Insider Threat

A recent discovery of a breach of customer data at Fifth Third Bank uncovered a troubling truth. It wasn’t hackers outside the United States that had accessed the information, it was intentionally handed over by employees.   

Starting in 2018, personal information that included Social Security numbers, addresses, and account numbers were provided by a small group of employees at a Florida location of the Cincinnati-based bank.  Fifth Third has since terminated the individuals and is cooperating with authorities to ensure that justice is served on all accounts, but it brings up yet another factor in the ongoing battle against the breach: how do you protect your clients’ businesses from their own team? 

In short answer, you cannot avoid it entirely.  Your clients have to have trust in the employees as human beings, otherwise, they wouldn’t have hired them.  But YOU can help ensure they have safeguards in place that will protect their employees well as their business.  This means that it is critical to help them establish a set of standards that ensures there is a process to provide checks and balances against any possible wrongdoing.    

 How to Prepare 

While there’s not much you can do in regards to the betrayal of one or multiple employees, you can prepare your clients for how to respond to any threats if and when they do occur – that includes both insider and outsider threats. Remind them to discuss procedures and policies openly and recommend they consider setting up an anonymous reporting system that allows potential behavior to be reported and investigated before it becomes a bigger issue.  A zero-tolerance policy is also important.  Encourage client management to conduct regular ongoing reviews to discuss the threat of participating in or ignoring behaviors that could bring down an entire business.  Many businesses don’t survive a breach.  Employees may be more likely to report a colleague if they understand that it could cost them their job as well.   

 Have a Plan in Place? 

Having a solid cybersecurity program in place is critical. That plan should include technical protections, security awareness training, policies and procedures, breach response plans, and more. This is where the benefit of having cyber insurance is critical.   

Every day the tactics and threats evolve that we must guard ourselves against in the fight against cybercriminals.  Overlooking the people “in our own house” must not be ignored in those considerations.