment. By understanding the types of insider threats that exist and following the six steps outlined above, organizations can better protect their networks, customers, and employees from new risks brought about by an expanded remote worker strategy.