Remote Workers: Increasing the Risk of Insider Threats in Financial Services

By Renee Tarun, deputy CISO, Fortinet

All organizations are susceptible to insider threats. The latest data shows that the number of insider incidents has increased by 47% over the past two years, now affecting more than 34% of businesses. Two-thirds of organizations now consider malicious insider attacks or accidental breaches more likely than external attacks.

Organizations in the financial services sector are a prime target for insider threats because they are more lucrative for the insider. They hold the crown jewels of resaleable data: financial and personal information. Banks store bank account details, credit card numbers, SSNs and other government IDs, and additional personally identifiable information (PII). And they have a lot of it. They process it, transfer it, and store it, whether in the cloud or on-premises.

In most cases, malicious insiders are driven by financial gain. They often look to steal information that can be sold on the Dark Web. While credit card data is common, cards that include a CVV code (the numbers on the back of the card) are worth much more. Banking information combined with PII is also quite valuable. But bank accounts that can transfer funds are worth the most. For cybercriminals, vulnerable banks are a gold mine, making financial services organizations the perfect target. This is why, according to the 2019 Verizon Data Breach Report, 36% of breaches in financial services were the result of an internal threat, which is above the norm for other market sectors.

Insiders Come in Many Forms

An insider threat can be any person connected to your organization. Anyone with company information or access to sensitive information – whether financial, R&D, or customer and sales data – could be an insider. This person could be a present or former employee, a board member, a consultant, or even a bank teller or floor trader – in fact, virtually anyone with access to the office building or sensitive company information, either now or in the past.

The Accidental Insider Threat

The accidental insider is someone who unwittingly becomes an insider, usually through careless or reckless behavior that enables the adversary. Examples include a user falling prey to a social engineering attack, such as a phishing attempt, or engaging in inappropriate behaviors: breaking acceptable use policies, installing unauthorized software or misusing assets, setting up or using Shadow IT, or leveraging unauthorized workarounds.

Careless insiders may also have their user credentials compromised by using easy-to-guess passwords, writing passwords on sticky notes and posting them, reusing a single password for all online resources including personal and work accounts, or a myriad of other careless behaviors. All of these can be, and have been, used by attackers to gain unauthorized access to corporate resources.

Another avenue for providing inadvertent access to online resources can be a complacent IT staff that doesn’t properly patch or configure systems or change default passwords on networked devices.

The Malicious Insider Threat

The malicious insider is someone who intentionally seeks to steal information, disrupt the network or business, or otherwise cause harm to the organization; there are numerous examples. One of the most common malicious insiders is a disgruntled or former employee who is motivated to harm the business. Employees may also be operating as a paid agent for a third party, such as a competitor or nation-state, to engage in cyber espionage by stealing information. And, of course, employees in dire financial circumstances may be tempted to engage in malicious activity to enrich themselves.

The Remote Worker Threat

Users now working from home pose additional risks for financial services organizations that need to be accounted for. For example, users may be connecting to the corporate network through a home or public network that may not be secure. This problem can be compounded when remote workers use personal devices such as computers and printers that may not be secure and may even be used by others. And if a device is lost or stolen, it can be difficult or impossible to secure any data stored on that device.

Working in isolation also makes it easier to fall victim to social engineering attacks, as you can’t simply walk over to a supervisor or the IT department to ask whether or not something is legitimate. And with less restriction, oversight, and engagement, remote employees have increased opportunities to engage in activities that might undermine corporate trust, expose information, and put the company and its data at risk. Nefarious employees may be especially tempted to do things that they wouldn’t otherwise try to do in the office, such as attempting to gain unauthorized access to data repositories.

And from an IT perspective, increased traffic logs from external connections mean more event data to review, often by overtaxed IT teams trying to manage an entire workforce in transition, which means malicious activity could fall through the cracks.

Managing the Risk

Insider threats are one of the most challenging attack vectors to manage because trusted users who require authorized access to specific networks, data, and other connected resources are also the very users who may cause damage to those same networks and data.

Addressing the challenges posed by insider risks, especially by remote workers, requires an active strategy that includes the following six steps:

  1. Enable Secure Remote Access: Deploy SSL VPN capabilities with strong authentication to enable employees to securely connect to the corporate network and data repositories from remote locations.
  2. Maintain Visibility and Access Control: Deploying network access control technologies can provide visibility, control, and automated response for everything that connects to the network. It helps IT teams discover every user, application, and device on your network. And once devices are correctly identified and classified, you can restrict user access to only those resources necessary for them to do their job.
  3. Protect Endpoints: As a common attack vector, endpoints need to be regularly assessed for vulnerabilities and advanced threats. They also need security solutions installed, such as EDR (endpoint detection and response) solutions that can stop breaches and malware in real time, combined with a holistic security framework that can automatically identify, respond to, and remediate incidents to protect data, ensure system uptime, and preserve business continuity.
  4. Continuously Monitor: Ensure your security staff is leveraging SIEM and SOAR technologies to monitor and alert on unusual login attempts, unexplainably large data transfers, or other behaviors that seem out of the norm for systems and users.
  5. Encrypt Data: All sensitive data stored on employee devices, as well as data stored elsewhere, should be encrypted. Where that is not possible, remote workers should be prohibited from storing data on their devices.
  6. Educate the Workforce: Employees need to be regularly educated on expectations and policies related to secure remote access. Also provide additional awareness training on good cyber hygiene and on social engineering attacks delivered via phishing, smishing, and vishing.
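To make step 4 concrete, the following is an added example written for this page; it is not code from the original article or from Fortinet. It runs the three checks the step calls for (unusual login attempts, logins from a country the user has not used before or outside business hours, and unexplainably large outbound transfers) over a handful of constructed VPN and file-transfer log lines. The `key=value` log format, the field names, the business-hours window and the thresholds are all assumptions; a real SIEM rule would read the same signals from the organisation's own VPN and DLP sources.

```python
"""
Added example (not from the original article): a small detection routine that
applies step 4 above to constructed log lines. It flags
  (a) a successful login that follows a burst of failed attempts,
  (b) a successful login from a country the user has not used before, or
      outside the assumed business-hours window, and
  (c) a user whose outbound transfer volume over the window exceeds a threshold.
The log format, field names, window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "key=value" format (UTC timestamps).
SAMPLE_LOGS = """\
ts=2020-06-01T09:12:03Z event=vpn_login user=alice src_country=GB result=success
ts=2020-06-01T09:40:10Z event=file_transfer user=alice bytes=5242880 direction=out
ts=2020-06-01T10:05:44Z event=vpn_login user=bob src_country=GB result=success
ts=2020-06-01T23:58:01Z event=vpn_login user=bob src_country=GB result=success
ts=2020-06-02T03:14:22Z event=vpn_login user=alice src_country=RO result=success
ts=2020-06-02T03:20:09Z event=file_transfer user=alice bytes=734003200 direction=out
ts=2020-06-02T03:25:15Z event=file_transfer user=alice bytes=838860800 direction=out
ts=2020-06-02T08:00:00Z event=vpn_login user=carol src_country=GB result=failure
ts=2020-06-02T08:00:07Z event=vpn_login user=carol src_country=GB result=failure
ts=2020-06-02T08:00:15Z event=vpn_login user=carol src_country=GB result=failure
ts=2020-06-02T08:00:21Z event=vpn_login user=carol src_country=GB result=failure
ts=2020-06-02T08:00:30Z event=vpn_login user=carol src_country=GB result=failure
ts=2020-06-02T08:00:38Z event=vpn_login user=carol src_country=GB result=success
"""

BUSINESS_HOURS = range(7, 20)            # assumed: 07:00-19:59 UTC
TRANSFER_THRESHOLD = 500 * 1024 * 1024   # assumed: 500 MiB outbound per user per window
FAILED_BEFORE_SUCCESS = 5                # assumed: failures that make a success suspicious


def parse_line(line):
    """Split one 'key=value key=value' line into a dict; parse the timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyse(log_text):
    """Return a sorted list of (user, alert) tuples for the supplied log text."""
    alerts = set()
    seen_countries = defaultdict(set)   # countries each user has logged in from so far
    out_bytes = defaultdict(int)        # outbound bytes per user over the whole window
    failures = defaultdict(int)         # consecutive failed logins per user

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev["user"]

        if ev["event"] == "vpn_login":
            if ev["result"] == "failure":
                failures[user] += 1
                continue
            # Successful login: evaluate it against the failure streak, the
            # user's login history and the business-hours window.
            if failures[user] >= FAILED_BEFORE_SUCCESS:
                alerts.add((user, "success after %d failures" % failures[user]))
            failures[user] = 0
            country = ev["src_country"]
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.add((user, "login from new country %s" % country))
            seen_countries[user].add(country)
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.add((user, "login outside business hours at %s"
                            % ev["ts"].strftime("%H:%M")))

        elif ev["event"] == "file_transfer" and ev["direction"] == "out":
            out_bytes[user] += int(ev["bytes"])

    # Volume check runs once per user after the whole window has been read.
    for user, total in out_bytes.items():
        if total > TRANSFER_THRESHOLD:
            alerts.add((user, "outbound transfer %.0f MiB exceeds threshold"
                        % (total / 2 ** 20)))
    return sorted(alerts)


if __name__ == "__main__":
    for user, alert in analyse(SAMPLE_LOGS):
        print("%-6s %s" % (user, alert))
```

On the constructed lines this raises five alerts: alice's night-time login from a country she has not used before followed by roughly 1.5 GiB of outbound transfer, bob's login just before midnight, and carol's success after five consecutive failures. The first-seen-country check deliberately stays silent on a user's very first login, which is the usual trade-off between a cold start and false positives; in production the baseline would be seeded from historical data rather than from the window being analysed.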

Rapid Change Increases Risk

Insider threats are a serious concern for financial institutions, and today the risk is higher than ever. Critical circumstances have required organizations to quickly transition to alternate work environments to maintain business continuity. However, organizations that had not prepared to move their workforce to a remote setting as part of their BCDR plans were caught trying to make a significant change in a highly compressed amount of time. As a result, even if external security controls remained in place to keep out external cybercriminals, security gaps that insiders can exploit may still have crept into the environment.

By refining their security protocols, including following the six steps outlined above, organizations can close the gap on insider threats so that business continuity can be maintained and critical customer and institutional information can be protected.


ISO 20022 migration: full speed ahead despite recent delays, says new Deutsche Bank paper

Today, Deutsche Bank has released the third installment in its “Guide to ISO 20022 migration” series, which offers a comprehensive update on the industry shift to the de facto global standard for financial messaging: ISO 20022. This paper comes at a critical time for the ISO 20022 migration, with a number of changes to existing timelines and strategies from SWIFT and the world’s major market infrastructures having been announced this year.

The paper explores the latest developments, including SWIFT’s year-long postponement of the migration in the correspondent banking space. The decision meets industry calls for a delay and also provides ample time to build the new central Transaction Management Platform (TMP) – a core feature of SWIFT’s new strategy that will allow the industry to move away from point-to-point messaging and towards central transaction processing.

It also details the wave of action that has been seen by market infrastructures around the world – with many, including the ECB, EBA CLEARING and the Bank of England, announcing revised migration approaches.

“Now more than ever, with shifting timelines and strained resources, it is vital that banks and corporates alike do not view the ISO 20022 migration as just another project that can be put on the back burner,” says Christian Westerhaus, Head of Cash Products, Cash Management, Deutsche Bank. “The delays in the correspondent banking space, and across several market infrastructures, should not be seen as an opportunity for banks to take their foot off the pedal. The journey to ISO 20022 is still moving ahead at speed – and internal projects need to reflect this.”

The Guide also highlights the implementation issues on the migration journey ahead – most notably surrounding interoperability between market infrastructures, usage guidelines and messaging formats. This is achieved through a series of deep dives, case studies, and points of attention drawn from Deutsche Bank’s internal analysis.

“As this year has proved, nothing is set in stone,” says Paula Roels, Head of Market Infrastructure & Industry Initiatives, Deutsche Bank. “The ISO 20022 migration involves a lot of moving parts and keeping abreast of the latest developments is critical for banks and corporates alike. As the deadlines near, and the ISO 20022 story develops, this series of guides will continue to highlight key points for consideration over the coming years.”



The Psychology Behind a Strong Security Culture in the Financial Sector

By Javvad Malik, Security Awareness Advocate at KnowBe4

Banks and financial industries are quite literally where the money is, positioning them as prominent targets for cybercriminals worldwide. Unfortunately, regardless of investments made in the latest technologies, the Achilles’ heel of these institutions is their employees. Oftentimes, a human blunder is found to be a contributing factor to a security breach, if not the direct source. Indeed, in the 2020 Verizon Data Breach Investigations Report, miscellaneous errors were found vying closely with web application attacks for the top cause of breaches affecting the financial and insurance sector. A secretary may forward an email to the wrong recipient, or a system administrator may misconfigure firewall settings. Perhaps a user clicks on a malicious link. Whatever the case, the outcome is equally dire.

Having grown acutely aware of the role that people play in cybersecurity, business leaders are scrambling to establish a strong security culture within their own organisations. In fact, for many leaders across the globe, realising a strong security culture is of increasing importance, not solely for fear of a breach, but as fundamental to the overall success of their organisations – be it to create customer trust or enhance brand value. Yet, the term lacks a universal definition, and its interpretation varies depending on the individual. In one survey of 1,161 IT decision makers, 758 unique definitions were offered, falling into five distinct categories. While all important, these categories taken apart only feature one aspect of the wider notion of security culture.

With an incomplete understanding of the term, many organisations find themselves inadvertently overconfident in their actual capabilities to fend off cyberthreats. This speaks to the importance of building a single, clear and common definition through which organisations can learn from one another, benchmark their standing and construct a comprehensive security programme.

Defining Security Culture: The Seven Dimensions

In an effort to measure security culture through an objective, scientific method, the term can be broken down into seven key dimensions:

  • Attitudes: Formed over time and through experiences, attitudes are learned opinions reflecting the preferences an individual has in favour or against security protocols and issues.
  • Behaviours: The physical actions and decisions that employees make which impact the security of an organisation.
  • Cognition: The understanding, knowledge and awareness of security threats and issues.
  • Communication: Channels adopted to share relevant security-related information in a timely manner, while encouraging and supporting employees as they tackle security issues.
  • Compliance: Written security policies and the extent that employees adhere to them.
  • Norms: Unwritten rules of conduct in an organisation.
  • Responsibilities: The extent to which employees recognise their role in sustaining or endangering their company’s security.

All of these dimensions are inextricably interlinked; should one falter so too would the others.

The Bearing of Banks and Financial Institutions

Collecting data from over 120,000 employees in 1,107 organisations across 24 countries, KnowBe4’s ‘Security Culture Report 2020’ found that the banking and financial sectors were among the best performers on the security culture front, with a score of 76 out of 100. This comes as no surprise, seeing as they manage highly confidential data and have thus developed a long tradition of risk management as well as extensive regulatory oversight.

Indeed, the security culture posture is reflected in the sector’s well-oiled communication channels. As cyberthreats constantly and rapidly evolve, it is crucial that effective communication processes are implemented. This allows employees to receive accurate and relevant information with ease, which in turn affects the organisation’s ability to prevent as well as respond to a security breach. In IBM’s 2020 Cost of a Data Breach study, the average reported time to detect a data breach is 207 days, with an additional 73 days to resolve the situation. This compares with the financial industry’s 177 and 56 days.

Moreover, with better communication follows better attitude – both banking and financial services scored 80 and 79 in this department, respectively. Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort. It is also a means of boosting morale and inspiring greater employee engagement. As earlier mentioned, attitudes are evaluations, or learned opinions. Therefore, by keeping employees informed as well as motivated, they are more likely to view security best practices favourably, adopting them voluntarily.

Predictably, the industry ticks the box on compliance as well. The hefty fines issued by the Information Commissioner’s Office (ICO) in the past year alone, including Capital One’s $80 million penalty, probably play a part in keeping financial institutions on their toes.

Nevertheless, there continues to be room for improvement. As it stands, the overall score of 76 is within the ‘moderate’ classification, falling a long way short of the desired 90-100 range. So, what needs fixing?

Towards Achieving Excellence

There is often the misconception that banks and financial institutions are well-versed in security-related information due to their extensive exposure to the cyber domain. However, as the cognition score demonstrates, this is not the case: it dawdles in the low 70s. This illustrates an urgent need for improved security awareness programmes within the sector. More importantly, employees should be trained to understand how this knowledge is applied. This can be achieved through practical exercises such as simulated phishing, for example. In addition, training should be tailored to the learning styles as well as the needs of each individual. In other words, a bank clerk would need a completely different curriculum from IT staff working on the backend of servers.

By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognise the impact that their behaviour might have on the company. In cybersecurity, success is achieved when breaches are avoided. In a way, this negative result removes the incentive that typically keeps employees engaged with an outcome. Training methods need to take this into consideration.

Then there are norms and behaviours, found to have strong correlations with one another. Norms are the compass individuals refer to when making decisions and negotiating everyday activities. The key is recognising that norms have two facets, one social and the other personal. The former is informed by social interactions, while the latter is grounded in the individual’s values. For instance, an accountant may connect to the VPN when working outside of the office to avoid disciplinary measures, as opposed to believing it is the right thing to do. Organisations should aim to internalise norms to generate consistent adherence to best practices irrespective of any immediate external pressures. When these norms improve, behaviour will change in tandem.

Building a robust security culture is no easy task. However, the unrelenting efforts of cybercriminals to infiltrate our systems oblige us to press on. While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts: every improvement made in one dimension has a domino effect in others.



Has lockdown marked the end of cash as we know it?

By James Booth, VP of Payment Partnerships EMEA, PPRO

Since the start of the pandemic, businesses around the world have drastically changed their operations to protect employees and customers. One significant shift has been the discouragement of the use of cash in favour of digital and contactless payment methods. On the surface, moving away from cash seems like the safe, obvious thing to do to curb the spread of the virus. But, the idea of being propelled towards an innovative, digital-first, cashless society is also compelling.

Has cashless gone viral?

Recent months have forced the world online, leading to a surge in e-commerce, with UK online sales seeing a rise of 168% in May and steady growth ever since. In fact, PPRO’s transaction engine has seen online purchases across the globe increase dramatically in 2020: purchases of women’s clothing are up 311%, food and beverage by 285%, and healthcare and cosmetics by 160%.

Alongside a shift to online shopping, a recent report revealed that 7.4 million people in the UK are now living an almost cashless life, claiming that changing payment habits have left Britons better prepared for life in lockdown. In fact, according to recent research from PPRO, 45% of UK consumers think cash will be a thing of the past in just five years. And this UK figure reflects a global trend. For example, 46% of Americans have turned to cashless payments in the wake of COVID-19. And in Italy, the volume of cashless transactions has skyrocketed by more than 80%.

More choice than ever before

Whilst the pandemic and restrictions surrounding cash have certainly accelerated the UK towards a cashless society, the proliferation of local payment methods (LPMs) in the UK, such as PayPal, Klarna and digital wallets, have also been a key driver. Today, 31% of UK consumers report they are confident using mobile wallets, such as Apple Pay. Those in Generation Z are particularly keen, with 68% expressing confidence using them[1].

As LPM usage continues to accelerate, the use of credit and debit cards is likely to decline in the coming years. Whilst older generations show an affinity with plastic, younger consumers feel less secure around its usage: 96% of Baby Boomers and Generation X confirmed they feel confident using credit/debit cards, compared to just 75% of Generation Z[2].

Does social distancing mean financial exclusion?

As we hurtle into a digital age, leaving cash in the rearview, there are ramifications of going completely cashless to consider. We must take into consideration how removing cash could disenfranchise over a quarter of our society; 26% of the global population doesn’t have a traditional bank account. Across Latin America, 38% of shoppers are unbanked, and nearly 1 in 5 online transactions are completed with cash. In Africa and the Middle East, only 50% of consumers are banked in the traditional sense, and 12% have access to a credit card. Even here in the UK, approximately 1.3 million UK adults are classed as unbanked, exposing the large number of consumers affected by any ban on cash.

Even when shopping online, many consumers rely on cash-based payments. At the checkout page, consumers are provided with a barcode for their order. They take this barcode (either printed or on their mobile device) to a local convenience store or bank and pay in cash. At that point, the goods are shipped.

There are also older generations to consider. Following the closure of one in eight banks and cashpoints during Coronavirus, the government faced calls to act swiftly to protect access to cash, as pensioners struggled to access their savings. Despite the direction society is headed, there are a significant number of older people that still rely on cash – they have grown up using it. With an estimated two million people in the UK relying on cash for day to day spending, it is important that it does not disappear in its entirety.

Supporting the transition away from cash

Cashless protocols not only restrict access to goods and services for consumers but also limit revenue opportunity for merchants. While 2020 has provided the global economy with one great reason to reduce the acceptance of cash, the payments industry has billions of reasons to offer multiple options that cater to the needs of every kind of shopper around the world.

Whilst it seems younger generations are driving LPM adoption, it is important that older generations aren’t forgotten. If online shops fail to offer a variety of preferred payment methods, consumers will not hesitate to shop elsewhere. With 44% of consumers reporting they would stop a purchase online if their favourite payment method wasn’t available – this is something merchants need to address to attract and retain loyal customers.
