COVID-19 is raising the risk of insider bank jobs

No financial institution is exempt from the occasional ‘malicious insider’, who, acting alone or with outside help, can do more damage than virtually any outside fraudster.

In addition to knowing where a bank’s most vital and sensitive information is stored, a maladjusted employee has the inside track to a bank’s weak spots. Hence, it’s not surprising that attacks from inside bad actors are the most costly and take the longest time to resolve.

“An attack by any trusted party, whether an employee, contractor, or trusted vendor has the potential to be devastating,” says Keith Monson, chief risk officer for Computer Services Inc., a Paducah, Ky.-based banking vendor. “If the right controls aren’t in place, these attacks can go on for a considerable amount of time, sometimes only being detected when the insider makes a mistake or gets too greedy.”

In the financial services sector, data breaches involving employees accounted for 36 percent of incidents, according to Verizon’s annual Data Breach Investigations Report (DBIR) for 2019, up from just 7 percent in the 2018 DBIR.

Many of these attacks are likely to involve negligent employees – those who make open a phishing attachment or have their credentials taken, rather than setting out to commit intentional harm. But personal or financial factors, or professional stressors including economic recession, layoffs and the pressures of COVID-19, may push some staff over the edge.

“Employee fraud tends to occur more often in turbulent times, when even good employees may face extremely difficult financial situations,” says Shirley Inscoe, senior analyst at the Aite Group. “This current pandemic is such a situation. If an employee’s spouse loses their income and funds are very tight, even a good employee could be tempted to steal if he or she feels they have nowhere else to turn.” Inscoe’s own research found that employee-related fraud incidents and losses are “up in quite a few financial institutions compared to two years ago.”

Mathieu Auger-Perreault, director of fraud and security at Javelin Strategy & Research, agrees that given the economic downturn and surge in remote workers, “we can expect an increase of insider cases.” He points out that pressure to commit a fraud increases when someone faces financial challenges, and the opportunity to commit fraud may increase with many companies scrambling to deal with moving their workforce remote “without the proper security controls.”

More access, more data, more opportunity

Security often tends to run contrary to convenience, and the convenience and cost savings of cloud platforms may also be making malicious attacks more viable, according to Shareth Ben, executive director for field engineering at Securonix, a cybersecurity vendor that works with five of the top 10 global financial services providers.

“With the adoption of cloud services…the perimeter is becoming more and more porous, which allows for easy data movement between on-premise infrastructure and the cloud,” Ben explains. “Some employees and contractors are misusing their cloud collaboration privileges [through] Box or Google Drive to move data off-premise,” as well as sending it by email to personal external accounts.

Another factor changing the face of the malicious insider threat: The exponential increase in data being collected and stored, as well as a rapidly growing number of access channels. “The more data we have, the more data we have to protect,” says Mike Morris, partner at Wipfli LLP. “The same is true for the increase in the types of devices being used – laptops, smartphones, tablets… We now have to protect all of those.”

It’s also important to note that not all employees are created equal. “There is more [insider] crime coming from the people who have ‘superpower’ rights and privileges,” including system administrators, cyber-tech experts and top executives, according to Victor Orlovski, managing partner of Fort Ross Ventures, a Menlo Park, Calif.-based venture capital firm, and former digital transformation executive for Russia’s Sberbank and Alfa Bank.

These employees have greater access to more valuable data, which more often factors into insider incidents than directly stealing money from the bank, Orlovski maintains. “[This] has more to do with stealing data and then selling that data on the Dark Net,” he adds.

Since the type of data and potential for exposure can vary widely between financial institutions, banks have come to develop “different tolerances for employee fraud and even different definitions of what constitutes employee fraud,” says Inscoe. Some use automated tools to monitor for anomalous activities, she says, while others rely only on manual reviews or certain types of internally created reports. 

While incidents may be on the rise, industry experts believe breaches and theft involving willfully bad employees are outnumbered by those conducted by outsiders or those involving simple employee carelessness. But intentional inside jobs tend to pack a more potent punch. “External threats make up most of the attacks against banks,” says Auger-Perreault, “but malicious insiders can cause major damage.”

For one thing, it typically takes longer to root out a criminal employee than most external intruders. And nefarious insiders – including well-placed third parties – tend to have more precise knowledge about the locations of their employer’s most valuable data and how to get around security measures.

Going forward, especially in times of economic crisis and changing work landscapes, Monson contends that when it comes to monitoring for employee malfeasance “we should be vigilant, because the potential impact is so much higher.” 

Karen Epper Hoffman has been writing about the financial industry for nearly three decades. Her work has appeared in a variety of mainstream business and trade publications in the United States and Europe. She resides in Olympia, Wash.

Want more BAI Banking Strategies? Sign up for our free newsletter.