The Threat from Within

The Threat from Within

Protecting banks during the challenge of COVID-19 and a reduced staff

Just as banks use every tool at their disposal to maximize revenue opportunities and manage their ledger, they must take the same approach when it comes to security. New challenges with COVID- 19, banks operating with a reduced staff and employees working from home require an updated and more diligent security plan. Insider threat programs are a key component to an overall security plan.

While financial institutions implement some level of security, they can improve their security and insider threat programs leveraging the latest security technologies. Cross-department collaboration, a practice that challenges organizations, is an extremely helpful part of the solution but is often the hardest to execute. Combining the right mix of technology and security staff will better protect financial institutions from insider threats and help meet COVID-19 guidelines.

The biggest risk to financial institutions is the possibility of bank employees accessing private user account data, including account numbers which can be printed, emailed, saved and be sold to bad actors for a high dollar amount. Most banks have deployed an access control system to manage access throughout their complicated environment. Access control systems collect large amounts of employee access data on a daily basis. While the amount of data collected is overwhelming and difficult to manage, it is extremely useful when trying to identify potential risks.

An analytics system can process access control data and assist with insider threat and COVID-19 challenges. Deploying an analytics system alongside an access control and identity management system can help leverage data to identify risks through anomalous behaviors by tracking an employee’s access history and behavior patterns.


People are creatures of habit and have daily work routines based on where they enter a building, what elevator they use, the location of their office or desk. Over time, employees establish their work patterns and the analytics system learns what doors they enter and exit and when they move about. It understands their behavior. The analytics system applies a risk score based on people, location and time.

The score is higher for a person who has access to critical areas such as the data center. A location score would be higher on a data center card reader than a cafeteria door, and scores are lower during the workday and higher during off times.

By understanding an employee’s habits and applying scores to the readers throughout a facility, an overall risk score is established for each employee. Baseline scores demonstrate normal behavior. However, if an employee tries to enter a bank in the middle of the night, the behavior would raise the score.

When a person’s risk score rises above normal, an alert in the dashboard notifies the security team. They can then review the specific employee’s behavior and see if the suspicious behavior is an anomaly or requires further action. Maybe the employee was working late on a project and needed to get into another department that he didn’t have access to after-hours. Or maybe the employee is searching for account data to sell.

An analytics system flags possible early warning signs and alerts the security team to keep a better watch on the situation. Having insight early could prevent a possible breach or crisis because the security team can start to watch the behavior more closely. It will also provide HR teams and management just-cause to investigate and confront the employee about the suspicious activity.

Obtaining this level of insight from your access data is only possible using an analytics system.


When employees start a job, they are given an access card. Often that access card allows them access to many more areas than they need to perform their job, creating a risk. Tightly controlling employee access helps prevent risk. Using an identity management system, banks must implement the least privileged access approach, which gives employees access to only the areas they need to perform their jobs.

Access to additional areas must be requested by the employee. Access is granted for a predetermined amount of time and automatically deactivates access when the time limit expires. It provides an electronic log of all requests and an audit trail to prove compliance. Least Privileged Access works well in heavily regulated industries such as banking. Financial institutions can match up timeframes with regulations to meet compliance.

Each department within a bank works with different files and uses its own standards to complete work. Based on the security program’s rules, the security team should know exactly who within the department should have access to the files, who outside the department is accessing those files, and monitor who tries to get access to those files.

“Banks must monitor all card swipes in areas where physical account data resides,” said Dan Bissmeyer, G4S director of business development. “Anyone from outside that section of the building or another department could possibly be fishing for that data.”


The onset of COVID-19 earlier this year brought on new challenges for financial institutions. Banks found themselves scrambling to move employees home to work. Entire security operations centers and call-centers needed to operate from home. Although considered essential, headquarter operations and branches operated with skeleton crews to serve customers.

Insider threat programs are set up to monitor employees, limit access, track how a person might be trying to access areas and information, and respond quickly to mitigate risk. Layers of security, using people and technology, are put in place to protect the company.

“Remote work makes it incredibly dif- ficult to keep an eye on people,” Bissmeyer said. “You lose what you had in your layers of security with physical access, identity management and analytics.”

In a remote setting, a bank must rely on its logical controls to monitor when employees log in and what they are accessing. However, the loss of physical containment is a huge challenge. When operating inside a bank, the employee is surrounded by layers of security that are put in place to protect them and the data they manage. When working remotely, an employee can work anywhere, exposing data on an open laptop to roommates or friends. Printing at home is especially dangerous. Financial hardships due to COVID-19 and the economy may also tempt employees to generate fraudulent loans.

While banks have remained open, they are slowly bringing back more employees to the workplace as restrictions are lifted. The right technology can help with the transition. An analytics system can help a bank remain in compliance and show proof that the bank is operating according to policy. If a bank is running at 50 percent capacity in their buildings, the security team can pull up a dashboard that shows exact capacity at any moment. This ensures they are following the proper health guidelines imposed by authorities and they will meet internal and external compliance standards, which help preserve the bank’s integrity and reputation.

Banks can use contact tracing tools to track employees who may have been near a person who tested positive for COVID-19. If a person tested positive or was exposed, those who have been exposed to that person could easily be identified. Visitor management systems can control and authorize visitors before they arrive. A temporary card can be used from the phone via a QR card reader, eliminating the need to touch a card. Visitors can be required to answer COVID-19 related questions and remotely sign policy documents before being allowed access to a building, ensuring compliance while keeping employees safe from exposure to the virus.

Security officers can capture events using the data from other systems to contain and recover preventing the spread of infection. Proper tracking of COVID-19 diagnoses and all events within an incident management system will help the bank remain in compliance.


Deploying the best technologies can help provide a powerful and comprehensive insider threat and security program, but to have a top-notch program, an organization must have cross-collaboration between its departments. Key stakeholders from HR, legal, IT, facilities and compliance should meet regularly with the security team.

“Reach out and discuss the benefits of having a strong relationship with different departments to not only help build an insider threat program and improve security overall, but to benefit the company as a whole,” Bissmeyer said. “Eliminating silos and working cross-functionally is the only way to have a first-rate security program.”

Different departments perform different investigations and cross-communication could streamline the process and benefit other programs such as workplace violence, business continuity, and crisis management. All of these programs touch other departments. Invite members from these departments to attend regular staff meetings, and request to have someone from the security department at their meetings. Understanding what is happening in other departments eliminates surprises and helps each team be more proactive.

Together, establish workflows when incidents or crises are identified. Dynamic, distributed and auditable workflows will create a streamlined response and improve reaction time. COVID- 19 challenged all aspects of the banking business. Implementing cross-collaboration communication and workflows, along with the right technologies will help banks be better prepared for the next crisis.

This article originally appeared in the September 2020 issue of Security Today.


Featured Cybersecurity


New Products

  • FlexPower® Global™ Series (FPG) from LifeSafety Power

    FlexPower® Global™ Series (FPG) from LifeSafety Power

    The FlexPower® Global™ Series (FPG) from LifeSafety Power—designed to provide DC power for access control systems in international applications—is now PSE listed for Japan and compatible with the country’s 100VAC applications. 3

  • Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft Cloud Video Surveillance VSaaS Solution

    Videoloft focuses on transforming traditional professional surveillance systems into cloud connected solutions via the Videoloft Cloud Adapter. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3