4 December 2017
Bank Insider for Sale
Bank employees are the industry’s weakest security point, and banks continue to do a poor job of mitigating insider threats. My latest Celent report, Bank Insider for Sale: Analytic Approaches to Deter Bank Insider Threats, recommends that banks deploy more advanced analytic techniques to combat the damage caused by insider crime.
Typically, banks rely on surveillance and monitoring tools that observe and record employee activity in order to detect malicious actions. The drawback of these tools is that they evaluate single events or transactions in isolation, such as the rate of sent email, website visits, the volume of data transferred out, or changes in network permissions. They do not link lateral moves to the actions that follow them, they miss the “low and slow” approach in which every step stays under a per-event threshold, and, more critically, they do not pick up on changes in personal behavior that may indicate an attack is about to happen.
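To make the gap concrete, here is an added illustration (not code from the report or from any bank's monitoring product) that runs two detectors over a constructed activity log. The first is the conventional per-event threshold check; the second accumulates weak indicators per user over a sliding window and alerts only when the score is high enough and spans more than one kind of indicator. The event types, thresholds, and weights are assumptions chosen for the demonstration.

```python
"""Per-event thresholds versus windowed per-user scoring for low-and-slow insider activity."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (hypothetical; not taken from any bank or from the report).
# Each record: (timestamp, user, indicator, value). Values are per-event measurements such as
# megabytes copied to removable media or customer records viewed outside the user's own unit.
SAMPLE_EVENTS = [
    # alice: low and slow. Every single transfer stays under the per-event limit.
    ("2017-11-01 19:40", "alice", "usb_copy_mb", 45),
    ("2017-11-03 20:05", "alice", "usb_copy_mb", 40),
    ("2017-11-06 19:55", "alice", "out_of_unit_records", 30),
    ("2017-11-09 21:10", "alice", "usb_copy_mb", 48),
    ("2017-11-12 20:30", "alice", "out_of_unit_records", 35),
    ("2017-11-15 19:45", "alice", "after_hours_login", 1),
    ("2017-11-18 20:00", "alice", "usb_copy_mb", 42),
    ("2017-11-21 21:15", "alice", "permission_change", 1),
    ("2017-11-24 20:10", "alice", "usb_copy_mb", 47),
    # bob: one large transfer, the kind a per-event threshold does catch.
    ("2017-11-10 14:00", "bob", "usb_copy_mb", 900),
    # carol: ordinary daytime activity.
    ("2017-11-02 10:00", "carol", "usb_copy_mb", 5),
    ("2017-11-16 11:30", "carol", "out_of_unit_records", 2),
]

# Single-event limits of the kind a conventional monitoring tool applies (assumed values).
PER_EVENT_LIMITS = {"usb_copy_mb": 500, "out_of_unit_records": 100}

# Lower "notable" levels and weights for the windowed scorer. An event at or above the
# notable level counts as a weak indicator. Weights are illustrative, not from the report.
NOTABLE = {
    "usb_copy_mb": (25, 1.0),
    "out_of_unit_records": (20, 1.5),
    "after_hours_login": (1, 0.5),
    "permission_change": (1, 2.0),
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def per_event_alerts(events, limits=PER_EVENT_LIMITS):
    """Conventional detection: flag a user only when one event exceeds its limit."""
    return [(user, kind, value)
            for _, user, kind, value in events
            if kind in limits and value > limits[kind]]


def windowed_alerts(events, window_days=30, score_limit=6.0, min_kinds=2, notable=NOTABLE):
    """Low-and-slow detection: sum weak indicators per user over a sliding window and
    alert when the score reaches the limit AND covers at least min_kinds indicator types.
    Returns {user: (score at first alert, sorted indicator kinds in the window)}."""
    hits = defaultdict(list)
    for ts, user, kind, value in sorted(events, key=lambda e: _parse(e[0])):
        if kind in notable and value >= notable[kind][0]:
            hits[user].append((_parse(ts), kind, notable[kind][1]))

    window = timedelta(days=window_days)
    alerts = {}
    for user, user_hits in hits.items():
        for i, (t_end, _, _) in enumerate(user_hits):
            in_window = [h for h in user_hits[: i + 1] if t_end - h[0] <= window]
            score = sum(weight for _, _, weight in in_window)
            kinds = {kind for _, kind, _ in in_window}
            if score >= score_limit and len(kinds) >= min_kinds:
                alerts[user] = (round(score, 1), sorted(kinds))
                break  # report the first time the user crosses the line
    return alerts


if __name__ == "__main__":
    print("per-event:", per_event_alerts(SAMPLE_EVENTS))
    print("windowed: ", windowed_alerts(SAMPLE_EVENTS))
```

On this sample the per-event check flags only bob's single 900 MB copy, while the windowed scorer flags alice on 12 November, after five small events of two different kinds, and never sees bob at all because one event contributes only one weight. Neither detector is sufficient on its own; the practical arrangement is to run both, and to feed the windowed score with the behavioral indicators as well as the activity ones.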
Banks have plenty of time to detect and prevent an insider attack, but they do not take advantage of it. On average, more than five years elapse between an employee’s hiring and the identified start of the attack, and the attack then takes an average of almost 32 months to be detected by the organization. Banks’ efforts remain focused on catching the culprit after the crime has been committed.
If banks combine nontechnical methods, education, and user activity surveillance with more advanced analysis of personal behavior, they have a better chance of spotting the attributes that indicate the ideation and planning of an attack.
The figure shows examples of personal behavior indicators of an insider who is about to commit financial fraud against the bank.
Insider threats are complex, destructive, and daring, and there are serious consequences to ignoring the problem. The report concludes that an effective insider threat program is built on a comprehensive ontology of insider threat analytic indicators derived from the analysis of user activity and personal behavioral attributes. Using this analysis, banks can put in place powerful technical and nontechnical controls and detection methods that significantly improve their ability to mitigate insider threats.