BankInfoSecurity.com - Banking Information Security News, Regulations, & Education
Protect Your Data Against The Insider Threat
April 13, 2007 - Linda McGlasson, Managing Editor


While most financial institutions guard against the external threat of hackers, malware, and network intrusions, there is an insidious insider threat that lies hidden inside the walls of financial institutions. According to Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, much more can be done to mitigate this unseen threat.

BIS: Where is one of the places insider threats remain unchecked at Financial Institutions?

COLE: In a bank or credit union, one area I've seen hit most is at the mid- to lower-manager levels of operations areas, such as teller supervisors, or in the processing areas. They are typically the ones who have 20 or 30 tellers working under them and so have a good amount of account data to tap into. While many Financial Institutions look at the VP level or higher director levels to screen access, or at the teller level to look at theft losses, the mid-level managers have some pretty intense access. I've seen that it's the one in the middle that is causing the most damage.

BIS: What about catching a potential insider threat employee during the background check?

COLE: In any area where you're hiring someone, even a teller, where you're not hiring someone with three master's degrees, there are some things to look for. Length of work record, especially if they've worked at other institutions, is a good indicator for hiring managers and HR. Having said that, getting a job as a teller in some growth areas isn't as hard as it may sound. The last three banks I visited had ads in their lobbies saying they were hiring tellers. So many banks and credit unions are actively hiring for teller positions.

One thing I will add: just thinking that a teller will take money is not the entire scenario. Tellers do have access to customer account information, including customer account numbers. Imagine a customer comes in, fills out a deposit slip, and then the teller tells them, 'Can you write out your account number on this slip of paper because I can't make out the numbers on the deposit slip?' Then, once done, the teller slips the piece of paper into their pocket, and no one is the wiser. Because it was written down, it's only a duplicate copy; they didn't do anything suspicious. After 20 or more account numbers are taken this way, the teller then gives this information to a third party to siphon off money through withdrawals at a different branch. And to track that loss via a third-party conspirator all the way back to an individual teller would be hard, unless there was only one transaction made. So don't just think that tellers should be watched for monetary theft; it's the data theft that also may be happening.

BIS: What are some of the most overlooked insider attack vectors at Financial Institutions?

COLE: I would say that the most overlooked insider attack vector, especially in Financial Institutions, is not controlling access properly. Moving up the ladder from tellers, many managers have access to a lot more information than what they need to do their job.

They can log in and go into a system, and bring up entire account information and account histories. For example, one insider theft case that I worked on involved the manager of the tellers at the institution. She looked for dormant activity accounts, usually with assets of $80,000 or more. Typically these accounts were owned by elderly people or retirees who kept their retirement savings in checking or savings accounts but rarely drew money out of these accounts or checked their balances. This manager went into these accounts and turned off the automatic statement mailings that would be mailed each month, and later she went and slowly skimmed money off the accounts.

How would the bank know that something like this is happening, especially if a manager was given full access to accounts? The rule of least privilege is the answer for this: grant access only to the information needed to perform their job functions, and break up the amount of information being accessed on accounts over several positions.
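The dormant-account case above has a recognisable footprint in a core-banking audit trail: a staff-initiated change that suppresses statements on a high-balance account with no customer activity, followed by staff-initiated withdrawals on that same account. The detection check below is an added example, not code from the article or from any institution Cole investigated; the event schema, the 180-day dormancy window and the sample log are assumptions constructed for illustration, while the $80,000 balance threshold is taken from the case as described.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Event:  # assumed audit-log shape, not any real core-banking format
    day: date
    account: str
    actor: str      # employee id, or "CUSTOMER" for customer-initiated activity
    action: str     # "deposit", "withdrawal" or "statements_off"
    amount: float = 0.0

DORMANT_DAYS = 180      # assumed: no customer activity for this long means dormant
MIN_BALANCE = 80_000.0  # balance threshold from the case described in the interview

def flag_dormant_skimming(events, balances, today):
    """Return {account: details} for dormant, high-balance accounts where staff
    switched statement mailing off and afterwards made withdrawals."""
    by_acct = {}
    for e in sorted(events, key=lambda e: e.day):
        by_acct.setdefault(e.account, []).append(e)
    findings = {}
    for acct, evs in by_acct.items():
        if balances.get(acct, 0.0) < MIN_BALANCE:
            continue
        last_customer = max((e.day for e in evs if e.actor == "CUSTOMER"), default=None)
        if last_customer and (today - last_customer).days < DORMANT_DAYS:
            continue  # the customer is active and would notice missing statements
        stmt_off = [e for e in evs if e.action == "statements_off" and e.actor != "CUSTOMER"]
        if not stmt_off:
            continue  # statements still reach the customer; nothing to hide behind
        staff_wd = [e for e in evs if e.action == "withdrawal"
                    and e.actor != "CUSTOMER" and e.day > stmt_off[0].day]
        if staff_wd:
            findings[acct] = {"statements_disabled_by": stmt_off[0].actor,
                              "withdrawals": len(staff_wd),
                              "total": round(sum(e.amount for e in staff_wd), 2)}
    return findings

TODAY = date(2007, 4, 13)
SAMPLE_EVENTS = [  # constructed sample log; the ids and amounts are made up
    Event(TODAY - timedelta(days=400), "ACCT-1001", "CUSTOMER", "deposit", 500.0),
    Event(TODAY - timedelta(days=60), "ACCT-1001", "EMP-207", "statements_off"),
    Event(TODAY - timedelta(days=45), "ACCT-1001", "EMP-207", "withdrawal", 900.0),
    Event(TODAY - timedelta(days=15), "ACCT-1001", "EMP-207", "withdrawal", 1200.0),
    Event(TODAY - timedelta(days=10), "ACCT-2002", "CUSTOMER", "withdrawal", 300.0),  # active
    Event(TODAY - timedelta(days=5), "ACCT-2002", "EMP-207", "statements_off"),
    Event(TODAY - timedelta(days=300), "ACCT-3003", "CUSTOMER", "deposit", 100.0),
    Event(TODAY - timedelta(days=20), "ACCT-3003", "EMP-118", "withdrawal", 70.0),  # statements on
]
SAMPLE_BALANCES = {"ACCT-1001": 95_000.0, "ACCT-2002": 120_000.0, "ACCT-3003": 85_000.0}
```

Only ACCT-1001 is flagged: ACCT-2002 still has customer activity, and ACCT-3003 never had its statements suppressed, so a manager with legitimate full access who merely touches a dormant account is not reported.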

BIS: What are some other areas financial institutions should look at within their operations when mitigating the insider threat?

COLE: I've already mentioned improper access and separation of duties; the second most troubling issue I've seen is the porous data streaming across different areas at institutions. Data is everywhere, available at different locations, across branches and by remote access. Data is strapped to the waist of mobile professionals on their PDAs and on laptops, and even email carries sensitive information that, if not properly encrypted, could fall into the hands of an insider.

Copyright © 2010 BankInfoSecurity.com an ISMG Corp. company.