15 Ways Banks Secure Their Data From Insider Threats
In the finance industry, where lots of information is sensitive and can be used for identity theft, security against insider threats is especially critical.
But it’s not always easy to circle the wagons in ways that would completely foil hackers, or, alternately, people inside of a banking or finance institution who may want to undermine their employers, say, for revenge or commercial gain.
Banks have to always be looking for cutting-edge ways to harden network security, protect data and shield clients from harm. They have to understand the nature of insider threats that so often emerge in these types of companies.
Challenges with Insider Threat Deterrence in Finance
Finance companies do have some pretty tough hills to climb in terms of foiling insider threats.
The underlying problem has to do with access. The companies have to give access to a certain number of people in order to support operations. In other words, you can’t just sit data in a fortress and lock everyone out. People have to be able to do their jobs.
But what experts are finding is that in data breaches and insider threat cyberattacks, people are often the weakest link. A vast number of successful attacks have to do with either recruiting employees with legitimate access to systems, or tricking these people into giving up critical data.
Then, too, modern systems have become more complex. In the old days, many companies used a firewall and other basic perimeter security tools to keep hackers out. But the fabric of cybersecurity and network systems has become a lot more complex these days.
So how do banks make sure that they are doing all they can to protect against insider threats?
Three Types of Insider Threats
To start, there are three common types of insider threats that financial companies and institutions face.
The first one is an intentional or malicious attack.
This is where some active employee has a grudge against the company, or turns traitor due to financial incentives or for some other reason. Then they use their legitimate credentials to attack the company.
For example, J.P. Morgan Chase’s Peter Persaud sold personal identifying information (PII) and PIN numbers to outside parties, and many of the accounts were later targeted. Persaud received a sentence of four years in prison in 2018.
Or there’s this case, where TD Bank employee Janelle Digby, a call center representative, worked with co-conspirators to hand over sensitive client information. Another party associated with Digby got people to open new accounts at the bank for the purposes of defrauding the institution and taking money out of the bogus accounts.
The second type of threat is an unintentional attack that can be called “negligent.”
Here, employees aren’t trying to hack the company, but the outsiders persuade them to turn over information through some kind of deceit or trickery.
How does this work? A telling case involving giant bank HSBC provides some detail. Here’s how a reporter put it in coverage at the Royal Gazette in 2017:
“HSBC Bermuda yesterday apologised after it e-mailed personal information on customers to other account holders. The e-mails contained names, e-mail addresses, countries of residence, the name of the customers’ relationship manager and HSBC customer identification numbers.”
In these types of cases, the latent information can then be used by unscrupulous parties to conduct attacks, which is why HSBC’s release was so grievous.
A third kind of insider threat involves recruitment where outsiders get insiders to flip or turn, to accomplish their objectives.
Late in 2021, the US District Court for the Eastern District of Virginia saw three men charged with money laundering and other crimes, in a case where they allegedly sent false emails to an employee so that they could get access to real transaction information. One of the accused reportedly was found to have worked at Bank of America for some time from 2015 to 2018. Coverage of this incident shows how the hackers had to deceive employees close to the banking transactions.
Whether it’s a malicious insider attack, a case of negligence, or a recruiting setup, the results are still devastating, so businesses have to be on the lookout for all of these scenarios.
How To Protect Data from Insiders of Each Type
The big question is how to ward off each of these three types of insider threats.
Each of these scenarios is different, but all three have some similarities. Some of the same tools, techniques and methods will protect the company against unintentional, intentional or recruiting attacks.
Let’s go over some of the top recommendations from cybersecurity experts that keep companies and their data safe.
In the security world, multifactor authentication (MFA) is recognized as one of the most important tools for separating legitimate users from imposters and frauds. That’s because MFA verifies the person with more than a password when they log into a system.
When a user logs on to a desktop system, the network can request a one-time access code and deliver it to the user’s smartphone. That way somebody can’t impersonate a user unless they’re also carrying that person’s mobile device, which is unlikely.
Multifactor authentication is a gateway to more ironclad security for finance company networks.
Some of these other best practices piggyback on this major adaptation.
In the finance industry, businesses are required to provide proof of their regulatory compliance, which is often done through providing logs and audit trails. Aside from satisfying regulations, audit trails give organizations insights into the exact details of actions taken on a system or relating to particular data.
While auditing isn’t likely to stop an insider threat before it happens, audit trails provide continuous information about the company’s security hygiene. The information provided in these audit trails can also be used by SOC teams to inform their threat intelligence and research, a vital part of any well-rounded cybersecurity approach. The logs and reports contained in an audit trail also provide key information about user and endpoint activity that may help to prevent subsequent attacks, thin an attack surface, and harden systems.
By having breakdowns of activity via audit, organizations are able to better pinpoint vulnerabilities that exist in their current systems and users in order to address them before an attack occurs.
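An audit trail is only evidence if the people it records cannot quietly edit it, which matters most when the suspect is an insider with administrative access. The following is an added example, not code from the original article or from Teramind, of an append-only, hash-chained audit log that answers the question "who did what to this record" and detects after-the-fact edits or deletions; the field names, the sample events and the `teller42`/`ops-bot` actors are constructed for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link of the very first entry


def _entry_digest(entry: dict) -> str:
    """SHA-256 over every field except the entry's own hash, serialised in a
    canonical (sorted-key) JSON form so the digest is reproducible."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's hash,
    so altering or removing an earlier entry breaks every link after it."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, resource: str, ts: str = "") -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: list) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first
    entry whose sequence number, back-link or digest does not check out."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or _entry_digest(e) != e.get("hash"):
            return i
        prev = e["hash"]
    return -1


def actions_on(entries: list, resource: str) -> list:
    """Every (time, actor, action) touching one piece of data."""
    return [(e["ts"], e["actor"], e["action"]) for e in entries if e["resource"] == resource]


def tamper(entries: list, index: int, field: str, value) -> list:
    """Demonstration helper: copy the log and alter one field of one entry."""
    altered = copy.deepcopy(entries)
    altered[index][field] = value
    return altered


def drop_entry(entries: list, index: int) -> list:
    """Demonstration helper: copy the log with one entry deleted."""
    altered = copy.deepcopy(entries)
    del altered[index]
    return altered


def build_sample_trail() -> AuditTrail:
    """Constructed sample events; not data from any real institution."""
    t = AuditTrail()
    t.record("teller42", "read", "account:1001", "2024-03-04T13:05:00+00:00")
    t.record("teller42", "export", "account:1001", "2024-03-04T13:06:30+00:00")
    t.record("ops-bot", "update", "account:2002", "2024-03-04T13:07:00+00:00")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail.entries) == -1)
    print("actions on account:1001:", actions_on(trail.entries, "account:1001"))
    print("first bad entry after edit:", verify_chain(tamper(trail.entries, 1, "actor", "nobody")))
```

One caveat the chain does not cover: cutting off the newest entries leaves a shorter chain that still verifies. That is why the current head hash has to be anchored somewhere the log's own administrators cannot rewrite, such as write-once storage or a periodic signed checkpoint held by a separate team.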
User and Entity Behavior Analytics
Creating secure baselines involves establishing what’s typical for user and endpoint behaviors and then protecting against activities that fall outside of those established behavioral norms. User and entity behavior analytics, or UEBA, is a tool financial institutions use to detect anomalous behaviors that fall outside of what’s considered baseline behavior. For example, a monitoring program might show that employees typically access an app between certain times of the day, like 1 p.m. and 3 p.m. Then, if the program shows an unusual sign-on at, say, 2:00 a.m., the system will alert administrators to let them know unusual activity has been detected.
This simple example comes alongside many different types of logical and heuristic analysis that can catch evidence of suspicious behavior, and go several steps beyond simple behavior monitoring.
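The sign-on-time example above, as an added example that is not part of the original article or any Teramind product: a small detector that learns, per user and application, the hours at which logins normally occur and then classifies new logins against that baseline. The log format, the `min_observations` threshold, the one-hour tolerance and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines (not from any real system): ISO-8601 UTC timestamp
# followed by key=value fields. Six days of alice logging in between 13:00
# and 16:00; bob has too few observations to learn anything yet.
TRAINING_LOG = """\
2024-03-04T13:02:11Z user=alice app=ledger event=login
2024-03-05T14:10:45Z user=alice app=ledger event=login
2024-03-06T13:55:03Z user=alice app=ledger event=login
2024-03-07T15:20:19Z user=alice app=ledger event=login
2024-03-08T14:41:52Z user=alice app=ledger event=login
2024-03-11T13:30:00Z user=alice app=ledger event=login
2024-03-11T13:31:00Z user=alice app=ledger event=logout
2024-03-05T09:00:00Z user=bob app=ledger event=login
2024-03-06T09:05:00Z user=bob app=ledger event=login
"""

# Constructed events to score: a 2 a.m. sign-on, a normal one, and a user
# for whom no baseline exists yet.
NEW_LOG = """\
2024-03-12T02:07:44Z user=alice app=ledger event=login
2024-03-12T16:05:00Z user=alice app=ledger event=login
2024-03-12T03:00:00Z user=bob app=ledger event=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+app=(?P<app>\S+)\s+event=(?P<event>\S+)$"
)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than stop the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "app": m["app"], "event": m["event"]})
    return events


def build_baseline(events: list, min_observations: int = 5) -> dict:
    """Per (user, app): the set of hours-of-day at which logins were seen.
    Pairs with fewer than min_observations logins are left out, because a
    baseline learned from two data points produces noise, not signal."""
    hours = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            hours[(e["user"], e["app"])].append(e["ts"].hour)
    return {k: set(v) for k, v in hours.items() if len(v) >= min_observations}


def _hour_distance(a: int, b: int) -> int:
    d = abs(a - b) % 24
    return min(d, 24 - d)  # circular: 23:00 and 01:00 are two hours apart


def classify(baseline: dict, event: dict, tolerance_hours: int = 1) -> str:
    if event["event"] != "login":
        return "ignored"
    key = (event["user"], event["app"])
    if key not in baseline:
        return "no-baseline"
    if any(_hour_distance(event["ts"].hour, h) <= tolerance_hours for h in baseline[key]):
        return "normal"
    return "anomalous"


def detect(training_text: str, new_text: str) -> list:
    """Learn from the training log, then label each new login."""
    baseline = build_baseline(parse_log(training_text))
    return [(e["ts"].isoformat(), e["user"], classify(baseline, e)) for e in parse_log(new_text)]


if __name__ == "__main__":
    for ts, user, verdict in detect(TRAINING_LOG, NEW_LOG):
        print(f"{ts} {user:8} {verdict}")
```

The "no-baseline" verdict is deliberate: a user the system has not observed enough should be routed for review or held to a static policy, not silently scored as normal. Real deployments add more dimensions (source address, device, volume of records read) in the same way, one baseline per dimension.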
Data analysis is an extremely powerful tool for data security that can foil all sorts of cyberattacks, help with mitigation and detection, limit dwell time and make a company much more agile in its security posture. Teramind’s robust behavior analysis helps clients to fight threats comprehensively, with modern approaches.
IAM and Principle of Least Privilege
Identity and access management, or IAM, is a critical part of data security for banks and finance businesses. With IAM, firms can figure out permissions and access for each individual person deliberately, and have a lot more control over who’s using what tools, accessing what data, and how. The principle of least privilege is part of this, and a helpful way to protect systems and data against anything from a simple data breach to a situation where someone tries to inject malware deep into a network.
Think of IAM as similar to a very specifically programmed set of key cards for a set of hotel rooms: if some malicious person wanted to get in and do anything to one of the rooms, their success would rely on their ability to enter, attack and leave, without people knowing that they were there. IAM in IT shines a light on the sort of cat burglar work that most cyberattacks require.
Roughly, the concept of the principle of least privilege translates to the phrase “a need-to-know basis.” Essentially, planners are working from the basis that each individual user will only have access to what they need in order to perform their particular job role. For example, if sales people don’t need access to certain technical specs, but engineers do, a “least privilege” feature would be to restrict that data by job type, and lock the data away from the sales people, while permitting access to the engineers, who use it as part of their jobs.
The alternative is a wide-open system where everyone shares all data, which creates more vulnerabilities in general.
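The sales-versus-engineers case above, as an added example that is not part of the original article or of any Teramind product: a deny-by-default, role-based permission check, plus a rightsizing report that compares what a user is granted with what they have actually used, which is how least privilege is maintained over time rather than only at onboarding. The roles, resources, users and usage records are all constructed for this example.

```python
# Constructed role table: permission = (action, resource class).
ROLE_PERMISSIONS = {
    "sales":    {("read", "customer_contacts"), ("write", "customer_contacts"),
                 ("read", "price_list")},
    "engineer": {("read", "technical_specs"), ("write", "technical_specs"),
                 ("read", "price_list")},
    "auditor":  {("read", "technical_specs"), ("read", "customer_contacts"),
                 ("read", "audit_log")},
}

# Constructed assignments: users hold roles, never permissions directly.
USER_ROLES = {
    "sara": {"sales"},
    "eli":  {"engineer"},
    "ana":  {"auditor"},
}

# Constructed usage records (user, action, resource) from an access log.
SAMPLE_USAGE = [
    ("eli", "read", "technical_specs"),
    ("eli", "read", "technical_specs"),
    ("sara", "read", "customer_contacts"),
    ("sara", "write", "customer_contacts"),
    ("sara", "read", "price_list"),
]


def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds. An unknown
    user has no roles and therefore no permissions."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: access exists only if some role explicitly grants it."""
    return (action, resource) in permissions_for(user)


def unused_permissions(user: str, usage: list) -> set:
    """Granted permissions the user has never exercised in the observed
    period: candidates for removal in a periodic access review."""
    used = {(a, r) for u, a, r in usage if u == user}
    return permissions_for(user) - used


def access_review(usage: list) -> dict:
    """Rightsizing report for every known user."""
    return {u: sorted(unused_permissions(u, usage)) for u in USER_ROLES}


if __name__ == "__main__":
    print("sara reads specs:", is_allowed("sara", "read", "technical_specs"))
    print("eli reads specs: ", is_allowed("eli", "read", "technical_specs"))
    for user, unused in access_review(SAMPLE_USAGE).items():
        print(f"{user}: unused {unused}")
```

Keeping the check in one function means every application path asks the same question, and the answer for a user or role nobody defined is "no" rather than an exception or a default-allow.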
Risk assessments are also valuable in data security. In fact, conducting risk assessments is one of the pillars of a NIST insider threat program, as presented by this federal agency.
In data security risk assessments, professionals map data to applications, assess risk, and remediate vulnerabilities. They will typically look at risk associated with specific categories. For example, they may take a specific look at risks related to collaboration tools. Or, they may look at different ‘states’ of data – for instance, data in transit, or data at rest in archives. And they may pay particular attention to other auxiliary pieces of business operations such as third-party service accounts.
Password and Biometric Hygiene
Everywhere, IT people are calling for strong passwords…
Password and biometric processes can be a weak link in the data security chain. So this aspect of operations commands its own attention in terms of figuring out how to curb insider threats and cyberattacks. Weak passwords are one of the most common attack vectors when hackers can’t find a foothold on a system any other way: when passwords are weak, hackers can use brute-force attacks to “guess” them and infiltrate the system. Then they can do a lot of damage, because system defenses (and human observers) assume the person is legitimate – after all, they have the password! But when the password is “123” or “password,” it’s just as likely that a black hat entity is running amok in the company network.
Decommissioning and Deprovisioning
Many experienced security pros understand that when systems get overgrown or poorly organized, risk increases significantly.
Companies hit hard by data breaches and insider attacks have learned to quickly decommission an outgoing employee’s accounts and tools. Leaving that access open gives disgruntled employees or other former workers ways to attack that would otherwise be closed off. Decommissioning old systems also changes the attack surface of the network, and makes it easier to see what’s going on inside of it.
This is a major part of insider threat programs.
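The leaver check described above, as an added example that is not part of the original article or of any Teramind product: an offboarding review that joins an HR roster against an account inventory and reports accounts that should have been disabled, accounts whose owner is no longer on the roster at all, and shared or service accounts whose credential a leaver knew and which therefore needs rotating. The roster, the systems, the account names and the `known_to` field are all constructed assumptions of this example.

```python
from datetime import date

# Constructed HR roster: employee id -> name and departure date (None = current).
HR_ROSTER = {
    "e101": {"name": "Alice Ng", "left": None},
    "e102": {"name": "Bo Reyes", "left": date(2024, 2, 29)},
    "e103": {"name": "Cy Adams", "left": date(2024, 3, 1)},
}

# Constructed account inventory gathered from several systems. Shared
# accounts carry the list of people who know the credential.
ACCOUNTS = [
    {"system": "ad", "account": "ang", "owner": "e101", "enabled": True, "shared": False},
    {"system": "ad", "account": "breyes", "owner": "e102", "enabled": True, "shared": False},
    {"system": "vpn", "account": "breyes", "owner": "e102", "enabled": False, "shared": False},
    {"system": "core-bank", "account": "cadams", "owner": "e103", "enabled": True, "shared": False},
    {"system": "core-bank", "account": "svc-recon", "owner": None, "enabled": True,
     "shared": True, "known_to": ["e101", "e102"]},
    {"system": "aws", "account": "old-deploy", "owner": "e999", "enabled": True, "shared": False},
]

AS_OF = date(2024, 3, 4)  # the day the review runs


def has_left(roster: dict, emp_id: str, as_of: date) -> bool:
    rec = roster.get(emp_id)
    return rec is not None and rec["left"] is not None and rec["left"] <= as_of


def review_access(roster: dict, accounts: list, as_of: date) -> list:
    """Return (finding, system, account, detail) tuples:
      disable           - owner has left but the account is still enabled
      orphan            - owner id is not on the roster at all
      rotate-credential - shared credential known to someone who has left"""
    findings = []
    for a in accounts:
        if a["shared"]:
            leavers = sorted(e for e in a.get("known_to", []) if has_left(roster, e, as_of))
            if leavers:
                findings.append(("rotate-credential", a["system"], a["account"], ",".join(leavers)))
            continue
        if a["owner"] not in roster:
            findings.append(("orphan", a["system"], a["account"], a["owner"]))
        elif has_left(roster, a["owner"], as_of) and a["enabled"]:
            findings.append(("disable", a["system"], a["account"], a["owner"]))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, AS_OF):
        print("%-17s %-10s %-11s %s" % finding)
```

Running this on a schedule, rather than relying on a ticket raised by a manager, is what catches the cases that slip through: a VPN account nobody remembered, or a shared service password that a departed employee still knows.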
Training staff is critical for all sorts of data protection. But there are different kinds of training that companies pursue.
For example, it might be useful to spend a portion of training time on equipment-based training – the threats that mobile devices and Internet-connected machines may pose for the company, and how to separate personal device use from company work.
Companies may also train employees on best practices around social engineering attacks.
One example is training employees to recognize suspicious links and to vet any communications with outside parties. Some of the most successful insider attacks happened when hackers were able to convince employees that they were dealing with a trusted party, when in fact, they were really dealing with an imposter.
In addition to these two types of training, companies may spend a lot of time putting employees through context training. That’s where employees learn about all of these other processes, for example, IAM, password and biometric hygiene, insider threat programs and more. As employees learn more about security landscapes, they get more savvy about what it takes to protect systems.
Insider Threat Programs
Experts often consider a business to be more poised to fight insider threats if that company has a formal insider threat program put together. NIST lays out some guidelines, including things like risk assessments and the principle of least privilege (as mentioned).
Secure Infrastructure and Secure Processes
This combined category is a bit broader, and goes to some of the methods around company training mentioned above.
It’s a dual approach – protecting the hardware and network structures that are used, and at the same time, monitoring employee behavior and processes to make sure those are safe as well. For example, banks with finance data on specific servers (and/or data about customers, like social security numbers, bank account numbers, etc.) should figure out whether those servers can be accessed by some back end method, and set up firewalls or other systems to protect those specific pieces of hardware. Or, companies can assess security for virtual machines and components of cloud systems that constitute the hardware in a distributed computing setup.
This is another broader category where security experts might explain that more communication leads to better transparency. As with so many types of business processes, more communication helps everyone to understand the goals and how they are being achieved.
Employee Behavior Monitoring
In general, companies will want to have systems on hand that will observe data activity within the network, whether that involves employees, contractors, vendors and suppliers, or anyone else. The monitoring helps show when a black swan event or suspicious activity may constitute an insider threat, and the business can then move proactively to try to stop any such attack that happens.
Under the principle of continuous communication, push notifications and alerts help show people whether something is happening that they should be aware of and concerned about. That may also factor into a broader insider threat program.
Endpoint analysis has been a prominent part of business cybersecurity for many years.
In the past, companies used to glue USB ports shut to prevent simple data theft with a flash drive. But today, endpoint security goes far beyond that, to identifying where network endpoints can leak sensitive data.
In the above ways, businesses achieve cybersecurity principles that keep their data from black hat actors and malicious parties. Teramind’s deep-level behavior analytics platform provides much of that overall monitoring and business intelligence that stops threats in their tracks, rewarding companies with proactive security mindsets.