As a community bank, you rely heavily on your employees to connect with your customers. But this reliance can become a problem when the same employees become potential security threats.
By Karen Epper Hoffman
It is often said that the chief security threat in any organization is not any particular application or security procedure. It’s what sits between the chair and the keyboard: the human employee.
Sometimes, it’s because the employee is a maladjusted or malicious insider, bent on wreaking havoc. But most often it is an innocent user who clicks mistakenly on a fraudulent attachment or responds to a seemingly legitimate request for a wire transfer.
“We are seeing old-fashioned fraud committed through cyber tools,” says Thomas J. Curry, a partner and a co-leader of the banking and financial services group at Nutter McClennen & Fish LLP law firm, and the former U.S. comptroller of the currency. “It starts with good habits at home. If you have a child that leaves the door open, you expose yourself.”
With cases like Edward Snowden’s theft and disclosure of classified information in 2013 and Jun Xie’s exfiltration of roughly 2.4 million files from GE Healthcare’s secure network in 2014, the potential for insiders to misuse or steal data from their employer has come into the spotlight.
“Employees are one of the highest cybersecurity risks for small organizations, and phishing is the most common attack vector in the majority of cybersecurity incidents,” says Mark Weatherford, senior vice president and chief cybersecurity strategist for vArmour, and former deputy undersecretary for cybersecurity at the Department of Homeland Security. “People are typically helpful by nature, and in a service industry like finance, it is essential and necessary. This is what makes community banking employees susceptible to social engineering.”
Phishing specifically, and social engineering more broadly, allows attackers to assume trusted insider positions. Weatherford points out that this can give them access to everything those trusted insiders have available to them. This is what often results in cyber-enabled financial fraud. “While JP Morgan Chase & Co. can afford to spend $500 million each year on cybersecurity-related activities, including continuous employee training and security tools used to protect employees from themselves,” Weatherford says, “most community banks can’t expect to even get near that percentage of funding.”
With this in mind, it’s not surprising that less than one-third of IT security pros feel confident about identifying insider threats, with third-party and employee access their biggest concerns, according to a report by Atlanta-based identity and access management firm Bomgar. Also, a full three-quarters of respondents to Bomgar’s Privileged Access Threat Report 2018 have seen the number of vendors with access to their networks increase in the past year, and 33 percent believe they spend too little time monitoring third-party vendor access.
It is not necessarily the malicious employees who are doing the most harm. Research from Forrester shows that the greatest volume of security breaches (36 percent) comes from employees simply inadvertently misusing data.
“Community banks tend to distinguish themselves from large banks as closer to customers, and more friendly, which can be a bit at odds with security protocols,” says Seth P. Berman, a partner and leader of the privacy and data security practice group at Nutter McClennen & Fish LLP.
Security breaches that come from employees misusing data, according to Forrester
In 2015, 60 percent of breaches came through insiders, according to IBM. And that issue has only grown more prevalent. The EY Global Banking Outlook 2018 reports roughly nine out of 10 (89 percent) banks rank enhancing data security as a top priority for 2018. Oleg Kolesnikov, director of cybersecurity and threat research at Securonix, believes that in light of the recent series of banking compromises—including Moneytaker, Lazarus and others—insiders represent a “significant risk.”
Kolesnikov points to the $1.8 billion Society for Worldwide Interbank Financial Telecommunications (SWIFT) compromise at Punjab National Bank (PNB). In February 2018, two bank employees—a loan manager with a young subordinate—colluded with a loan recipient and misused their access to SWIFT to send more than 150 fraudulent letters of undertaking over a period of more than a year, exploiting a loophole in the internal controls (CBS) to avoid detection. (Based on publicly available details, there was no automated monitoring or security analytics in place. A lack of integration between SWIFT and CBS logs meant employees were required to manually log activity, effectively watching over themselves.) The activity went undetected for a significant period of time, and no Suspicious Transaction Report (STR) of First Information Report (FIR) was filed until nearly $2 billion was stolen.
“The risk from employees is very serious and very high regardless of the size of the bank,” says Sean Feeney, CEO of DefenseStorm. He adds that big money center banks “have thousands of people focused on cybersecurity and cyber fraud; a community bank cannot match that.” When it comes to threats from employees, the issue is particularly pronounced—70 percent of audits and investments show businesses have deficiencies in monitoring insider threat, and three-quarters (75 percent) of all insider threats go unnoticed, according to research from SANS.
Karen Epper Hoffman is a writer in Washington state.