While there is lots of buzz about protecting your organization from external threats (foreign hackers, competitor espionage), "insiders" like these bank employees are positioned to do the most harm. These folks are given legitimate access to data and systems and trained on security protocols as a necessity of the job. Hence, insiders know exactly what the most valuable assets are, they know where they are located, and they probably also know how they are protected.
Where Does Insider Threat Thrive?
Risks emerge when certain conditions are present, including a feeling of disconnect between the organization and the individual employee ("they don't care about me, why should I care about them"), outright disgruntlement, a cultural environment that condones or ignores corruption, a lack of transparency at the institutional level, and a pattern of mild/downplayed reactions to prior incidents.
Traditional network security protocols - password protection, user access monitoring, and other tech solutions - can help, but don't get at the underlying causes of the problem. They serve their purpose, but clearly aren't the right place to start safeguarding a bank from insider threat. Instead, think of insider threat as an operations problem. This approach will help you uncover the source of the problem in order to create a lasting solution.
Where Do Many Organizations Go Wrong?
For example: A branch manager learns that two tellers at his bank have been illicitly withdrawing funds from customers' accounts. His wrong (but understandable) reaction is to quietly dismiss them from their jobs, reimburse the customers, and go about hiring new tellers who seem more honest. The manager might even add an approval step to the standard operating procedure, so that all tellers are now required to have a manager "sign off" before executing a withdrawal.
Unfortunately, this is not only a shortsighted solution, but one that will almost certainly have a negative and lasting impact on internal culture, operational efficiency, and customer satisfaction. The manager smoothed over all of the symptoms, but failed to fix any of the real problems, so his actions have now created an even more fertile environment for the core problem to take root and grow.
If the bank's leadership had taken an investigative risk assessment approach, they may have learned that:
- The existing vetting process for tellers does not assess risk level for corruption and/or bribery, or uncover if the candidate has a criminal history,
- Many of the tellers and some of the managers were aware of the crime while it was occurring (rendering the new manager approval policy largely useless),
- There was a general consensus among employees that they were underpaid and under appreciated, making it easy for those in the know to rationalize stealing, and
- It was easy to get away with this crime because protocol directed managers to avoid any possible bad PR.
These systemic problems are certainly not solved by swapping out employees - in fact, it only reinforces the reigning belief system that the bank views them as disposable.
There is no silver bullet to fight insider threat, and it is impossible to achieve 100% safeguard from risk, since the risk depends in some part on human nature. However: it is absolutely possible to optimize operational processes and drastically improve an organization's ability to prevent, detect, and remediate insider threat.