Wanted: who is the most dangerous employee in a bank?

06.12.2019


Every employee works with different information, handles data at rest and data in use, has their own tasks and uses specific tools. This specificity effectively ranks employees by the level of risk they pose. Here is who made the list:

Executives

Because they have no time for security, are not directly responsible for user behaviour analytics, and the decision-making and project risk management tools they rely on are rarely designed with data safety in mind. This applies to any industry, not just banking.

Managers acknowledge the importance of the specialists responsible for risk identification and evaluation, but in practice they ignore safety rules. For example, they accept the default privacy settings without even looking at them, or they use weak passwords. Some executives always use the same password, and when a change is required they change only the last character. They can be understood: time is short and there is a lot to do, and incident reporting software is not the first thing on their minds.

Everything gets more complicated because managers have access to almost all company resources. Even when C-level managers do not use specialised corporate services or access databases directly, they receive the most important excerpts of the information that has been analysed, and fraudsters are often more interested in those excerpts than in the database itself. The development strategy and the company's objectives are uniquely valuable, so an executive is a target by default.

Mobility is another key aspect. Managers do not work in the office all the time; they travel on business and use mobile devices. These devices store a lot of confidential information, and executives often neglect passwords and screen locks. A device can be left behind in an airport waiting room, and the information on it can be stolen before the security team learns of the loss and takes action. Remote work demands rigorous security measures, and employee monitoring can easily suffer. How to monitor remote employees – learn here.

What can security specialists do to make executives aware? They need to establish contact and convey the importance of following the rules. It is difficult, takes time and is not always rewarding, since some executives are not receptive, but it is necessary.

IT specialists

These people manage the entire corporate infrastructure. IT specialists understand security risk assessment and its intricacies better than anyone, but they can also make mistakes or fall victim to manipulation. Such an error can cost more than an incident caused by a clerk.

Negligence is one of the most common scenarios with IT professionals in the leading role: they may forget to update a system, or forget to block the account of a former employee. Sometimes such errors are expensive. The human factor is just as much a cause: there have been cases where system administrators abused their rights deliberately.
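The former-employee account left enabled is the kind of omission a periodic reconciliation catches. The script below is an added example and is not code from the original post or its author: it joins a constructed HR leavers list against a constructed directory export (the field names `sam`, `employee_id`, `enabled`, `last_logon` and `admin` are assumptions) and flags accounts still enabled after the termination date, accounts that logged on after termination, accounts with no HR record at all, and active-but-unused accounts.

```python
"""Reconcile an HR leavers list against directory accounts and flag stale ones.
Added example, not from the original post; the roster, the account export and
the field names are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed HR data: employee id -> termination date (None = still employed).
HR_TERMINATIONS = {
    "E1001": date(2019, 11, 15),
    "E1002": None,
    "E1003": date(2019, 11, 29),
    "E1004": date(2019, 10, 1),
}

# Constructed directory export, one record per account (field names assumed).
ACCOUNTS = [
    {"sam": "jdoe", "employee_id": "E1001", "enabled": True,
     "last_logon": "2019-11-20T08:12:00", "admin": True},
    {"sam": "asmith", "employee_id": "E1002", "enabled": True,
     "last_logon": "2019-08-01T17:40:00", "admin": False},
    {"sam": "bwong", "employee_id": "E1003", "enabled": False,
     "last_logon": "2019-11-28T09:00:00", "admin": False},
    {"sam": "svc_backup", "employee_id": "E1004", "enabled": True,
     "last_logon": None, "admin": True},
    {"sam": "orphan1", "employee_id": "E9999", "enabled": True,
     "last_logon": "2019-06-01T12:00:00", "admin": False},
]

REVIEW_DATE = date(2019, 12, 6)  # constructed "today" so results are stable


@dataclass
class Finding:
    account: str
    reason: str
    severity: str


def parse_ts(s: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(s) if s else None


def review_accounts(accounts, terminations, today: date, stale_days: int = 90):
    """Return one Finding per problem; admin accounts are rated higher."""
    findings = []
    for acct in accounts:
        sam = acct["sam"]
        term = terminations.get(acct["employee_id"], "unknown")
        last = parse_ts(acct["last_logon"])
        sev = "high" if acct["admin"] else "medium"
        if term == "unknown":
            # Nobody in HR owns this account: classic orphan / ghost account.
            findings.append(Finding(sam, "no matching HR record (orphaned account)", sev))
            continue
        if term is not None:
            if acct["enabled"]:
                days = (today - term).days
                findings.append(Finding(sam, f"still enabled {days} days after termination on {term}", sev))
            if last and last.date() > term:
                # Use after leaving is an incident, not just hygiene.
                findings.append(Finding(sam, f"logon at {last.isoformat()} after termination on {term}", "high"))
            continue
        # Active employee: an enabled account nobody uses is an easy target.
        if acct["enabled"] and (last is None or (today - last.date()).days > stale_days):
            findings.append(Finding(sam, f"enabled but no logon in {stale_days} days", "low"))
    return findings


def run_review():
    return review_accounts(ACCOUNTS, HR_TERMINATIONS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity:6}] {f.account}: {f.reason}")
```

In practice the roster comes from the HR system and the account list from the directory (for example a CSV export), and the job runs daily; the review date is pinned here only so the output is reproducible.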

In one case, a system administrator quit after his request for a promotion was denied and decided to take revenge. He planted a logic bomb in the corporate infrastructure which was activated two weeks after his dismissal and erased the configuration of the network equipment. Work was sabotaged: employees could not send or receive email or visit websites, and incoming calls to sales managers were forwarded to an executive. It took a month to restore the systems, and it would have taken even longer without file recovery.

When working with IT specialists, bear in mind that their main task is to keep services running and available, which does not always align with security measures. The two departments should therefore keep up a continuous dialogue; this improves business processes.

How to minimise the risks of working with IT specialists? Assess not only their professional competence: consider reliability and monitor loyalty, both when hiring and afterwards. This matters because a good IT specialist can find a way around technical controls. Such risks must be accepted and mitigated by specific methods. Security and decision management tools are necessary, but it is just as important to build relationships and control the human factor.

Back office employees

These are the people who process incoming requests for account statements and other operations, manage various banking services, and correspond with customers, contractors and third parties. Their email addresses can be an entry point for outside scammers. For example, a letter from the tax office arrives in the accounting department. The accountant becomes worried, opens it and reads it carefully. The sender is a scammer who forged a valid tax office address and attached malware to the letter. Spyware is installed on the accountant's computer and collects sensitive information.
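A forged "valid tax office address" is exactly what sender alignment checks exist to catch. The code below is an added example, not code from the original post or its author: it evaluates a message the way a DMARC-aware gateway would, using the Authentication-Results header written by the organisation's own border MTA (the authserv-id `mx.bank.example`, the domains and all three messages are constructed), and additionally flags a display name claiming to be a tax office when the sending domain is not on a trusted list. The organisational-domain logic takes the last two labels, which is an assumption that is wrong for suffixes like `co.uk`; a real implementation uses the public suffix list.

```python
"""Spoofed-sender check in the spirit of DMARC alignment. Added example,
not from the original post; the headers are constructed and the org-domain
logic (last two labels) is a simplification of the public suffix list."""
import email
import re
from email.utils import parseaddr

AUTHSERV_ID = "mx.bank.example"  # assumed id of our own border MTA


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels (no PSL lookup).
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def aligned(d1: str, d2: str, strict: bool = False) -> bool:
    if not d1 or not d2:
        return False
    return d1.lower() == d2.lower() if strict else org_domain(d1) == org_domain(d2)


def parse_auth_results(value: str, authserv_id: str = AUTHSERV_ID):
    """Pull spf/dkim verdicts and domains out of Authentication-Results.
    Only the header stamped by our own MTA is trusted: an attacker can
    add an Authentication-Results header of their own to the message."""
    out = {"spf": None, "spf_domain": None, "dkim": None, "dkim_domain": None}
    clauses = value.split(";")
    if clauses[0].strip() != authserv_id:
        return out
    for clause in clauses[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2)
        out[method] = result
        dm = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=(?:[^\s;@]*@)?([\w.-]+)", clause)
        if dm:
            out[method + "_domain"] = dm.group(1)
    return out


def assess(raw: str, trusted_tax_domains=()):
    """Return a verdict dict for one raw message (headers + body)."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    _, rp = parseaddr(msg.get("Return-Path", ""))
    rp_domain = rp.rsplit("@", 1)[-1] if "@" in rp else ""
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    # DMARC passes if either SPF or DKIM passed *and* its domain aligns with From.
    spf_pass = ar["spf"] == "pass" and aligned(ar["spf_domain"] or rp_domain, from_domain)
    dkim_pass = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain)
    reasons = []
    if not (spf_pass or dkim_pass):
        reasons.append("alignment failed: neither aligned SPF nor aligned DKIM passed")
    if rp_domain and not aligned(rp_domain, from_domain):
        reasons.append(f"Return-Path domain {rp_domain} does not match From domain {from_domain}")
    # Alignment says nothing about look-alike domains, so check the claimed brand too.
    if trusted_tax_domains and re.search(r"tax", display, re.I) \
            and org_domain(from_domain) not in trusted_tax_domains:
        reasons.append(f"display name '{display}' claims a tax office but {from_domain} is not trusted")
    return {"from": from_addr, "suspicious": bool(reasons), "reasons": reasons}


# Constructed messages. PHISH forges the From address; LOOKALIKE owns its
# domain (so it passes alignment) but is not the real tax office.
PHISH = """Return-Path: <bounce@mail-tax-service.example>
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=mail-tax-service.example; dkim=none
From: "Tax Office" <notices@tax.gov.example>
To: accounting@bank.example
Subject: Overdue payment notice

Please open the attached statement.
"""
LEGIT = """Return-Path: <notices@tax.gov.example>
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=tax.gov.example; dkim=pass header.d=tax.gov.example
From: "Tax Office" <notices@tax.gov.example>
To: accounting@bank.example
Subject: Annual reminder

Routine reminder.
"""
LOOKALIKE = """Return-Path: <info@tax-notices.example>
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=tax-notices.example; dkim=pass header.d=tax-notices.example
From: "Tax Office" <info@tax-notices.example>
To: accounting@bank.example
Subject: Statement

See attachment.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("LOOKALIKE", LOOKALIKE)):
        print(name, assess(raw, trusted_tax_domains=("gov.example",)))
```

The third message is the instructive one: it passes SPF, DKIM and alignment because the attacker controls `tax-notices.example`, so only the brand check on the display name flags it. Awareness training and a trusted-sender list cover what the protocol checks cannot.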

Phishing, spoofing, and social engineering are the most popular external attacks that financial institutions have to deal with.

These are the easiest and cheapest ways for outside attackers to harm a business, so banks have to withstand such attacks. To do so, they need to do three things:

Increase employee awareness of potential risks in order to reduce the number of incidents caused by negligence or ignorance of basic security rules.

Take technical measures: implement a comprehensive risk-mitigating solution (systems against information leaks and insider actions) and a SIEM. With these tools, the organisation can monitor security policy violations in real time and prevent them.

Ensure that the specialists responsible for external and internal threat mitigation log all staff actions, so that any violation can be investigated, everyone involved identified and the circumstances assessed.

Clerks

Not cashiers, but those who work with bank clients in the customer area, helping them with deposits, leasing, lending and so on. These employees have a high level of access to confidential information and relatively low salaries. This matters, since many are not averse to earning beyond their agreed pay, and the opportunities exist: bank cards and customer databases are in great demand on the black market. But people who are satisfied with their jobs are much less likely to risk them for a one-time 1,000-dollar gain.

Video recording in the customer area is not a remedy, by the way. The camera records a violation, but studying a 6-hour recording in detail takes specialists about 12 hours, and this is done only when there are suspicions, such as complaints or inconsistencies in paperwork.

And finally, let's be realistic: there is a huge influx of customers in the customer area, so rule violations caused by plain fatigue are also common. It can take half an hour in a bank to answer all the questions needed to prove your identity, and sometimes a clerk checks a passport so cursorily that almost anyone could be the person presenting it. In one case, an employee exported the account activity of ten entrepreneurs from the database, pasted it into the body of an email and sent it to the addresses they had specified, so that the businessmen could compare each other's success. The employee was a good specialist, but he violated banking secrecy rules.

To minimise such risks, security policies must be drawn up for the main types of sensitive data that clerks work with: customer databases, card details and transaction information. Data leak prevention systems can track every operation on such data. These programs can "remember" documents and check the entire data flow against them, or recognise scanned copies of passports and cards. The search possibilities are extensive, and the more precisely the program understands the rules, the more effectively security staff are alerted to suspicious activity.
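The two mechanisms named above, a system that "remembers" documents and checks outbound traffic against them, and real-time detection of policy violations feeding a SIEM (the technical measures listed for back office staff), can be shown together. The code below is an added example and is not the vendor's product code or anything from the original post: it registers a constructed account activity report as a word-shingle fingerprint, scans constructed outbound email bodies for excerpts of it and for Luhn-valid payment card numbers, and emits a SIEM-style event for each hit. The message fields, the event name `dlp.outbound.block` and the thresholds are assumptions.

```python
"""DLP-style scan of outbound email bodies: card numbers by Luhn check and
excerpts of a registered sensitive document by word-shingle fingerprints.
Added example, not the vendor's code; the document, the messages and the
thresholds are constructed."""
import hashlib
import json
import re

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Return masked PANs (first 6, last 4) for every Luhn-valid candidate."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def shingles(text: str, k: int = 4):
    """Hashes of every k-word window: the document's 'memory' in the DLP sense."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(max(0, len(words) - k + 1))}


def register_document(name: str, text: str, store: dict):
    store[name] = shingles(text)


def matching_documents(text: str, store: dict, min_overlap: int = 6):
    sh = shingles(text)
    return [(name, len(sh & fp)) for name, fp in store.items() if len(sh & fp) >= min_overlap]


def scan_outbound(msg: dict, store: dict):
    """Return a SIEM-style event dict for one outbound message, or None if clean."""
    cards = find_cards(msg["body"])
    docs = matching_documents(msg["body"], store)
    if not cards and not docs:
        return None
    return {
        "ts": msg["ts"], "event": "dlp.outbound.block", "user": msg["user"],
        "to": msg["to"], "cards": cards, "documents": [n for n, _ in docs],
        "severity": "high" if docs or len(cards) > 1 else "medium",
    }


# Constructed sensitive report (account numbers are 20-digit bank accounts,
# deliberately outside the card-number length range).
SENSITIVE_DOC = (
    "Account activity report Q3 2019 client Ivanov Trading LLC account 40702810400000012345 "
    "turnover 1250000 incoming 980000 outgoing 270000 client Petrov Logistics account "
    "40702810400000067890 turnover 860000 incoming 640000 outgoing 220000"
)

# Constructed outbound messages: a pasted excerpt, card details, and a clean one.
OUTBOUND = [
    {"ts": "2019-12-06T10:15:00", "user": "clerk07", "to": "ivanov@client.example",
     "body": "Dear all, as discussed here is the comparison: client Ivanov Trading LLC account "
             "40702810400000012345 turnover 1250000 incoming 980000 outgoing 270000 client Petrov "
             "Logistics account 40702810400000067890 turnover 860000 incoming 640000 outgoing 220000. Best"},
    {"ts": "2019-12-06T10:20:00", "user": "clerk07", "to": "me@webmail.example",
     "body": "Card details as requested: 4111 1111 1111 1111 exp 12/22, backup card "
             "5500-0000-0000-0004. Not a card: 1234 5678 9012 3456."},
    {"ts": "2019-12-06T10:25:00", "user": "clerk07", "to": "team@bank.example",
     "body": "Hi, please find attached the agenda for the quarterly meeting. Regards"},
]


def run_demo():
    store = {}
    register_document("account_activity_q3_2019", SENSITIVE_DOC, store)
    return [scan_outbound(m, store) for m in OUTBOUND]


if __name__ == "__main__":
    for ev in run_demo():
        print(json.dumps(ev) if ev else "clean")
```

Fingerprinting by shingles rather than exact hashes is what lets the check fire on a partial copy pasted into an email body; the third message shares no 4-word window with the report and carries no valid card number, so it passes. Masking the card numbers in the event matters because the SIEM itself must not become a second copy of the leaked data.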
