Companies in the finance industry have to look out for a range of insider threats and insider fraud situations, for several reasons. Businesses that handle financial data carry particular liabilities, and they are governed by tighter compliance regulations than most other sectors. Finally, certain situations tend to recur in this industry: employees or former employees, using nothing more than their normal system access, can do serious damage to a company's data and network.
Types of Insider Threats Facing Finance
Many of the insider threats in this sector fall into one or more of three categories: insider fraud, IP theft, or sabotage. These labels describe the nature of the attack and the intent and goals of the insider. Sometimes the attack is about stealing data or money; other times it is about crippling the network. Here are some details on each category.
Insider Fraud
Insider fraud happens when existing employees use their legitimate access to commit financial fraud. Because financial data is so directly tied to money, the incentive to abuse that access is stronger here than in many other industries. An employee typically holds network access, credentials and account privileges that could be used to divert company or customer assets, or to harm the network in some other way.
IP Theft
Intellectual property theft occurs when someone with access to the network obtains sensitive data and removes it. This includes the kind of attack that often happens during off-boarding, where a departing employee, contractor or temp takes a parting shot by walking out with sensitive data.
Sabotage
These insider threats usually involve disgruntled employees with malicious intent. Some of them have no financial incentive and may not even target valuable financial information; they are aimed instead at disrupting business, compromising system integrity and interfering with network activity.
Sabotage may have a social engineering component, or it may be a lone individual who uses existing or stolen access to damage a system.
A study from Carnegie Mellon’s Software Engineering Institute (and promoted on a related blog) shows some interesting numbers on these types and categories of insider threats in finance, finding, for example, that:
- More than 75% of surveyed threats took place in banks and credit unions, as opposed to insurance companies or other finance business environments
- Almost half of attackers identified in insider threats in the sector had worked for the employing company for five years or more at the time of the attack
- Nearly all cases (above 95%) involved insiders attacking or working on attacks during work hours
- About one third of attackers used a "fraudulent asset" to carry out their attacks; about a quarter of them used an alias
All of this illuminates what’s most common in these types of cases.
Regulations Governing Finance
Some of these regulations impact how businesses work to guard data and protect systems.
Gramm-Leach-Bliley Act
Many people know this financial legislation for its partial repeal of the Glass-Steagall rule that put a barrier between commercial banks and investment services, but GLBA also imposes specific safeguards on financial institutions that bear directly on insider threats and insider fraud. The law aims to increase transparency by requiring financial institutions to explain how they handle the non-public personal information (NPI) that customers give them, and to prevent that data from being misused.
A privacy section of the act requires financial privacy notices to be sent to stakeholders.
Another component of the law, the Safeguards Rule, requires a written information security program backed by a risk assessment of the company's systems. It sets out data governance standards covering how customer data is:
· Collected
· Stored
· Used
A further component of the Gramm-Leach-Bliley Act prohibits pretexting, that is, obtaining customer information under false pretenses. This covers social engineering attacks such as phishing, whether they come from outsiders or from insiders posing as someone else.
Sarbanes-Oxley
The Sarbanes-Oxley Act (SOX) applies to publicly traded companies, finance included, and was meant to protect investors by creating financial reporting standards.
SOX requires executives to certify in writing that their company's financial statements are accurate.
It requires companies to set up appropriate internal controls over financial reporting and to have those controls assessed.
It also imposes extensive data governance and record-keeping requirements.
Those record-keeping provisions spell out how long documents must be retained and how they are to be kept, both on paper and in digital form, which is what makes SOX relevant to insider activity: an insider who alters or destroys financial records is violating the act, not just company policy.
PCI-DSS
PCI-DSS is an industry standard rather than a law, and it governs the security of payment card data. It specifies controls such as firewalls, antivirus tools and access restrictions to prevent the corruption or theft of cardholder data.
The standard also requires companies to track and monitor all access to network resources and cardholder data, which is exactly the kind of logging that insider threat detection depends on.
Insider Threat Defenses in Finance
Many of the best strategies for insider threat defense in this industry involve various ways of monitoring users and identifying suspicious activity.
One common insider threat in finance is the slowly emerging attack, where malicious actors start small and try to stay under the radar as they siphon off money, account information or other data. The defense, then, involves digging into routine activity data to find where an attack like this may be building.
User Activity Monitoring and UEBA
Companies can start with simple tools for user activity monitoring, including event logging. UEBA, or user and entity behavior analytics, goes several steps further: it builds a baseline of each user's normal behavior from that logged data and then flags deviations from the baseline that signal risk.
Because a baseline exists for every user, host and service, the analysis can be applied anywhere in the network and at any stage of an attack, surfacing the warning signs and early clues that an insider attack may be under way. The practical benefit is shorter dwell time: an attack that builds gradually is caught while it is still small.
Companies can also use endpoint security to watch the places where data is most exposed. Originally, much of this was aimed at physical endpoints in company offices, such as workstations; companies monitored USB ports to make sure employees or others did not walk off with important information on a flash drive.
Today the threat environment looks very different. With 'bring your own device' and smartphones, companies have had to pay far more attention to remote endpoints, watching what users do with mobile devices in the field and whether an insider attack could take place that way.
There is another fundamental strategy that companies can use to try to keep tabs on insider threats and fraud.
It has to do with Identity and Access Management (IAM).
This approach starts from the principle that each user has a single, specific identity with a defined set of entitlements, granted on a least-privilege basis. Monitoring and logging are then tied to that identity, so every action is attributable to a person and nothing falls through the cracks.
Endpoint monitoring, IAM and the other techniques above all feed the same place: a UEBA system that takes a granular look at every user session, aggregating more data and extracting more intelligence from what happens inside the network day to day.
How to Beat Insider Fraud and Insider Threats
Notwithstanding the above approaches that protect digital systems in a comprehensive way, companies can also address the human side of business to put more of a damper on emerging insider threats.
Here are some of the best practices around this aspect of cybersecurity in finance:
Train Employees to Spot Insider Threats
This is where companies focus on the human side of attacks, including insider threats and insider fraud. Social engineering includes techniques like spearphishing, where insiders or outsiders try to dupe account holders into giving up something of value, such as sensitive financial data like credit card numbers, or access credentials that can be used to reach other financial data.
Training hardens this part of the business by making people aware of what to do, and what not to do, to keep company data safe. Part of that covers the warning signs that so often appear: insider fraud perpetrators tend to have indicators in their personal background, such as financial need or resentment toward the company. They may also change their behavior (suddenly coming in early or staying late, or always volunteering for projects that will expand their access), and co-workers are usually the first to notice. Staff should be trained to recognize and report these signs.
This is all the more important in finance, where other aspects of training can include items like SOX, GLBA and PCI-DSS compliance.
Use Behavior Analytics to Spot Insider Threat Behavior
As discussed above, comprehensive behavior analytics cover more ground for companies seriously worried about insider threats and fraud. The data itself brings a level of protection that complements other proactive efforts. In finance, it helps cover sensitive data areas, like card data or customer financial data, that might otherwise get less oversight.
Spotting suspicious behavior takes knowledge of typical attack patterns. An insider threat often takes the 'low and slow' approach, building over time so that no single action looks alarming, which is why behavior analytics that accumulate small deviations over time are particularly important for spotting this kind of activity.
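As an added example of the 'low and slow' problem described above and in the User Activity Monitoring and UEBA section (this code is not from the original article or any UEBA product), the script below learns a per-user baseline of daily activity counts from constructed log lines, then compares a naive single-day z-score rule against a one-sided CUSUM test. The user names, the "export_customer_records" action, the CSV format and all counts are constructed for illustration; the CUSUM parameters k and h are typical starting values and are assumptions, not figures from the article.

```python
"""
Added example (not from the article): a minimal UEBA-style detector that
builds a per-user baseline from daily activity counts and runs a CUSUM test
so that a 'low and slow' rise in activity, where no single day looks
abnormal, still produces an alert. All log data below is constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
import statistics

BASELINE_DAYS = 14   # days used to learn each user's normal volume
Z_THRESHOLD = 3.0    # single-day z-score alert (the naive rule)
CUSUM_K = 0.5        # slack: deviations below 0.5 sigma are ignored
CUSUM_H = 5.0        # decision threshold for the accumulated deviation

# Hypothetical daily counts of "export_customer_records" actions per user.
# Days 1-14 are normal for both users. From day 15 alice creeps up by only
# two or three records a day (never above 3 sigma); bob does one big pull.
NORMAL = [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 10, 9, 11, 10]
ALICE_COUNTS = NORMAL + [12, 12, 13, 12, 13, 13, 12, 13]
BOB_COUNTS = NORMAL + [40, 10, 11, 10, 9, 10, 11, 10]


def build_sample_log(counts_by_user, start=date(2024, 3, 1)):
    """Emit constructed CSV log lines: date,user,action,records."""
    lines = []
    for user, counts in counts_by_user.items():
        for day, n in enumerate(counts):
            d = start + timedelta(days=day)
            lines.append(f"{d.isoformat()},{user},export_customer_records,{n}")
    return "\n".join(lines)


def parse_log(text):
    """Parse CSV lines into (date_str, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, action, n = line.split(",")
        events.append((d, user, action, int(n)))
    return events


def daily_series(events, action):
    """Per-user list of (date_str, count) for one action, in date order."""
    series = defaultdict(dict)
    for d, user, act, n in events:
        if act == action:
            series[user][d] = series[user].get(d, 0) + n
    return {u: sorted(days.items()) for u, days in series.items()}


def baseline(series):
    """Mean and standard deviation of the first BASELINE_DAYS counts.
    The stdev is floored at 1.0 so a flat baseline cannot divide by zero."""
    values = [n for _, n in series[:BASELINE_DAYS]]
    return statistics.mean(values), max(statistics.stdev(values), 1.0)


def threshold_alerts(series):
    """Naive rule: alert on any post-baseline day whose z-score exceeds Z_THRESHOLD."""
    mean, sd = baseline(series)
    return [d for d, n in series[BASELINE_DAYS:] if (n - mean) / sd > Z_THRESHOLD]


def cusum_alerts(series):
    """One-sided CUSUM over post-baseline days: accumulate standardized
    deviations above CUSUM_K and alert whenever the running sum passes CUSUM_H."""
    mean, sd = baseline(series)
    s, alerts = 0.0, []
    for d, n in series[BASELINE_DAYS:]:
        s = max(0.0, s + (n - mean) / sd - CUSUM_K)
        if s > CUSUM_H:
            alerts.append(d)
    return alerts


def run_detection(log_text, action="export_customer_records"):
    """Return {user: {"threshold": [dates], "cusum": [dates]}} for one action."""
    per_user = daily_series(parse_log(log_text), action)
    return {u: {"threshold": threshold_alerts(s), "cusum": cusum_alerts(s)}
            for u, s in per_user.items()}


SAMPLE_LOG = build_sample_log({"alice": ALICE_COUNTS, "bob": BOB_COUNTS})

if __name__ == "__main__":
    for user, result in run_detection(SAMPLE_LOG).items():
        print(user, result)
```

On the constructed data, bob's single large export trips both rules on the same day, but alice never exceeds the 3-sigma threshold on any individual day; only the CUSUM test, which accumulates her small daily excess, raises an alert (on the fourth day of the creep). Lowering h shortens that detection delay at the cost of more false positives, and in a real deployment the baseline would be rebuilt periodically and segmented by role so that a bulk-export job run by a reporting team is not scored against a teller's profile.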
Audit Regularly to Minimize Chances of Insider Threats
There is the old saying that 'two heads are better than one,' and there is also the value of audits for compliance. Audits do several things for a company:
Audits show that the company is making an effort to comply with industry standards, and that leadership is vigilant about cybersecurity.
Audits can also turn up important clues that in-house monitoring missed, and a clean result demonstrates to regulators and customers that the company takes its controls seriously.
Beyond that, regular auditing helps create an environment where it is harder for insider threats to thrive, particularly the internal fraudsters that plague the finance industry. Insider fraud happens when employees can take advantage of an unstable environment. Mergers between companies, for example, can open gaps when workflows and workforces are changing.
Irregular or lazy audit practices and haphazard, unstandardized workflows are further examples of unstable environments in finance. Insiders exploit these gaps, so establishing regular, thorough audit practices helps keep insider threats at bay by stabilizing the work environment and giving them less room to operate.
Final Thoughts
In this guide, we have seen how companies take a number of approaches to combat insider threats and insider fraud, and how analytics tools like UEBA tie many of those strategies together. Using these tools and putting these practices in place can help businesses in finance combat the insider threats they face, and avoid costly noncompliance penalties.