The recent Wespay Fraud Symposium brought together leaders from the banking and credit union space to discuss alarming progressions in fraud trends. While much of the content centered on external threats, Albert Laino, Risk Solutions Team Lead at Bottomline, was able to diversify the content with a discussion around Insider Threat Management-as-a-Service.
In his talk, “KYE (Know Your Employee): Navigating the Evolving Insider Threat Landscape,” Laino makes a case for advanced forms of insider threat detection – including Insider Threat Management-as-a-Service – across the entire employee lifecycle.
Highlighting the need for continuous risk assessment, robust monitoring systems, and a comprehensive approach to insider threat management, Laino also stresses the importance of application-level monitoring to promote deterrence and help provide the necessary data to implement a predictive and proactive insider threat program.
Here, we catch up with Laino just days after the Fraud Symposium for a quick Q&A about new fraud threats (especially from invisible insiders), and how to neutralize them.
Q: What themes were under discussion at the Fraud Symposium? You did something that could be characterized as mildly “disruptive” with your presentation. Tell us about it.
Albert Laino: Presentations primarily focused on external fraud in the retail banking space. However, I noticed a growing interest in addressing insider threats. My presentation aimed to shift the conversation toward the importance of continuous employee monitoring throughout their entire journey with an organization. We discussed how personal changes in an employee's life can impact their behavior and potentially increase risk exposure. This approach ensures that we can account for the natural need for ongoing risk assessment. The same rigor and scrutiny remain in place throughout the whole employment journey, just as they do during the onboarding and hiring stages.
Q: Explain the concept of the "continuous employee journey" and its importance in better fraud prevention.
Laino: The continuous employee journey is about understanding that an employee's risk profile isn't static – it changes over time. Monitoring this involves gathering and analyzing various data points such as job history, access permissions, login patterns, application usage, and so on. By monitoring these factors, we can identify potential risks before they escalate. It's crucial to have a holistic view of an employee's behavior and risk factors, especially during critical periods like promotions, life changes, or the resignation process. What makes this a no-brainer is that all of the data already exists. There is no need to bring in third-party data elements. The employee’s touchpoints with applications and individuals provide a wealth of information to be analyzed.
Q: What are the key elements of a robust insider threat program?
Laino: A robust insider threat program consists of four critical elements: procedures and policies, division of duties, and awareness training. Procedures outline how to handle potential threats and incidents. Policies set clear expectations for employee behavior and data usage. Division of duties ensures that no single employee has unchecked access or authority. Awareness training educates employees about insider threats and their role in prevention. Our research shows that only about 40% of organizations have fully implemented these elements. Even with measures in place, employees become more intimately aware of the gaps within your organization as time passes. This is why application-level monitoring is crucial. It allows us to track user activities within specific applications, providing more detailed and actionable insights than traditional network monitoring.
Q: How does Insider Threat Management-as-a-Service work? What are the benefits?
Laino: Insider Threat Management-as-a-Service is purpose-built analysis of data that can help bubble up internal threat violations to the surface. Using this approach, we are able to synthesize and analyze various data points to identify potential insider risks. The risk indicators are already developed using our decades of experience, and the library of risk indicators increases as new scenarios arise. Essentially, this service continuously monitors employee activities, access patterns, and behavioral changes. It uses advanced analytics and machine learning to detect anomalies and generate alerts based on suspicious patterns or behaviors to stop nefarious activity before it happens. It's an automated, iterative process that learns and adapts to new threats over time.
Q: What advice would you give to banks and corporates looking to enhance their insider threat prevention capabilities?
Laino: First, recognize that insider threats are a significant risk that requires ongoing attention. Most organizations we speak with surprisingly do not have material losses associated with internal risks. This is not because they have ironclad systems in place, but because they lack the tools to run the proper forensics that will allow them to see that a fraudulent event occurred in the first place. Also, change the corporate philosophy, and focus on continuous monitoring and risk assessment rather than point-in-time checks. Invest in application-level monitoring tools to gain deeper insights into user activities. Leverage data analytics and machine learning to identify patterns and anomalies that humans might miss. Regular training and awareness programs are crucial to keep employees informed about risks and responsibilities. Finally, consider adopting Insider Threat Management-as-a-Service to benefit from specialized expertise and advanced technologies without significant upfront investment. The goal is to create a culture of security where preventing insider threats is a shared responsibility.
Q: How do you see insider threat management heading in the near term?
Laino: We're seeing a shift toward more sophisticated, AI-driven monitoring systems that can analyze vast amounts of data in real time. The rise of remote/hybrid work has introduced new challenges, requiring solutions that can effectively monitor employees regardless of their location. There's also a growing emphasis on privacy-preserving technologies that balance security needs with employee privacy rights. I expect to see more integration between insider threat management and other functions, creating a more holistic approach to organizational security, fraud and compliance. Additionally, as regulations around data protection and privacy also change, insider threat management will need to adapt, ensuring compliance while maintaining effectiveness.