While Holiday Hacks Lurk, the Insider Threat Mustn’t Be Ignored

Addressing Insider Threats in Banking Amid Holiday Cyber Risks

By Ben Bulpett, EMEA Identity Platform Director, SailPoint

The holiday shopping season is in full swing. Online sales are forecast to hit over £32 billion from mid-November to the end of December 2021. However, it’s not all glad tidings; more online shopping equals more sharing of online credentials and greater cyber risk. And this risk is prolific – hackers stole £754 million in the first six months of this year alone.

Where money flows, criminals follow. Methods used by cybercriminals to infiltrate and exploit the swell of online retail are becoming increasingly more sophisticated. For example, almost one-third of UK respondents to a recent survey said they had received emails and messages impersonating retailers over the past year. According to Which?, ‘smishing’ (SMS phishing) increased by 700% in the first six months of 2021.

With most credit card transactions at some point going across the banking network, and with the potential financial impact of customer fraud, banks need to be more alert than ever to who is accessing their systems and data. This isn’t limited to just outsider threats, despite these often dominating the headlines. Concerningly, the banking industry retains the dubious reputation of having the highest rates of insider data breaches across any sector. Not always criminal in nature, even accidental breaches can end in misery for customers and providers alike. Running through so many of these breaches are issues with identity access and security.

While external threats and attacks launched on unsuspecting customers will continue to evolve, banks and financial institutions must ensure their lines of defense remain water-tight. Using AI and machine learning, businesses can put in place appropriate identity security measures to detect unusual behaviour and take immediate action to stop a breach occurring.

Making a list, checking it twice; who has what and why?

Managing internal threat, the risk posed by employees themselves, is not often top of the holiday list, with much focus on what criminals are doing to dupe holiday shoppers. When shopping online, banks need to ensure that both the device and the shopper’s identity are verified. However, with the genuine risk of internal data leaks, banks also need to ensure that the employees tasked with handling data and those who have access to it are appropriately screened and audited.

This starts with ensuring that data is only accessible to those who need to use it. Users with incorrect access privileges are one of the most significant areas of identity fraud. This also includes ex-employees who remain able to access systems due to poor identity and access management practices. Where malicious insiders are provided with access to the data they exploit, such seemingly ‘legitimate’ activity is much harder to detect than that of the brute-force hack.

There are also legacy issues that can lead to innocent leaks, where financial institutions still in the digital transformation process retain pockets of poor practice. Complex organisational structures mean many are still in a hybrid state where spreadsheets and other manual processes continue to sit alongside more sophisticated processes. This provides ample opportunity for unprotected documents that contain sensitive or PII data to be shared incorrectly or misdirected.

Without a complete view of all data access across an organisation, there is no way to uncover such hidden risk. This has been made harder during the pandemic where remote working, furlough, and unprecedented hiring have rapidly changed the employee mix and provided additional access points. With the government continuing to issue Covid-prevention measures in reaction to new variants, this landscape is ever changing, but systems and processes are not adapting at the same rate.

Top of the wish list

Even in the face of such challenges, preventative steps can be taken to mitigate insider threats. For example, IT teams can use automated access and geolocation alerts to spot abnormal behaviours. Made possible through AI and ML-driven security measures, this can be the basis of an agile identity security foundation that learns and adapt as business needs change.

Gaining a full view of customer data is hard when so much of this data is unstructured. We are not dealing with simple transactional data anymore. Indeed, some challenger banks, in particular, are increasingly using biometric authentication such as voice, fingerprint, or video (notwithstanding the recent wave of concern around deep fake technologies) within multi-factor authentication, giving rise to the need to protect extremely sensitive personal data, beyond the financial.

Identity security is a cybersecurity tactic that delivers a holistic view of data access in an organisation, with a pure view of all identities, their permissions, and actions. This provides greater visibility over each application, data repository, cloud service, and internal platform, reducing the risk of password duplication, permissions creep, and over-provisioning.

While much attention is on the risk posed by external holiday hacks and scams, the ongoing risk posed by the insider threat cannot be ignored. Identity security must be top of the wish list for banks seeking to shore up defenses against potential breaches or hacks. Any criminal activity that results in customers losing funds or having sensitive data comprised is clearly of the utmost concern to banks, both given regulatory fines incurred as well as major reputational damage. However, where that criminality results from poor internal controls and identity security, it is almost unforgivable.

During this holiday season, financial institutions, of course, must be alert and responsive to new scams and sophisticated external attacks. The risk is that this facilitates a blind spot, where they fail to see the threat sitting at their own table.