
The Fifth Third Bank Breach - Banks and Insider Threats

We’re starting to see a pattern emerge in the reporting that financial institutions use when they’re breached. Fifth Third Bank, one of the top 20 banks in the US, is yet another high-profile organisation to have suffered a major security incident.

First Published 25th February 2020  |  Latest Refresh 13th September 2022


Important Reflare Public Announcement - In the retail space of the ground floor of the Fifth Third HQ Building in Cincinnati is Grater's Ice Cream Store. Behind the counter, they carry a limited edition flavour called 'Cheese Crown', which this writer can confirm is the greatest ice cream on earth! You're welcome.

3 min read  |  Reflare Research Team

In this briefing, we will look at a breach affecting an Ohio bank. While this case does not have much of a broader economic impact by itself, it does serve as an example of the fundamental challenges facing smaller-sized, high-value targets.

What happened?

Cincinnati-based Fifth Third bank confirmed that some employees had stolen and passed on customer data. The recipients of the data were outsiders to the company, the police investigated the suspected culprits, and the associated employees were subsequently fired. At the time of writing, no information is available on the number of victims affected or the kind of data breached.

So with all of these details missing, why are we dedicating a full briefing to this breach? Because it is emblematic of the struggles affecting smaller enterprises with high-value targets and the never-ending struggle against insider threats.

Insider Threats

When someone who is a member of the target organisation works - either alone or in cooperation with outside accomplices or buyers - to subvert the information security safeguards of that organisation, the attack is called an insider attack.

Insiders are notoriously hard to protect against since they usually have at least some legitimate access to IT systems, and their presence in most locations won't raise any alarms. They also know the systems and processes well, so they can operate with far more precision and impunity than external attackers: they do not need to break in, they only need to misuse access they already hold.

Motivations for insider attacks vary widely. Typical scenarios include a disgruntled insider aiming to damage their organisation, a malicious insider seeking to directly derive financial gain for themselves, or a bribed insider being enticed into performing specific actions by external attackers.

The issue with small, high-value targets

Fifth Third Bank is the 16th largest bank in the US. This makes it a desirable target for attackers. At the same time, their size likely causes issues when attracting talent. As we have covered in previous briefings, the available talent pool for information security work cannot keep up with the demand, and this trend is only getting worse.

Small but highly technical companies can entice potential hires with interesting work and learning opportunities. Very large companies can offer high pay and other perks to attract talent. Very small companies or companies with no attractive digital assets often coast by under the radar of attackers. But (relatively) smaller companies with high-value assets find themselves in a bind. They cannot compete on money, perks or work content, which often means they struggle in the talent market to attract the people they need to secure their systems.

Additional challenges created by the pandemic

With workforces moving partially or wholly remote, this challenge has been exacerbated during the COVID-19 pandemic. As former Bank of America CIO David Reilly stated in a recent interview:

“With remote work, the threat profile has further changed, and is driving the need for security and risk practitioners to look at quantifying the risk posed by each employee, third-party, and application access to ensure that data is protected from all aspects.”

Work from home has forced organisations to allow access to more and more critical systems from offsite locations. For the most part, this is a good thing. What previously hindered off-site access was usually non-existent infrastructure and procedures rather than technical challenges or security concerns. However, insider threats are an interesting semi-exception to this pattern. For one, remote access to data is explicitly provisioned, so - if it is done correctly - each employee should only be able to reach the minimal subset of data their role requires. From what we have seen across the industry, the need to lock down remote access has resulted in significantly stricter access control measures than were common before the pandemic. It is also easier to trick a colleague by chatting them up at the water cooler than when you are forced to leave a paper trail on Slack.
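The two controls described above, role-scoped access to customer records and a paper trail of every lookup, are the minimum a bank would want in place against an employee passing data to outsiders. The following is an added example (not code from the page, and not a description of Fifth Third's systems): a hypothetical role table, a permission check that enforces it, and an audit pass that records every access and flags a user who pulls an unusual number of distinct customer records in one hour, which is the pattern a data-stealing insider with otherwise legitimate access tends to leave behind. The roles, branch numbers, events and the hourly threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role policy: which customer records a role may read.
# "own_branch" restricts a user to customers of the branch they work at,
# "any" is a bank-wide investigative role, "none" has no record access.
ROLE_SCOPE = {
    "teller": "own_branch",
    "fraud_analyst": "any",
    "hr": "none",
}

# Constructed threshold: more distinct customers than this in one hour
# by a single user is reviewed as possible bulk extraction.
HOURLY_DISTINCT_CUSTOMER_LIMIT = 25


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    user_branch: str
    customer_id: str
    customer_branch: str
    hour: int  # hour-of-day bucket of the lookup, e.g. 9 for 09:xx


def is_permitted(event: AccessEvent) -> bool:
    """Least-privilege check: can this user read this customer record?"""
    scope = ROLE_SCOPE.get(event.role, "none")  # unknown roles get nothing
    if scope == "any":
        return True
    if scope == "own_branch":
        return event.user_branch == event.customer_branch
    return False


def review_access_log(events, limit=HOURLY_DISTINCT_CUSTOMER_LIMIT):
    """Enforce the policy, keep an audit trail of every attempt (allowed or
    denied), and flag users whose allowed lookups exceed the hourly limit."""
    audit = []          # (user, customer_id, "ALLOW" | "DENY")
    denied = []         # events that violated the role policy
    seen = defaultdict(set)  # (user, hour) -> distinct customers read
    for ev in events:
        allowed = is_permitted(ev)
        audit.append((ev.user, ev.customer_id, "ALLOW" if allowed else "DENY"))
        if not allowed:
            denied.append(ev)
            continue
        seen[(ev.user, ev.hour)].add(ev.customer_id)
    flagged = {user for (user, _hour), customers in seen.items()
               if len(customers) > limit}
    return audit, denied, flagged


def build_sample_events():
    """Constructed sample log: a teller working normally, a teller reaching
    across branches, and an analyst with valid access reading 30 records."""
    events = [
        AccessEvent("alice", "teller", "101", f"C10{i}", "101", 9)
        for i in range(3)
    ]
    events.append(AccessEvent("bob", "teller", "102", "C105", "101", 10))
    events += [
        AccessEvent("carol", "fraud_analyst", "900", f"C2{i:03d}", "10" + str(i % 3), 14)
        for i in range(30)
    ]
    return events


if __name__ == "__main__":
    audit, denied, flagged = review_access_log(build_sample_events())
    print(f"{len(audit)} attempts logged, {len(denied)} denied")
    for ev in denied:
        print(f"DENY {ev.user} ({ev.role}@{ev.user_branch}) -> {ev.customer_id}@{ev.customer_branch}")
    print("flag for review:", sorted(flagged))
```

The point of the split is that the permission check alone would not catch carol: her role legitimately allows every one of those reads, exactly as a bribed or self-motivated insider's access usually does. Only the audit trail, reviewed against a volume baseline, makes the behaviour visible.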

However, at the same time, once data has been accessed it has become significantly easier to exfiltrate. Even with (hugely unpopular) measures such as monitoring employees through webcams, it is trivial - for example - to record what is on a laptop screen in a home setting, out of reach of any control the organisation has on the device itself.

Summary

Insider threats are a complex problem for any organisation to solve. When combined with the difficulty relatively small organisations face in attracting talent, the result is an attack vector that is almost impossible to defend against.
