The Threat from Within
Protecting banks during the challenge of COVID-19 and a reduced staff
- By Kami Dukes
- Sep 04, 2020
Just as banks use every tool at their disposal to
maximize revenue opportunities and manage their
ledger, they must take the same approach when
it comes to security. New challenges with COVID-19,
banks operating with a reduced staff and
employees working from home require an updated and more diligent
security plan. Insider threat programs are a key component
to an overall security plan.
While financial institutions implement some level of security,
they can improve their security and insider threat programs by leveraging
the latest security technologies. Cross-department collaboration,
a practice that challenges organizations, is an extremely
helpful part of the solution but is often the hardest to execute.
Combining the right mix of technology and security staff will
better protect financial institutions from insider threats and help
meet COVID-19 guidelines.
The biggest risk to financial institutions is the possibility of
bank employees accessing private user account data, including
account numbers, which can be printed, emailed, saved and
sold to bad actors for a high dollar amount. Most banks have
deployed an access control system to manage access throughout
their complicated environment. Access control systems collect
large amounts of employee access data on a daily basis. While the
amount of data collected is overwhelming and difficult to manage,
it is extremely useful when trying to identify potential risks.
An analytics system can process access control data and assist
with insider threat and COVID-19 challenges. Deploying an
analytics system alongside an access control and identity management
system can help leverage data to identify risks through
anomalous behaviors by tracking an employee’s access history
and behavior patterns.
HOW ANALYTICS SYSTEMS WORK
People are creatures of habit and have daily work routines
based on where they enter a building, what elevator they use, the
location of their office or desk. Over time, employees establish
their work patterns and the analytics system learns what doors
they enter and exit and when they move about. It understands their behavior.
The analytics system applies a risk
score based on people, location and time.
The score is higher for a person who has
access to critical areas such as the data
center. A location score would be higher
on a data center card reader than a cafeteria
door, and scores are lower during the
workday and higher during off times.
By understanding an employee’s habits
and applying scores to the readers
throughout a facility, an overall risk score
is established for each employee. Baseline
scores demonstrate normal behavior.
However, if an employee tries to enter a
bank in the middle of the night, the behavior
would raise the score.
When a person’s risk score rises above
normal, an alert in the dashboard notifies
the security team. They can then review
the specific employee’s behavior and see
if the suspicious behavior is an anomaly
or requires further action. Maybe the employee
was working late on a project and
needed to get into another department
that he didn’t have access to after-hours.
Or maybe the employee is searching for
account data to sell.
An analytics system flags possible early
warning signs and alerts the security team
to keep a better watch on the situation.
Having insight early could prevent a possible
breach or crisis because the security
team can start to watch the behavior more
closely. It will also provide HR teams and
management just cause to investigate and
confront the employee about the suspicious
activity.
Obtaining this level of insight from
your access data is only possible using an
analytics system.
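The scoring approach described in this section can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product; the weights, role names, reader names, badge-log format and the alert threshold (baseline mean plus three standard deviations) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed weights (assumptions, not vendor values): role reach and reader sensitivity.
PERSON_W = {"teller": 1.0, "dc_admin": 2.0}
READER_W = {"lobby": 1.0, "cafeteria": 0.5, "records_room": 3.0, "data_center": 4.0}
# Constructed badge log: five ordinary workdays, then a day with a 02:14 swipe.
ROUTINE = [("08:05:00", "E100", "teller", "lobby"), ("12:10:00", "E100", "teller", "cafeteria"),
           ("09:00:00", "E200", "dc_admin", "lobby"), ("10:30:00", "E200", "dc_admin", "data_center")]
HISTORY = [f"2020-08-{d:02d}T{t},{e},{r},{rd}" for d in range(3, 8) for t, e, r, rd in ROUTINE]
TODAY = ["2020-08-10T02:14:00,E100,teller,records_room",
         "2020-08-10T08:05:00,E100,teller,lobby",
         "2020-08-10T09:00:00,E200,dc_admin,lobby",
         "2020-08-10T10:30:00,E200,dc_admin,data_center"]

def time_weight(ts):
    """Lower during the workday (Mon-Fri, 07:00-18:59), higher in off times."""
    return 1.0 if ts.weekday() < 5 and 7 <= ts.hour < 19 else 3.0

def parse(line):
    stamp, emp, role, reader = line.split(",")
    return datetime.fromisoformat(stamp), emp, role, reader

def daily_scores(lines, habits):
    """Sum person x location x time scores per (employee, date)."""
    totals = defaultdict(float)
    for ts, emp, role, reader in map(parse, lines):
        # A reader/hour pair never seen for this person doubles the event score.
        novelty = 1.0 if (reader, ts.hour) in habits[emp] else 2.0
        totals[(emp, ts.date())] += PERSON_W[role] * READER_W[reader] * time_weight(ts) * novelty
    return totals

def find_alerts(history, today, k=3.0):
    """Learn habits and a baseline per employee, then flag days that rise above it."""
    habits = defaultdict(set)
    for ts, emp, _, reader in map(parse, history):
        habits[emp].add((reader, ts.hour))
    per_emp = defaultdict(list)
    for (emp, _), s in daily_scores(history, habits).items():
        per_emp[emp].append(s)
    alerts = {}
    for (emp, _), s in daily_scores(today, habits).items():
        base = per_emp.get(emp)
        # No baseline at all means any activity is surfaced for review.
        limit = mean(base) + k * max(pstdev(base), 1.0) if base else 0.0
        if s > limit:
            alerts[emp] = (round(s, 1), round(limit, 1))
    return alerts
```

Calling `find_alerts(HISTORY, TODAY)` flags only the employee with the night-time records-room swipe; the alert is a prompt for the security team to review, not a verdict.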
LEAST PRIVILEGED ACCESS HELPS MEET COMPLIANCE
When employees start a job, they are
given an access card. Often that access card
allows them access to many more areas
than they need to perform their job, creating
a risk. Tightly controlling employee
access helps prevent risk. Using an identity
management system, banks must implement
the least privileged access approach,
which gives employees access to only the
areas they need to perform their jobs.
Access to additional areas must be requested
by the employee. Access is granted
for a predetermined amount of time and
is automatically deactivated when the
time limit expires. The system provides an electronic
log of all requests and an audit trail to
prove compliance. Least Privileged Access
works well in heavily regulated industries
such as banking. Financial institutions
can match up timeframes with regulations
to meet compliance.
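A minimal model of the time-boxed grant and audit trail described above, as an added example rather than code from the article or any identity management product. The role-to-area map, the approver field and all names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed baseline entitlements (assumption): areas each role needs for its job.
ROLE_AREAS = {"teller": {"lobby", "teller_line"}, "loan_officer": {"lobby", "loan_office"}}

class AccessManager:
    def __init__(self):
        self.grants = {}   # (employee, area) -> expiry datetime
        self.audit = []    # append-only log of requests and decisions

    def _log(self, when, employee, area, action, detail=""):
        self.audit.append((when.isoformat(), employee, area, action, detail))

    def request(self, employee, area, approver, hours, now):
        """Log the request, then grant the extra area for a fixed window."""
        self._log(now, employee, area, "REQUESTED", f"{hours}h")
        expiry = now + timedelta(hours=hours)
        self.grants[(employee, area)] = expiry
        self._log(now, employee, area, "GRANTED", f"by {approver} until {expiry.isoformat()}")
        return expiry

    def check(self, employee, role, area, now):
        """Decide one card swipe: role baseline first, then unexpired temporary grants."""
        if area in ROLE_AREAS.get(role, set()):
            self._log(now, employee, area, "ALLOW", "role")
            return True
        expiry = self.grants.get((employee, area))
        if expiry and now < expiry:
            self._log(now, employee, area, "ALLOW", "temporary grant")
            return True
        if expiry:  # the grant exists but has lapsed: deactivate it and record that
            del self.grants[(employee, area)]
            self._log(now, employee, area, "EXPIRED")
        self._log(now, employee, area, "DENY")
        return False

def demo():
    """Swipe before the grant, during it, and at the moment it expires."""
    am, t0 = AccessManager(), datetime(2020, 9, 1, 9, 0)
    before = am.check("E100", "teller", "records_room", t0)
    am.request("E100", "records_room", "supervisor_S1", hours=4, now=t0)
    during = am.check("E100", "teller", "records_room", t0 + timedelta(hours=3))
    after = am.check("E100", "teller", "records_room", t0 + timedelta(hours=4))
    return before, during, after, [entry[3] for entry in am.audit]
```

Denied and expired swipes are logged alongside allowed ones, so the same trail that proves compliance also shows who tried to reach an area without access.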
Each department within a bank works
with different files and uses its own standards
to complete work. Based on the security
program’s rules, the security team
should know exactly who within the department
should have access to the files,
who outside the department is accessing
those files, and monitor who tries to get
access to those files.
“Banks must monitor all card swipes
in areas where physical account data resides,”
said Dan Bissmeyer, G4S director
of business development. “Anyone from
outside that section of the building or another
department could possibly be fishing
for that data.”
COVID-19 CHALLENGES
The onset of COVID-19 earlier this
year brought on new challenges for financial
institutions. Banks found themselves
scrambling to move employees home to
work. Entire security operations centers
and call-centers needed to operate from
home. Although considered essential,
headquarters operations and branches
operated with skeleton crews to serve customers.
Insider threat programs are set up to
monitor employees, limit access, track
how a person might be trying to access areas
and information, and respond quickly
to mitigate risk. Layers of security, using
people and technology, are put in place to
protect the company.
“Remote work makes it incredibly difficult
to keep an eye on people,” Bissmeyer
said. “You lose what you had in your layers
of security with physical access, identity
management and analytics.”
In a remote setting, a bank must rely
on its logical controls to monitor when
employees log in and what they are accessing.
However, the loss of physical containment
is a huge challenge. When operating
inside a bank, the employee is surrounded
by layers of security that are put in place
to protect them and the data they manage.
When working remotely, an employee can
work anywhere, exposing data on an open
laptop to roommates or friends. Printing
at home is especially dangerous. Financial
hardships due to COVID-19 and the economy
may also tempt employees to generate
fraudulent loans.
While banks have remained open, they
are slowly bringing back more employees
to the workplace as restrictions are lifted.
The right technology can help with the
transition. An analytics system can help
a bank remain in compliance and show
proof that the bank is operating according
to policy. If a bank is running at 50
percent capacity in their buildings, the security
team can pull up a dashboard that shows exact capacity at any moment. This ensures they are following
the proper health guidelines imposed by authorities and
they will meet internal and external compliance standards, which
help preserve the bank’s integrity and reputation.
Banks can use contact tracing tools to track employees who
may have been near a person who tested positive for COVID-19.
If a person tested positive or was exposed, those who have been
exposed to that person could easily be identified. Visitor management
systems can control and authorize visitors before they arrive.
A temporary card can be used from the phone via a QR card reader,
eliminating the need to touch a card. Visitors can be required to
answer COVID-19 related questions and remotely sign policy documents
before being allowed access to a building, ensuring compliance
while keeping employees safe from exposure to the virus.
Security officers can capture events using the data from other
systems to contain and recover, preventing the spread of infection.
Proper tracking of COVID-19 diagnoses and all events
within an incident management system will help the bank remain
in compliance.
CROSS COLLABORATION
Deploying the best technologies can help provide a powerful
and comprehensive insider threat and security program, but to
have a top-notch program, an organization must have cross-collaboration
between its departments. Key stakeholders from HR,
legal, IT, facilities and compliance should meet regularly with the
security team.
“Reach out and discuss the benefits of having a strong relationship
with different departments to not only help build an insider
threat program and improve security overall, but to benefit
the company as a whole,” Bissmeyer said. “Eliminating silos and
working cross-functionally is the only way to have a first-rate security
program.”
Different departments perform different investigations and
cross-communication could streamline the process and benefit
other programs such as workplace violence, business continuity,
and crisis management. All of these programs touch other departments.
Invite members from these departments to attend regular staff
meetings, and request to have someone from the security department
at their meetings. Understanding what is happening in other
departments eliminates surprises and helps each team be more
proactive.
Together, establish workflows when incidents or crises are
identified. Dynamic, distributed and auditable workflows will
create a streamlined response and improve reaction time. COVID-19
challenged all aspects of the banking business. Implementing
cross-collaboration communication
and workflows, along with the right technologies,
will help banks be better prepared for the
next crisis.
This article originally appeared in the September 2020 issue of Security Today.