Cyber insecurity: Managing the threat from within

By Chris Bush, Head of Security, ObserveIT, a Proofpoint company

No industry experiences a higher volume of online attacks than financial services, and more than half of those attacks (58%) come from insiders (Forrester 2019). Even more eye-opening is that the financial services sector experiences the highest cost of insider threats, at $12.05 million per year.


An insider threat can happen when someone close to an organisation with authorised access misuses it to negatively impact the organisation’s critical information or systems. This makes all organisations vulnerable from the inside out. Crucially, that person does not necessarily need to be an employee – third party vendors, contractors and freelancers, and trusted business partners could pose a threat as well.

Often, when companies think about data loss, they naturally think of it as a data problem. They prioritise visibility into data when it is really a people problem. After all, data does not move itself; people move data. Yet employees, privileged users and third parties must be given access to critical applications, systems and data to do their jobs effectively. So, what can companies do?

As a first step, it is vital to understand what motivates an insider threat. By knowing what types of insider threat exist within your organisation, along with their likely motivations and characteristics, it becomes easier to recognise if and when your organisation has suffered an insider data breach or incident.

Perhaps the best-known insider cases to those in the financial services world are those driven by malicious intent. For example, a front office employee who is about to jump ship to a competitor decides to take proprietary trading strategies or client research to their next employer, exfiltrating that intellectual property via email, by printing the files or by copying them to a USB drive. In the hedge fund and proprietary trading world, significant sums of money and competitive advantage are at stake when malicious insiders get away with it. Even in the back office, privileged users may attempt to manipulate trading systems or reconciliation servers for financial gain or out of professional frustration.

Yet many insider breaches are caused accidentally, driven principally by negligence or poor security hygiene. Think for a moment about how a well-meaning quantitative developer may mistakenly leave servers in the cloud unprotected. Equally, convenience often overpowers almost everything else: if your cybersecurity policies and tools make it difficult for insiders to do their work quickly and efficiently, they will likely look for ways around the systems in place. And, lest you believe these accidents are trivial, negligence-based insider threat incidents are three times more frequent than malicious insider activity and consume many hours of Security Operations time to remediate. Such accidents also cost organisations an average of $3.8 million per year.

Whether intentional or accidental, it is understandable that user-posed risks to critical IP leave many financial management firms worried about insider threats. However, there are many ways companies can be empowered to protect themselves from the inside out. Insider risks can be identified and reduced when companies invest in a people-centric Insider Threat Management strategy: one that is driven by technology, offering visibility and context into what users are doing, when, where, why and how, but also supported by policies and processes that empower employees and trusted insiders to be part of the solution rather than the problem.

When it comes to technology, financial services firms often have mature security programmes that are also expected to run lean. Those demands heighten the need for comprehensive insider threat detection that can catch insider activity over both classic vectors (email, print jobs, USB storage) and newer channels (file-sharing apps, cloud storage sync clients and more).

In theory, traditional endpoint DLP can look like the answer, but what it fails to detect is the change in behaviour or out-of-policy conduct that indicates a malicious or negligent breach in progress. DLP agents are heavy on the endpoint and do not provide enough context on user activity alongside data activity. Similarly, though many SIEM and UEBA tools can detect anomalous user behaviour, they cannot tie that behaviour to the specific critical IP involved, so they cannot tell the whole story of how a breach came about.

Companies need solutions that provide full, granular visibility into the who, what and why behind any breach. With the full context around user and data activity, security teams can separate accidental from malicious activity and respond appropriately, whether through prevention technology, user education or more punitive measures. Crucially, with this level of detail, businesses can put changes into action to prevent the situation from recurring and save valuable time. It may come as a surprise that, on average, it takes 72 days to contain an insider threat incident; without the right tools it can take weeks, months or even years to piece together what happened.
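To make the "who, what and how" correlation concrete, here is an added example (not ObserveIT or Proofpoint code) that joins three constructed feeds: a file-classification table standing in for DLP labels, an HR list of users on notice, and pipe-separated endpoint activity events. It flags sensitive files leaving over the classic vectors named above (USB, print, email) and a cloud sync folder, then attaches the user's preceding activity and an intent indicator so an analyst can separate a likely malicious case from a likely negligent one. The log format, file paths, user names, the Dropbox and /media/ path checks and the 30-minute window are all assumptions made for the illustration.

```python
"""Correlate endpoint activity with data sensitivity and HR context.

Added example, not vendor code. All inputs below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for DLP/classification labels on the file share.
SENSITIVE_FILES = {
    "/shares/trading/strategies/alpha_model.xlsx": "trading-strategy",
    "/shares/research/client_book.pdf": "client-research",
}
# Constructed HR feed: users who have handed in their notice.
LEAVERS = {"jsmith"}

# Constructed endpoint events: timestamp|user|host|action|target
# (file_copy targets are "src>dst"; print/email_attach targets are the file).
LOG_LINES = """\
2024-03-04T09:02:11|jsmith|ws-frontoffice-07|file_read|/shares/trading/strategies/alpha_model.xlsx
2024-03-04T09:05:40|jsmith|ws-frontoffice-07|usb_mount|/media/jsmith/KINGSTON
2024-03-04T09:06:02|jsmith|ws-frontoffice-07|file_copy|/shares/trading/strategies/alpha_model.xlsx>/media/jsmith/KINGSTON/alpha_model.xlsx
2024-03-04T10:15:00|aquant|ws-quant-02|file_read|/shares/research/client_book.pdf
2024-03-04T10:16:30|aquant|ws-quant-02|file_copy|/shares/research/client_book.pdf>/home/aquant/Dropbox/client_book.pdf
2024-03-04T11:00:00|bops|ws-backoffice-01|file_read|/shares/ops/reconciliation_notes.txt
2024-03-04T11:01:00|bops|ws-backoffice-01|print|/shares/ops/reconciliation_notes.txt
2024-03-04T14:40:00|jsmith|ws-frontoffice-07|email_attach|/shares/research/client_book.pdf
""".splitlines()


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    target: str


def parse_event(line: str) -> Event:
    """Parse one pipe-separated activity record (assumed format)."""
    ts, user, host, action, target = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), user, host, action, target)


def exfil_channel(ev: Event):
    """Return (channel, source_path) if the event moves a file off the share, else None."""
    if ev.action == "file_copy":
        src, dst = ev.target.split(">", 1)
        if dst.startswith("/media/"):          # assumed removable-media mount point
            return "usb", src
        if "/Dropbox/" in dst:                 # assumed cloud sync folder
            return "cloud-sync", src
        return None
    if ev.action == "print":
        return "print", ev.target
    if ev.action == "email_attach":
        return "email", ev.target
    return None


@dataclass
class Finding:
    user: str
    host: str
    channel: str
    label: str
    path: str
    intent: str
    timeline: list = field(default_factory=list)


def correlate(lines, window=timedelta(minutes=30)):
    """Join activity (behaviour), classification (data) and HR state (context)."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        hit = exfil_channel(ev)
        if hit is None:
            continue
        channel, src = hit
        label = SENSITIVE_FILES.get(src)
        if label is None:
            continue  # non-sensitive data leaving is noise for this detection
        intent = ("malicious indicator: user on notice" if ev.user in LEAVERS
                  else "possibly negligent: verify business need, educate")
        # The user's own activity in the preceding window tells the story.
        timeline = [f"{e.ts.time()} {e.action} {e.target}"
                    for e in events[: i + 1]
                    if e.user == ev.user and ev.ts - e.ts <= window]
        findings.append(Finding(ev.user, ev.host, channel, label, src, intent, timeline))
    return findings


if __name__ == "__main__":
    for f in correlate(LOG_LINES):
        print(f"{f.user}@{f.host}: {f.label} via {f.channel} -> {f.intent}")
        for step in f.timeline:
            print("    ", step)
```

Run stand-alone it prints three findings (USB, cloud sync and email) and none for the back-office print of an unclassified file. The value is in the join: the DLP label alone says a sensitive file moved, the behaviour stream alone says a user mounted a USB stick, and the HR feed alone says someone is leaving; only together do they support choosing between a punitive response and an education one.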

Ultimately, quickly detecting and containing the insider threat is essential to managing both the data security risk and the expenditure that comes with limiting a breach's impact on the company's bottom line. With the right detection and prevention technology, plus supporting policies and processes in place, exposure to unnecessary risk is significantly reduced. A further benefit is that with visibility into user activity across the estate, organisations can not only catch and stop insider threats but also better evidence compliance with regulatory requirements, a big plus for those in the financial services sector.
