The incident that re-raised the question of ‘Trust’
Remember the infamous bank heist in 2016 that targeted one of the central banks in South Asia? We are not sure if we have learned any lessons from that incident.
Recently, cyber crooks staged a similar incident at a cooperative bank in northern India. This time, the culprits managed to steal INR 146 crores from the bank’s account. It is suspected that they connived with a former bank employee to commit the crime.
The post-incident investigation shows that the victim relied on a third-party agency responsible for maintaining its overall IT security infrastructure. The preliminary investigation revealed that the criminals breached the bank’s security systems (probably with the help of a former employee) and transferred INR 146 crores to seven different bank accounts.
The cyber vigilance cell of the police department confirmed that each and every system on the network is password protected, so the involvement of an insider is highly evident.
What normally goes wrong?
Incidents of insider threats are not new. According to the 2022 Ponemon Cost of Insider Threats global report, insider threat incidents have risen by 44% over the past couple of years, with the cost of each incident rising to one-third of $15.38 million. In the banking industry specifically, 23% of all cyber incidents are caused by malicious insiders.
The fact is, insiders have the easiest opportunities to cause colossal damage to any organization, and this has only intensified in the digital age. Modern organizations run large IT environments, and in banks there is a high chance of ‘trusted entitlement’ abuse. BFSI has always been a financially sensitive industry, and the digitalization drive has opened new doors to threat patterns.
In this context, the question worth pondering is: how do cybercriminals get through otherwise impenetrable IT security cordons without assistance (knowing or unknowing) from an insider? Because they are internal employees, organizations ‘trust’ their actions, and that ‘trust’ is abused by malicious employees. Typically, the malefactors have ample areas to exploit, and it takes a long time to detect the anomaly. By the time it is identified, the damage is already done.
Where do the risks stem from?
There are countless areas where insider risk can originate. ARCON has identified the dominant and most vulnerable ones.
- Always-on privileged access: Privileged users have access rights to the most critical information assets. What could happen if these users enjoyed elevated rights around the clock? When there is no genuine task at hand, standing privileged access rights might be misused. Following the Least Privilege principle is the only way to get rid of this risk.
- Hybrid work conditions: The risk of insider threats has doubled in hybrid work conditions. Employees often use multiple devices to do their work both on-prem and remotely. Organizations, on the other hand, try to ensure smooth access management by allowing access to the necessary applications so that workforce productivity is maintained. Malicious insiders exploit this ‘trust’ and misuse the elevated access rights. A robust remote access solution could minimize the risk by sending immediate alerts to the risk management team.
- No predictive threat analytics: Modern IT infrastructure grows more complex by the day. In our latest blog (link) we discussed why threat-predictive mechanisms should be integrated with threat-preventive solutions today. Continuously analyzing user behaviour is now more important than deciding “who should have access to which applications and why.” AI/ML-based behavioural analytics is the only way to get alerts about anomalous behaviour from any end-user (including privileged users).
- Poor identity governance: Identity theft is a constant threat to the banking industry. Uncontrolled expansion of IT environments creates more identities, but very often they are not managed properly. As a result, the rights and roles of those identities can be exploited, which eventually leads to data misuse. Robust identity governance ensures the right end-users access the right resources at the right time for the right purpose, protecting IT assets from breaches and unauthorized access.
- Non-compliance: Every region worldwide has a standard set of compliance guidelines for the banking industry. In India, the Reserve Bank of India (RBI) is the main authority issuing compliance mandates. It works closely with MeitY (the Ministry of Electronics and Information Technology) and TRAI. The RBI has a set of compliance guidelines for banks to follow, especially for access management and controls. In other words, non-compliance with RBI guidelines leads to poor access management practices in banks.
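The first and third points above (always-on privileged access versus time-bound grants, and behavioural analytics that alert on anomalous use) as an added Python example, not ARCON's code or product: the `Grant` ledger replaces standing rights with elevation that expires on its own, and `review` raises alerts when a privileged action falls outside any active grant, outside the user's usual hours, or targets an account never seen before. The log format, user, system and account names are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:  # time-bound privilege: elevation exists only inside [start, end]
    user: str
    system: str
    start: datetime
    end: datetime
    ticket: str  # approval reference; the values used below are constructed
def request_grant(ledger, user, system, when, minutes, ticket):
    """Just-in-time elevation instead of always-on rights: the grant expires by itself."""
    ledger.append(Grant(user, system, when, when + timedelta(minutes=minutes), ticket))

def is_covered(ledger, user, system, when):
    return any(g.user == user and g.system == system and g.start <= when <= g.end
               for g in ledger)

def parse_log(lines):
    """Parse constructed log lines: '<iso-timestamp> key=value key=value ...'."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        events.append({"ts": datetime.fromisoformat(ts), **dict(f.split("=", 1) for f in fields)})
    return events

def review(events, ledger, baseline):
    """Alert on privileged use with no active grant, off-hours use, or an unseen target."""
    alerts = []
    for e in events:
        user, system, ts = e["user"], e["system"], e["ts"]
        hours, known_targets = baseline.get(user, ((9, 18), set()))
        if not is_covered(ledger, user, system, ts):
            alerts.append(("NO_ACTIVE_GRANT", user, system, ts.isoformat()))
        if not hours[0] <= ts.hour < hours[1]:
            alerts.append(("OFF_HOURS", user, system, ts.isoformat()))
        if e.get("action") == "transfer" and e.get("target") not in known_targets:
            alerts.append(("UNSEEN_TARGET", user, e["target"], ts.isoformat()))
    return alerts
# Constructed sample: one approved 30-minute grant, then three privileged actions.
LEDGER = []
request_grant(LEDGER, "ops1", "payment-gw", datetime(2024, 3, 4, 10, 0), 30, "CHG-0001")
BASELINE = {"ops1": ((9, 18), {"ACC-A", "ACC-B"})}  # usual hours and usual transfer targets
LOG = [
    "2024-03-04T10:05:00 user=ops1 system=payment-gw action=transfer target=ACC-A",
    "2024-03-04T10:50:00 user=ops1 system=payment-gw action=transfer target=ACC-A",
    "2024-03-05T02:15:00 user=ops1 system=payment-gw action=transfer target=ACC-Z",
]
def demo():
    return review(parse_log(LOG), LEDGER, BASELINE)
```

Only the first action is silent: the second happens after the grant has expired, and the third trips all three checks at once, which is the kind of combined signal a risk management team would want escalated immediately.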
A malicious insider is a universal challenge for the banking industry. To curb that risk, timely identification of end-user anomalies followed by immediate action is the only way out, and that starts with robust access management.