Consumer confidence in the banking and financial industry is at an all-time low. According to a 2016 Gallup poll, consumer confidence fell from 49% to 27% over the last decade, the largest drop seen in any industry. In addition to the erosion of consumer trust, regulators are fining major financial companies such as Bank of America, JP Morgan Chase, and Wells Fargo billions of dollars for regulatory failures.
The importance of securing assets and consumer data is top of mind in the financial industry. The nature of financial services requires the gathering and storing of sensitive customer information and the necessity to secure this data. To address these issues, in 2018, companies will spend upwards of $93 billion on security.
Addressing security issues involves measures to protect against cyber threats, external physical threats, and internal threats. The latter is often the most difficult to combat because companies design the hiring process to screen employees. Yet, a disgruntled or ex-employee can compromise existing systems and present threats to data security. The best processes and procedures are designed to keep outsiders from infiltrating the system. Inside jobs require a different level of protection.
The Problem: Difficulty in Addressing Internal Security Threats
Companies design an onboarding process to screen future employees and eliminate those who could bring trouble. However, when it comes to internal fraud and security breaches, often the most tenured and trusted employees are the culprits. Whether the breach is intentional or accidental, financial companies experience major losses each year due to internal security failures, costing the company in terms of quantitative losses and consumer trust.
According to the Cyber Security Intelligence Index, 60% of cyber security failures come from within the company, making insiders the biggest security breach threat a financial services company faces. In addition, financial services saw the largest incidents of employee theft, accounting for 21% of reported thefts among banks, credit unions, and insurance companies, with an average loss of $842,403. Insurance often does not cover employee theft, leaving companies vulnerable to financial losses they will never recover.
Progressive Insurance reports that approximately ½ of all bond claims among financial institutions involve internal theft. Employees know the systems and company protocols. They have access to cash, customer data, and other sensitive information, along with knowledge of system vulnerabilities. Insider knowledge often allows them to cover their tracks, making the theft difficult to detect. The longer the theft remains undiscovered, the more the employee can steal. Internal theft can come from tenured employees and occur over years rather than days or months, as often happens in external fraud cases.
The Solution: Control the Opportunity
Financial companies cannot control what goes on in employees' lives outside of work, but they can control the opportunity. Having appropriate policies and procedures in place, in addition to checks and balances, can reduce the opportunity employees have to steal from the company undetected.
The Problem: Disgruntled Workers and Former Workers Leaking or Stealing Information
Malicious attacks within financial companies account for 75 percent of losses. Intentional internal fraud comes in two forms: those who plan to steal money or information for dishonest purposes and those who capitalize on an opportunity.
One example is a professional hacker contacting a bank employee and offering bribes in exchange for passwords or access to data, allowing thieves to steal information. Another example is a loan officer who partners with an attorney to create a scheme to extend fraudulent loans to fake consumers. Low-paying jobs, such as teller positions, are particularly vulnerable to insider fraud.
As financial companies increase security, thieves are more inclined to approach current employees as partners or to trick employees into inadvertently giving the thief access to sensitive information. Criminals with the knowledge to make money from stealing data connect with employees who serve as the access point.
The Solution: Evaluate Current Security Protocols and Improve Automation
Security protocols allow employees access to certain areas and information in the course of completing their job efficiently. Evaluating what security clearances employees should have is the first step to closing the loop on internal fraud.
Potential steps can include limiting the information and access of employees. For example, requiring two team members present when opening and closing the vault adds both internal and external security. No one person has access to the cash held overnight by a bank.
Another protocol might be to cancel access to the building, systems, and key information at the time of termination. For example, when an employee has access to a physical key, they can reproduce the key at any point in their employment. On the other hand, electronic access systems allow managers to cancel access immediately upon termination. Whether the company stores information in computer files or file cabinets, immediately canceling access is critical in preventing former employees from stealing data after termination.
The Problem: Inadvertent Leaks
Lack of security expertise can lead to losses in financial institutions. The average employee does not connect everyday actions with theft and vulnerabilities. Whether an employee inadvertently downloads a file, releasing malware into the system, sends secure information to their home networks, or leaves file cabinets containing secure information unlocked, the action can have long-term consequences for the company.
Human error includes everything from a misaddressed email to giving customers access to another customer’s personal information. For example, a loan officer might leave a physical file on their desk before a client meeting or may have a company-issued laptop stolen, giving thieves access to confidential information.
The Solution: Improve Training and Automation
Financial companies put protocols in place to address the issue of security. However, in day-to-day operations, employees may not regularly follow those protocols if they find them inconvenient. Common shortcuts include leaving file drawers containing sensitive data unlocked, sharing passwords, and allowing multiple employees to use a computer without signing in again. Each of these actions makes the employee’s job easier but opens the door to a security breach.
In addition to ongoing training, automating security processes will improve execution. For example, installing electronic locks on drawers and file cabinets with an auto-locking feature will prevent anyone from gaining access because an employee failed to secure the location.
Financial institutions face a range of challenges when it comes to security. Companies must consider both internal and external threats from both intentional and unintentional sources. Senseon helps safeguard both money and customer data to reduce the risk of a security breach.