The misuse of information by insiders – whether it's accidental or intentional – has allowed hackers to infiltrate financial institution security defenses. They have not only cost the institutions millions of dollars, they've put account holders' personally identifiable information at risk.

Insider misuse cases, which include data breaches, abuses of privilege, malware intrusions, payment card skimming, money laundering, and unauthorized hardware and software use, can take months or years to discover.

"They're behind your firewall, getting all up in your data," Verizon's 2016 Data Breach Investigations Report stated. "They are often end users and they are comfortable exfiltrating data out in the open on the corporate LAN."

So just how big is the threat of insider fraud?

"In my opinion, it is a real threat," Gene Fredriksen, chief information security officer for the St. Petersburg, Fla.-based PSCU, said. "I spend a lot of time looking at intelligence, threat vectors, where things are happening, where fraud is happening. There is a big focus on leveraging insider people."

A recent example of internal data misuse involved the hacking of bank customers of the international monetary network SWIFT. The FBI reported at least one bank employee was involved in one incursion resulting in an $81 million theft.

"It can happen anywhere. If a trusted insider is helping commit a crime, there is not much that can stop it besides advanced threat detection, behavioral analytics, privileged management and strict change control," Morey Haber, vice president of technology at the Phoenix-based BeyondTrust, said.

The threat of occupational fraud continues to increase.

"The problem has exploded beyond the means of control and effective monitoring for security and fraud prevention staff to manage," Yong-Gon Chon, CEO/director for the Tampa, Fla.-based Cyber Risk Management, said. "At community financial institutions, it is an even tougher problem as budgets and staff are smaller and not necessarily commensurate to data growth or volume."

Internal threats come in two flavors: malicious and unintentional, Ondrej Krehel, founder/CEO of the New York City-based LIFARS, noted.

"The insider threat is prevalent since most employees do have access to the data," he said.

According to the Verizon report, privilege abuse is at the top of the threat list and 63% of successful attacks involved the use of credentials to gain privileged access. Data mishandling – typically not a malicious activity – follows, with unapproved hardware and software as the third and fourth most common types of data misuse.

In one case in February, the FDIC detected and moved to mitigate a breach of 44,000 customer records after an employee leaving the agency inadvertently downloaded the data to a removable media device. Three months later, the agency reported to Congress that five additional major data breach incidents had occurred since Oct. 30, 2015. In each case, employees with legitimate data access left the agency and inadvertently downloaded personal data.

"It is considerably more dangerous for people to bring in their own laptops to work," Eldon Sprickerhoff, chief security strategist at the Canadian cybersecurity firm eSentire, said. "A company can mandate a certain security policy or posture with software, patch updates and so on. But, they can't really mandate that on machines that come in; they're outside of the IT department's purview and control."

Once a machine has been brought inside and infected, it becomes accessible to an external hacker, as the firewall – the organization's primary defense mechanism – will have been breached, Sprickerhoff pointed out.

Ryan Kalember, SVP, cybersecurity strategy at the Sunnyvale, Calif.-based Proofpoint, said his firm's research showed cybercriminals are actively exploiting human error and curiosity.

"We recently observed a sharp growth in attachment-based email attacks that play on the user's lack of awareness to steal corporate information," he said.

In April, FBI officials warned of a dramatic rise in business email compromises, in which hackers impersonate executives, trusted individuals or vendors to target internal employees with access to financial or sensitive employee data.

According to Proofpoint, malicious emails increased by 66% during 2016's first quarter compared to the last quarter of 2015.

Kalember explained these attacks typically entice users to open attachments and click a button to turn on macros. Then, the malicious macro downloads a Trojan, launching an attack.

Hackers can then potentially steal credentials, transfer funds using compromised credentials, or cripple the entire financial institution's IT infrastructure by encrypting critical information until a large ransom is paid, Farokh Karani, director of North America sales and channels for Quick Heal Technologies, pointed out.

Ransomware can lead to a perfect storm that demonstrates multiple gaps in an organization's security stance, Sprickerhoff noted.

Usually, an infected document passes undetected through mail servers and past a user's anti-virus system. Not only does it take advantage of a gap in security training, it might also infect more files than necessary because the user had broader access to files than he or she should have, he said.

Security technology and education can help financial institutions monitor all types of internal fraud. To combat wire fraud, Alma Angotti, managing director for the Chicago-based Navigant's Global Investigations and Compliance practice, recommended implementing very tight rules around the wiring of account funds, requiring a valid letter of authorization and training staff to scrutinize possible red flags.

Karani recommended IT departments add layers of protection, such as anti-spam systems to filter out phishing emails, and scanning attachments for malware at the server level. He also suggested implementing anti-virus and data loss/leakage prevention systems to keep corporate data secure on all desktops and laptops.

"Reducing the number of inbound phish, assessing clicks at click time regardless of whether users are at their desks or on mobile, and supplementing legacy email gateways with targeted attack protection and automated threat response are all crucial aspects of a modern security posture," Kalember said.

He added credit unions must invest in detecting insider accounts that behave oddly, in addition to solutions for inbound threats, and identifying and quarantining sensitive information.

"Doing fraud analytics can be a very powerful means of identifying anomalies across user data," Chon said, adding that fraud analytics often require the fusion of multiple disparate sources of information to identify patterns of behavior that can lead to pinning down suspicious activity.

"Good defense against employees starts with having a healthy level of suspicion toward all employees," the Verizon report stated.

Promoting user awareness, including helping users understand the value of the information they process, and education can help prevent accidental breaches as well as targeted and advanced attacks, the Verizon report noted.

Sprickerhoff provided a checklist to help financial institutions ensure their cybersecurity essentials are covered, which includes:

  1. Recognize how most common successful attacks are initiated.

  2. Publish an acceptable use policy.

  3. Enforce a rigorous password policy.

  4. Minimize the number of users with administrative privileges.

  5. Ensure patching is up to date and done in a timely manner.

  6. Ensure all security infrastructure is updated and running properly.

  7. Ensure backups are regularly performed (and tested).

  8. Log system accesses, and regularly review and look for anomalies.

  9. Implement a continuous monitoring methodology.

  10. Don't forget about physical security (such as locked doors and encryption).

Credit unions can no longer believe they are too small to worry, Sprickerhoff said.

"The bad guys don't care if it's a big company or a small company when they can get $50,000 in a shot, whether by email spoofing or ransomware," he said. "The less protected a firm is, the better for them. The easier the better."


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).