Insider Fraud: Work From Home Changes Data Leakage Prevention Paradigm

When it comes to the incidence of insider fraud, the story is not ending the year on a positive note. In fact, data recently released into the marketplace shows trends that are so concerning that financial institutions and the businesses they serve need to add an additional layer of technology and step up their strategy. Otherwise, they risk reputational and capital damage from the bad actors that have made insider fraud an unfortunately hot story in the fraud and financial crime space.

First, the data. According to the Identity Theft Resource Center, there have been 17% more data compromises through September 30 than there were for all of 2020. Drilling down to cyberattacks, that number is up 27 percent over last year. That’s on the more general fraud side of the ledger. IBM reports that the average cost of a data breach rose from $3.8 to $4.2 million.

When it comes to data breaches where remote work of an employee was a factor, the average cost was $1 million higher than those where remote work was not a factor. The percentage of companies where remote work was a factor in the breach was 17.5% and they took 50% longer than it would to catch a simpler data compromise.

Had enough? It gets worse for the global financial services sector. The Bank of International Settlements says that this sector has been hit worse than most other sectors saying “mass migration to WFH can make financial institutions’ staff more vulnerable. As staff work from home through firm-issued and private devices and networks, new risks may arise. In a household, multiple family members could be logging on to the same network, potentially exposing devices to malware that could then enter a firm’s enterprise environment.”

There is little doubt that work from home is here to stay – according to a McKinsey survey over 50% of employees prefer the hybrid model. Financial institutions cannot afford their current status as the most vulnerable as they arguably have the most to lose. So any company, FIs included, that placed a bet on maintaining its existing office-centric insider fraud defenses needs to reconsider its wager.

The industry needs to accept the hybrid work model and all the risks that it brings to data, actual capital, and identity. There are technological differences between a WFH insider fraud prevention approach and a hybrid work prevention approach. To understand how that extra layer of protection works, it’s necessary to know a bit about data leakage prevention (DLP).

Technically speaking data leakage is an unauthorized transmission of data to an external source. It is typically done either by transmitting sensitive data through emails and networks in general or through leaking data from the user device, for example by writing the data to a USB drive. In the traditional office environment three methods have been used, somewhat effectively, to prevent data leakage either intentional or unintentional. The first is checking log files from the company’s server, which is only effective after the breach and when used as an investigative tool.

The second is some version of content filtering, which works well for unintentional data leakage. For example, if an account manager at a wealth management division of an international bank sends emails containing sensitive customer data to a wrong recipient, that is considered data leakage, albeit unintentional. For intentional data leakage however, content filtering can be bypassed.

It works well as part of a firewall against sites available only to a pre-identified list of user names and passwords, or to scan outgoing email or IMs for data that contains social security numbers or credit card numbers. But simply writing information down from a screen that contains sensitive information, or by taking a picture of it via mobile device, can bypass content filters.

Content filtering is a network layer of DLP. Another layer (user device) is often added to protect against writing files to removable storage devices or mobile devices. As stated both used to work to some degree. But these are different times that demand an additional layer of DLP. Called an application layer, it protects against intentional data leakage that’s at the heart of insider fraud. Application layer DLP detects anomalies in the process of accessing the sensitive data, proactively addressing the breach before it occurs. Content filtering sits between the end user and outside devices or networks. Application layer DLP sits between the company’s application server and the end user, preventing those users and their customers from misusing authorized access to data within applications. It evaluates any access of employees to banking systems or other sensitive information and profiles their behavior. It can then detect abnormal access patterns that may indicate data leakage in process.

Application layer DLP is essential for the hybrid work environment. If a worker is at home, or in some other remote location it’s impossible to monitor whether he or she is bypassing DLP tools by taking pictures of screens with sensitive data. What the application layer does is monitor behavior while accessing the sensitive data (rather than when trying to leak it). Suppose a bank employee typically accesses 200 customer accounts on a typical day and is authorized to access double that amount.

The question is not one of authorization but one of how that access is helping said employee do their job. Monitoring or profiling that access behavior can be compared to the employee’s past behavior, or to other employees in a similar role. Simple content filtering could not accomplish that.

Stopping insider fraud was tough enough pre-pandemic. But the distributed workforce has accelerated its difficulty and raised the stakes of its consequences.

Adding a new layer of protection addresses this new reality and gives FIs a fighting chance against bad internal actors.

By Hagai Schaffer, Senior VP, Innovation & Technology of Cyber Fraud and Risk Management at Bottomline