As if retail banks were not under the gun enough lately, with pressure mounting from the government, consumers, and competitors, industry observers say perhaps the worst threat banks have to consider is the one posed by their own employees.
Insider data breaches, already a larger issue for banks than for companies in other industries, are on the rise as desperate, disgruntled, and recently departed employees use their access to steal sensitive information for personal gain or just to wreak havoc. According to the nonprofit Identity Theft Resource Center (ITRC) in San Diego, reports of U.S. data breaches in general increased 47% in 2008 from the previous year; breaches from data theft by employees doubled to nearly 16%. At banks, the chances of a data breach being an inside job are even greater: Nearly one-quarter (24%) of all financial institutions’ data breaches in 2008 involved employees, the ITRC says.
The higher incidence of employee misuse of information at banks could be due to the fact that bank employees simply have access to more sensitive and valuable information. While financial firms are fortified by better security than most other types of companies, these systems are designed for the express purpose of keeping bad guys out, not necessarily watching for the threat from within. “The people that work at financial institution[s] have the access,” says Mary Monahan, managing partner at Javelin Strategy & Research in Pleasanton, California. “It’s all there.”
Most banks are understandably secretive about the exact nature of how they manage the risk of bank insiders misusing their access, or even how they terminate rights in the case of employee departure or dismissal. Kelly E. Sapp, a spokeswoman for Bank of America, says, “In regards to associates no longer at the company and their access, I can tell you all access for former associates is removed and cancelled the day their employment is terminated. This includes network, corporate information, building, phone, and all other accesses.” Spokespersons from Wells Fargo & Co., and PNC Financial Services Group declined to comment on their policies for managing risk around employee access.
But the media is already overrun with stories of banks falling prey to these enemies within. In May 2005, investigators in New Jersey broke up a cybercrime ring that included at least seven former bank employees who had illegally accessed more than 600,000 consumer accounts at four different banks, one of the biggest data breaches in U.S. banking history. More recently, a former IT contract worker for Fannie Mae used his still-active server privileges to plant a malware bomb in January, which, if it had not been discovered, would have reportedly crashed the massive mortgage operation’s computers and caused millions of dollars of damage.
Add to this scenario a deeply troubled economy, rampant layoffs, mergers, and an increasingly negative attitude toward banks (in the wake of the subprime crisis and controversy over TARP funding), and you’ve got a potent mix that is likely to fuel this particular brand of corporate malfeasance, experts say. “As soon as people hear layoffs are coming, they react emotionally. People are concerned about what to do for their next job, especially now,” says Ellen Libenson, vice president of product marketing for Symark International, an Agoura Hills, California security software company that services the financial industry. “And people who may feel they have been wronged can act out in a malicious manner.”
Indeed, a recent study by security researchers at the Traverse City, Michigan-based Ponemon Institute found that employees are much more likely to misuse their network access if they think poorly of their employer. According to Ponemon’s survey of 945 adults who had been fired, laid off, or changed jobs in the previous year, 61% of respondents who were negative about their former employer said they had taken data; only 26% of those with a favorable view had done so.
“If they don’t like their former employer, it gives a person a sense of permission,” says Larry Ponemon, founder of the Ponemon Institute. He adds that while people who work for banks have historically had a high degree of trust with regard to their employers, the recent financial meltdown and concerns over joblessness and financial instability have shaken it. [Twenty percent of respondents to the Ponemon survey work in the financial industry. More than two-thirds (67%) of all respondents said they had used their former company’s confidential, sensitive, or proprietary information to leverage a new job.]
“It’s pretty clear that with retail banks specifically, [more recently] there [are] lots of negative feelings … and management is being viewed as being greedy,” Ponemon says, adding that this has left laid-off or even current bank employees often seeing their bank bosses as “the root cause of the crisis, rather than a victim of it.”
Furthermore, the unprecedented level of change brought about by having high numbers of layoffs and the morphing of two megabanks into one (à la Wells Fargo & Co. and Wachovia Corp. or JP Morgan Chase & Co. and Washington Mutual Inc.) could foster even more problems. Like a lion looking for a wounded gazelle, criminals will exploit this time of conversion and chaos. “Good IT people know that at times of stress, hackers see opportunity,” Libenson says. “They will look for those dissatisfied and disgruntled employees” in hopes of enlisting their help to access valuable corporate or customer information.
And bank IT departments, overtaxed and underfunded due to budget cuts that are rife throughout the industry, can fall prey to oversights that also allow information to fall through the cracks. In particular, Libenson points out, employees’ network credentials may not be taken away immediately, or not fully removed, allowing former employees to continue to access company networks and databases for days, weeks, or months after their dismissal. These so-called “orphaned accounts” sometimes occur because the IT departments are stretched too thin to handle the massive task of taking away access from the hundreds or thousands of employees who may be laid off in this environment.
“A massive exodus of people means you need to terminate access immediately … not everyone can do that,” Libenson says. In a survey of nearly 1,000 IT, human resources, and C-level executives Symark conducted last year, three out of 10 respondents said it takes at least three days to terminate access after an employee leaves; 12% said it takes longer than a month. Thirty percent of those surveyed said they have no procedure in place to locate orphaned accounts, and 42% of respondents said they did not know how many orphaned accounts even existed within their organization.
Libenson says the difficulty of removing credentials is further exacerbated when an employee, especially one who has been with the bank for several years or is highly placed, may have many credentials giving him or her access to dozens of applications and databases across various networks. (“Or maybe someone’s role has changed and their access was never curtailed,” she adds.) Further complicating the situation, Libenson and other experts say, is the pervasiveness of mobile or remote access to corporate networks allowed to many employees nowadays.
According to Ponemon, all these factors combined are creating “the perfect storm for the world’s largest bank data breach in the not-too-distant future.
“It will be like Heartland on steroids,” he adds, referring to the payment processor that was breached in January, exposing tens of millions of credit and debit card transactions.
While the next big employee-driven breach may be a fait accompli in banking, experts say there are many steps individual institutions can take to prevent being at the center of a major incident. By following a number of procedural and technological best practices, they say, financial service providers can mitigate their risk of falling prey to nefarious employees, past and present.
Put an identity management system in place to facilitate provisioning and removal of network credentials. It’s hard to remove an employee’s access when you can’t even tell what he or she is able to access. If they don’t already have one in place, banks might consider implementing a single sign-on system that would centralize and control employees’ ability to use various networks and areas within the bank, which, in turn, would make terminating those access rights a more streamlined process. “It’s a prevention issue, and that should be first and foremost,” says Ponemon.
Create a set series of processes and procedures for removing credentials, and stick to it. At many banks, until recently, “people have relied on trust alone instead of auditable processes,” Libenson says. While most employees have no intention of stealing from or harming their employer, experts say, it is important to have a plan for how credentials are removed that is built into every employee’s departure.
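One auditable process the article's experts describe is a regular reconciliation of the HR roster against every system's account list, so that the "orphaned accounts" Libenson mentions are found rather than assumed away. The script below is an added illustration, not code from the article or from any of the firms quoted in it; the employee roster, account inventory, system names, and the review date are all constructed sample data, and the `sla_days` grace period is an assumed parameter (Bank of America's stated standard is same-day removal, which is the default of 0).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# --- Constructed data model (hypothetical; real feeds would come from HR and each directory) ---

@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                 # "active" or "terminated"
    term_date: Optional[date]   # set only when status == "terminated"

@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]     # HR id the account is mapped to; None if nobody claims it
    enabled: bool
    last_login: Optional[date]

@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    kind: str                   # "orphaned", "post_termination_login" or "unowned"
    days_since_term: int        # -1 when no HR record exists to measure against

def reconcile(employees: List[Employee], accounts: List[Account],
              today: date, sla_days: int = 0) -> List[Finding]:
    """Compare an account inventory with the HR roster and return exceptions.

    orphaned               - enabled account whose owner left more than sla_days ago
    post_termination_login - account used after its owner's termination date
    unowned                - enabled account with no matching HR record at all
    """
    roster = {e.emp_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            if acct.enabled:
                findings.append(Finding(acct.system, acct.username, "unowned", -1))
            continue
        if owner.status != "terminated":
            continue
        days = (today - owner.term_date).days
        if acct.enabled and days > sla_days:
            findings.append(Finding(acct.system, acct.username, "orphaned", days))
        if acct.last_login is not None and acct.last_login > owner.term_date:
            findings.append(Finding(acct.system, acct.username, "post_termination_login", days))
    # Longest-standing exposures first, so the review queue is prioritised
    return sorted(findings, key=lambda f: -f.days_since_term)

# --- Constructed sample input ---
REVIEW_DATE = date(2009, 3, 12)

EMPLOYEES = [
    Employee("E100", "A. Teller", "active", None),
    Employee("E200", "B. Analyst", "terminated", date(2009, 2, 1)),
    Employee("E300", "C. Admin", "terminated", date(2009, 3, 10)),
]

ACCOUNTS = [
    Account("ad", "ateller", "E100", True, date(2009, 3, 11)),
    Account("ad", "banalyst", "E200", True, date(2009, 2, 15)),   # still enabled, used after leaving
    Account("vpn", "banalyst", "E200", False, date(2009, 1, 30)), # correctly disabled
    Account("db-core", "cadmin", "E300", True, None),             # two days past termination
    Account("db-core", "svc_report", None, True, date(2009, 3, 1)),  # nobody in HR owns it
]

def run_report(sla_days: int = 0) -> List[Finding]:
    """Run the reconciliation over the constructed sample with the given grace period."""
    return reconcile(EMPLOYEES, ACCOUNTS, REVIEW_DATE, sla_days)

if __name__ == "__main__":
    for f in run_report():
        print(f"{f.kind:<24} {f.system}/{f.username:<12} days_since_term={f.days_since_term}")
```

Running the report with the default same-day standard flags the analyst's directory account twice (still enabled 39 days on, and logged into two weeks after termination), the administrator's database account, and the unowned service account; raising `sla_days` to 3 drops the administrator's account, which is inside the three-day window that 30% of the Symark respondents reported as their norm.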
Pay particular attention to the employees who could do the most damage. Not all employees are created equal. And since some, particularly systems administrators and IT security specialists, Ponemon says, likely have more access to information and the requisite skills to use that information for profit or mischief, it’s important to pay more attention to removing network access from these people quickly and cleanly. In the case of a massive layoff, human resources might stratify the different classes of terminated employees based on their level of access and skill, and handle the removal of their access accordingly. “You don’t terminate these people without a plan,” Libenson says.
Find out if your employees are taking more than their potted plants and photos with them. While it is difficult, in this age of thumb drives, laptops, smartphones, and CDs, to track all the ways an employee could be stealing information, a company still has to make the effort, if for no other reason than to discourage would-be insider thieves. According to Ponemon’s survey, only 15% of respondents’ companies review or perform an audit of the paper or electronic documents their employees take with them when they go. In cases where a review was conducted, 45% of respondents said it was not complete, and another 29% described the process as “superficial.”
Consider using data loss prevention tools, keystroke capture, or database monitoring to track who is touching high-priority data. Software tools from security system providers can track what current or former employees are reaching out to take or issue an alert when they manipulate data they shouldn’t. Case in point: Some of the employees involved in the May 2005 bank data breach were reportedly looking up 1,000 to 2,000 records per day, when their job typically required them to be viewing about one-tenth that many. Ponemon says that of all the technology to enlist to help mitigate risk, DLP software may be the most important. “Even with declining IT budgets, banks need to be more strategic in how they view this,” he says.
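The 2005 case above is the textbook signal a database monitor looks for: a user's daily record lookups jumping to roughly ten times his own normal volume. The detector below is an added example, not a product feature or code from the article; it parses constructed application-log lines (the `user=… action=VIEW_ACCOUNT acct=…` format, the user names, and the day-by-day volumes are all invented here), builds each user's baseline as the median of their earlier days, and alerts when a day's count reaches an assumed `factor` times that baseline, or an assumed absolute `floor` for users with no history yet.

```python
import re
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed log format (hypothetical): "YYYY-MM-DD HH:MM:SS user=<id> action=VIEW_ACCOUNT acct=<masked>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=VIEW_ACCOUNT acct=\S+$"
)

def daily_lookups(lines: List[str]) -> Dict[str, Counter]:
    """Count customer-record views per user per calendar day; other actions and malformed lines are skipped."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        counts[m["user"]][m["date"]] += 1
    return counts

def detect_excess_lookups(lines: List[str], day: str,
                          factor: float = 5.0, floor: int = 500) -> List[Tuple[str, int, float, float]]:
    """Return (user, count_on_day, baseline, ratio) for users whose volume on `day` is anomalous.

    Users with history: alert when count >= factor * median of their other days.
    Users without history: alert when count >= floor (no personal baseline to compare against).
    """
    alerts = []
    for user, per_day in daily_lookups(lines).items():
        today = per_day.get(day, 0)
        history = [n for d, n in per_day.items() if d != day]
        if history:
            baseline = float(median(history))
            ratio = today / baseline
            if ratio >= factor:
                alerts.append((user, today, baseline, ratio))
        elif today >= floor:
            alerts.append((user, today, 0.0, float("inf")))
    return alerts

# --- Constructed sample log (generated rather than typed out; ~3,000 lines) ---
DAYS = [f"2009-05-0{i}" for i in range(1, 7)]

def make_views(user: str, day: str, n: int) -> List[str]:
    """Fabricate n VIEW_ACCOUNT lines for one user on one day, with masked account numbers."""
    return [
        f"{day} 10:{(i // 60) % 60:02d}:{i % 60:02d} user={user} action=VIEW_ACCOUNT acct=****{1000 + i % 9000:04d}"
        for i in range(n)
    ]

def sample_log() -> List[str]:
    lines: List[str] = []
    for day in DAYS[:-1]:                     # five days of normal activity
        lines += make_views("teller1", day, 150)
        lines += make_views("teller2", day, 120)
    lines += make_views("teller1", DAYS[-1], 160)   # slightly busier, still normal
    lines += make_views("teller2", DAYS[-1], 1500)  # order-of-magnitude spike
    lines += make_views("newhire", DAYS[-1], 40)    # first day, no baseline yet
    lines.append(f"{DAYS[-1]} 10:00:00 user=teller1 action=LOGIN")  # ignored by the parser
    return lines

def run_detection() -> List[Tuple[str, int, float, float]]:
    return detect_excess_lookups(sample_log(), DAYS[-1])

if __name__ == "__main__":
    for user, n, base, ratio in run_detection():
        print(f"ALERT {user}: {n} lookups on {DAYS[-1]} vs baseline {base:.0f} (x{ratio:.1f})")
```

Only `teller2` is reported: 1,500 views against a personal baseline of 120, a ratio of 12.5. The per-user median matters more than any fixed threshold, since a back-office analyst's ordinary day can legitimately exceed a teller's busiest one; the absolute `floor` exists only so a brand-new or renamed account cannot evade comparison by having no history.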
“During times like these, with economic challenges and cost management becoming such a key issue, [IT security] is one of the areas that could be cut,” says Doug Johnson, vice president of risk management policy for the American Bankers Association. “It’s easy to forget that this is a big issue when you have so many other things on your plate.”