Insider Threat in Indian BFSI: Detection, UEBA, HR Coordination

Manish Garg · Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Insider threats in Indian BFSI account for 5-8% of incidents — small percentage, large impact. Disgruntled employees, contractors with retained access, financially stressed operators with admin privilege. This article covers detection patterns, the UEBA + DLP stack, and the HR-coordination workflow for sensitive investigations.

The insider categories

  • Malicious insider — intentional theft, sabotage, fraud (rare but high-impact)
  • Negligent insider — accidental data leakage, password sharing, USB use (common)
  • Compromised insider — phished or recruited externally, then operating from within (intermediate)
  • Departed insider — former employee with retained access (frequent)

Detection patterns

Anomalous data access

-- Sudden volume increase in DB queries
-- (last 7 days vs. the weekly average of the preceding ~12 weeks; PostgreSQL syntax)
SELECT user_id, query_count, baseline_count
FROM (
  SELECT user_id,
         COUNT(*) FILTER (WHERE query_time > NOW() - INTERVAL '7 days') AS query_count,
         COUNT(*) FILTER (WHERE query_time BETWEEN NOW() - INTERVAL '90 days'
                                              AND NOW() - INTERVAL '7 days') / 12.0 AS baseline_count
  FROM db_audit
  GROUP BY user_id
) AS stats
WHERE query_count > baseline_count * 3
  AND query_count > 50;   -- absolute floor so a near-zero baseline does not fire on noise

-- Access to records outside normal scope
-- (employee's normal scope = their assigned customers / region)
-- NOT EXISTS rather than NOT IN: a NULL customer_id in the assignments table would silently empty a NOT IN result
SELECT l.employee_id, l.customer_id, l.access_time
FROM customer_access_log l
WHERE NOT EXISTS (
  SELECT 1
  FROM employee_assignments a
  WHERE a.employee_id = l.employee_id
    AND a.customer_id = l.customer_id
);

Anomalous outbound

-- Large data transfer to external destinations
SELECT user_id, dst_domain, SUM(bytes_out) AS total_bytes
FROM proxy_logs
WHERE _time > NOW() - INTERVAL '30 days'
  AND dst_domain NOT IN (SELECT domain FROM business_destinations)
GROUP BY user_id, dst_domain
HAVING SUM(bytes_out) > 500*1024*1024;  -- 500MB

-- USB / removable media usage
-- (Windows Security event ID 6416 "new external device recognized", or similar endpoint/DLP telemetry)
SELECT user, device_id, file_count, total_bytes
FROM endpoint_usb_telemetry
WHERE event_type = 'usb_mount'
  AND _time > NOW() - INTERVAL '30 days'
ORDER BY total_bytes DESC;

Behavioural anomalies

  • Login outside normal hours (especially evenings/weekends)
  • Login from new locations / devices
  • Privileged access spike
  • Email forwarding rule changes
  • Mass document download from SharePoint / file shares
  • Resignation / termination notice + access pattern change in following weeks

UEBA platforms

User and Entity Behaviour Analytics tools (Splunk UBA, Microsoft Sentinel UEBA, Exabeam, Securonix) ingest these signals and produce risk scores per user. Investigation workflow:

  • Daily review of top-N highest-risk users
  • Specific risk threshold triggering escalation
  • HR + Legal involvement before subject is contacted
  • Forensic-grade evidence preservation if action will be taken
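The behavioural signals listed above are what a UEBA platform aggregates into a per-user risk score; the following is an added, self-contained example of that scoring loop in Python, not code from the article or from any of the named products. Signal names, weights, the escalation threshold, the business-hours window, the known-device baseline and the sample events are all constructed for illustration. The privileged-access rule reuses the same "3× baseline plus an absolute floor" shape as the article's DB-query pattern.

```python
"""Added example (not from the article): a minimal UEBA-style risk scorer.

It maps raw events to the behavioural signals listed above, sums constructed
weights per user, ranks the top-N users for daily review and marks the users
who cross the escalation threshold (the point at which HR + Legal are looped
in before anyone contacts the subject).
"""
from datetime import datetime, time

# Constructed weights and thresholds; tune to your own environment.
WEIGHTS = {
    "off_hours_login": 10,
    "new_device_login": 15,
    "privileged_access_spike": 25,
    "forwarding_rule_change": 20,
    "mass_download": 30,
    "resignation_notice": 20,
}
ESCALATION_THRESHOLD = 60
BUSINESS_START, BUSINESS_END = time(8, 0), time(20, 0)
MASS_DOWNLOAD_MIN = 500
PRIV_SPIKE_FACTOR, PRIV_SPIKE_FLOOR = 3, 10

# Constructed baseline: devices each user normally logs in from.
KNOWN_DEVICES = {"alice": {"LT-0123"}, "bob": {"LT-0456"}, "carol": {"LT-0789"}}

# Constructed sample events (2026-04-19 is a Sunday, 04-20 a Monday).
SAMPLE_EVENTS = [
    {"user": "alice", "type": "login", "ts": "2026-04-20T10:05:00", "device": "LT-0123"},
    {"user": "alice", "type": "login", "ts": "2026-04-21T09:40:00", "device": "LT-0123"},
    {"user": "alice", "type": "priv_access", "ts": "2026-04-21T12:00:00", "count_7d": 6, "baseline_7d": 5},
    {"user": "bob", "type": "login", "ts": "2026-04-19T23:30:00", "device": "LT-0456"},
    {"user": "bob", "type": "login", "ts": "2026-04-20T22:50:00", "device": "UNKNOWN-7"},
    {"user": "bob", "type": "mailbox_rule", "ts": "2026-04-21T08:00:00", "action": "forward_external"},
    {"user": "bob", "type": "file_download", "ts": "2026-04-21T18:00:00", "count": 1200},
    {"user": "bob", "type": "priv_access", "ts": "2026-04-21T12:00:00", "count_7d": 40, "baseline_7d": 5},
    {"user": "bob", "type": "hr_event", "ts": "2026-04-15T00:00:00", "action": "resignation"},
    {"user": "carol", "type": "file_download", "ts": "2026-04-21T11:00:00", "count": 30},
    {"user": "carol", "type": "login", "ts": "2026-04-21T11:00:00", "device": "LT-0789"},
]


def is_off_hours(ts: str) -> bool:
    """Weekend, or outside the constructed 08:00-20:00 business window."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.time() < BUSINESS_END)


def signals_for(event: dict) -> set:
    """Map one raw event to the behavioural signal(s) it triggers."""
    kind, user = event["type"], event["user"]
    fired = set()
    if kind == "login":
        if is_off_hours(event["ts"]):
            fired.add("off_hours_login")
        if event["device"] not in KNOWN_DEVICES.get(user, set()):
            fired.add("new_device_login")
    elif kind == "mailbox_rule" and event["action"] == "forward_external":
        fired.add("forwarding_rule_change")
    elif kind == "file_download" and event["count"] >= MASS_DOWNLOAD_MIN:
        fired.add("mass_download")
    elif kind == "priv_access":
        # Same shape as the DB-query rule: 3x baseline AND an absolute floor.
        spike = event["count_7d"] > PRIV_SPIKE_FACTOR * event["baseline_7d"]
        if spike and event["count_7d"] > PRIV_SPIKE_FLOOR:
            fired.add("privileged_access_spike")
    elif kind == "hr_event" and event["action"] in ("resignation", "termination_notice"):
        fired.add("resignation_notice")
    return fired


def score_users(events):
    """Per-user (score, sorted signal list). Each signal counts once per user,
    so ten off-hours logins do not inflate the score more than one does."""
    fired_by_user = {}
    for ev in events:
        fired_by_user.setdefault(ev["user"], set()).update(signals_for(ev))
    return {u: (sum(WEIGHTS[s] for s in sigs), sorted(sigs)) for u, sigs in fired_by_user.items()}


def top_n(scores, n):
    """Daily review list: highest score first, user name as a stable tie-break."""
    return sorted(((u, s[0]) for u, s in scores.items()), key=lambda x: (-x[1], x[0]))[:n]


def escalations(scores):
    """Users at or above the threshold that triggers HR + Legal involvement."""
    return sorted(u for u, (score, _) in scores.items() if score >= ESCALATION_THRESHOLD)


if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS)
    for user, score in top_n(scores, 5):
        print(f"{user:8} {score:4}  {', '.join(scores[user][1])}")
    print("escalate before subject contact:", escalations(scores))
```

Counting each signal once per user is a deliberate choice: it keeps the score bounded and makes it a statement about how many independent indicators co-occur, which is the pattern the list above describes (a resignation notice alone is not an alert; a resignation notice plus a new device, an external forwarding rule and a mass download is).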

HR + Legal coordination

Insider investigations differ from external — the subject is your colleague. The runbook:

  1. Initial detection by SOC / fraud-monitoring team
  2. Escalation to CISO + Head of HR + GC
  3. Joint-team investigation (Security + HR + Legal)
  4. Contemporaneous documentation (every decision, who attended, what was said)
  5. Subject not directly contacted until evidence is sufficient and decisions made
  6. If termination: simultaneous access revocation + interview + handover plan
  7. If law enforcement: coordinated with GC + external counsel

The departed-employee gap

Common finding: ex-employees retaining access for weeks or months due to incomplete offboarding. Detection:

-- Cross-reference HRIS terminations against AD account status
-- Two findings in one pass: still enabled after a 5-day grace period,
-- or any login after the termination date (even if the account has since been disabled)
SELECT t.employee_id, t.termination_date, ad.account_enabled, ad.last_login
FROM terminations t
JOIN active_directory ad ON t.employee_id = ad.employee_id
WHERE (t.termination_date < NOW() - INTERVAL '5 days' AND ad.account_enabled = TRUE)
   OR ad.last_login > t.termination_date;

Mitigation: HRIS → IAM integration with same-day account disable. SaaS deprovisioning automation. Quarterly access review.
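The reconciliation above is a single directory; in practice the same check has to run across AD, VPN and every SaaS tenant, and it has to cope with rehires and with accounts that have no HRIS record at all (typically contractors). The following is an added example of that reconciliation in Python, not code from the article. The HRIS feed shape, the account inventory, the 5-day grace window and the sample records are constructed; a real HRIS → IAM integration would replace the in-memory lists with connector calls.

```python
"""Added example (not from the article): reconcile an HRIS feed against an
account inventory spanning several systems and emit same-day disable actions.

Findings:
  enabled_after_grace     account still enabled > GRACE_DAYS after termination
  login_after_termination any login after the termination date (disabled or not)
  no_hr_record            account with no HRIS identity (orphan / contractor gap)
Rehired or otherwise active employees are skipped.
"""
from datetime import date

GRACE_DAYS = 5  # constructed; mirrors the 5-day window used in the SQL above

# Constructed HRIS extract: every known identity with current status.
HRIS = [
    {"employee_id": "E100", "status": "terminated", "termination_date": "2026-04-10"},
    {"employee_id": "E200", "status": "terminated", "termination_date": "2026-04-24"},
    {"employee_id": "E300", "status": "active", "termination_date": None},  # rehired
    {"employee_id": "E400", "status": "terminated", "termination_date": "2026-04-01"},
    {"employee_id": "E500", "status": "active", "termination_date": None},
]

# Constructed account inventory across systems (last_login may be unknown).
ACCOUNTS = [
    {"employee_id": "E100", "system": "ad", "enabled": True, "last_login": "2026-04-18"},
    {"employee_id": "E100", "system": "crm_saas", "enabled": True, "last_login": None},
    {"employee_id": "E200", "system": "ad", "enabled": True, "last_login": "2026-04-23"},
    {"employee_id": "E300", "system": "ad", "enabled": True, "last_login": "2026-04-20"},
    {"employee_id": "E400", "system": "ad", "enabled": False, "last_login": "2026-04-03"},
    {"employee_id": "E400", "system": "vpn", "enabled": True, "last_login": None},
    {"employee_id": "C900", "system": "vpn", "enabled": True, "last_login": "2026-04-20"},
]
AS_OF = date(2026, 4, 26)


def find_gaps(hris, accounts, as_of):
    """Return one finding dict per (account, reason) that needs follow-up."""
    by_id = {rec["employee_id"]: rec for rec in hris}
    findings = []
    for acct in accounts:
        rec = by_id.get(acct["employee_id"])
        if rec is None:
            # No HR identity behind this account: offboarding can never trigger for it.
            findings.append({**acct, "reason": "no_hr_record"})
            continue
        if rec["status"] != "terminated":
            continue  # active or rehired: nothing to disable
        term = date.fromisoformat(rec["termination_date"])
        if acct["enabled"] and (as_of - term).days > GRACE_DAYS:
            findings.append({**acct, "reason": "enabled_after_grace"})
        if acct["last_login"] and date.fromisoformat(acct["last_login"]) > term:
            # Fires even for a now-disabled account: evidence of use after exit.
            findings.append({**acct, "reason": "login_after_termination"})
    return findings


def disable_actions(findings):
    """(employee_id, system) pairs the IAM connector should disable today."""
    return {(f["employee_id"], f["system"]) for f in findings if f["reason"] == "enabled_after_grace"}


if __name__ == "__main__":
    gaps = find_gaps(HRIS, ACCOUNTS, AS_OF)
    for f in gaps:
        print(f"{f['employee_id']:6} {f['system']:10} {f['reason']}")
    print("disable now:", sorted(disable_actions(gaps)))
```

Note that "login after termination" is reported separately from "still enabled": the first is an investigation lead for the HR/Legal runbook above, the second is an automation action. E200 in the sample is inside the grace window and produces nothing, which is the trade-off the 5-day window buys; with a true same-day HRIS → IAM disable the window can be zero.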

The takeaway

Insider threats need a different detection mindset than external ones. UEBA + DLP + HR/Legal coordination + offboarding rigour together close the gap. The financial impact of one well-executed insider event can exceed that of multiple external breaches; the investment in the program is justified by the long-tail risk reduction.
