    Keeping data in the vault: insider breach risk in financial services


    Published by Gbaf News

    Posted on May 18, 2020


    By Tony Pepper, CEO, Egress

    Financial services organisations are trusted with far more than just money; they are also responsible for keeping customers’ highly sensitive personal and financial data under lock and key. We’re hyper-aware that the growing value of this data means financial organisations are prime targets for malicious cyberattacks – but this isn’t the only threat they face. In fact, not a day passes without these firms’ own employees putting data at risk from within.

    You might think that, when it comes to reducing overall breach risk, employees represent low-hanging fruit – surely it is easier to control the actions of a company’s own team members than it is to defend against external attackers? However, this is not the reality experienced by financial firms worldwide. While external attackers are always motivated by malicious intent, the employee population is far more heterogeneous and, in a sense, much more human. This makes understanding and mitigating insider risk a more nuanced exercise. Just because it is difficult, however, doesn’t mean it is impossible. It’s crucial that financial services companies shift the dial on insider risk and reduce breach frequency, because the penalties for failing to do so are becoming increasingly draconian and the repercussions from customers much more severe.

    The recent Egress Insider Breach Survey aimed to understand the different attitudes towards data sharing and ownership among employees in financial services companies and the approaches that IT leaders in the sector are taking to managing insider breach risk.

    We found a whole range of diverse profiles of people who put sensitive financial data at risk for very different, but very human, reasons. Some need monitoring to keep their less-than-honest traits from getting the better of them, while others need a helping hand to save them from making genuine, well-meaning mistakes. And across all respondents, we also found confusion over who really owns data, contributing to the more cavalier attitudes displayed by some.

    Deliberate “data breachers” – from well-intentioned but reckless to disaffected and destructive

    Our study found that the financial services sector has more than its fair share of deliberate “data breachers”. Of the thousand employees we questioned, almost a third (32%) said they or a colleague had intentionally broken company policy when sharing or removing information in the past year. This compares with just 15% of healthcare workers and 11% of government sector employees.

    The reasons given for this deliberate flouting of security policy varied. One-third said they were simply trying to get their job done but didn’t have the appropriate tools to share data safely. On the face of it we might have some sympathy with those employees, but would consumers and businesses want to bank with those firms?

    It’s more difficult to be sympathetic with those motivated by self-gain, including the 41% who took data with them because they were moving to a new job. And we have even less sympathy for the 15% who compromised data because they were angry with the company and wanted to deliberately cause harm.

    Operator error – mobile, tired, under pressure

    Even with their firm’s best interests at heart, employees still make mistakes. 30% of financial sector workers said they or a colleague had caused an accidental data breach in the past year – again more than twice as many as their public sector counterparts. A third had sent an email to the wrong person and a further third had clicked on a link in a phishing email.

    Their reasons behind these breaches varied from the pressure of working in a stressful environment, to tiredness and rushing. A significant proportion, however, said they made an error due to using a mobile device – and given the current requirement for mobile remote working during this COVID-19 pandemic, this is a definite cause for concern.

    Breach detection gaps and technology limitations

    Next, we examined what IT leaders in the sector have in place to mitigate insider breach risk. Concerningly, 60% said the most likely way they would discover an insider data breach was via internal hand-raiser reporting by either the employee themselves or a colleague. Only one third felt that their breach detection systems would pick up the issue.

    In a similar vein, traditional data protection technology use was surprisingly inconsistent across financial firms. Email encryption, anti-malware and secure collaboration software were in use by fewer than half of financial sector companies. Again, this raises the question of whether consumers and businesses would be willing to trust their data to financial firms if they knew they didn’t have systems in place to protect it.

    So, why is this the case? From the data we uncovered, it seems as though organisations are resigned to a proportion of insider breach incidents occurring, accepting them as an inevitable result of doing business and employing people. But this doesn’t need to be the case. It is possible to apply human layer security solutions to mitigate these risk factors and make a positive impact on breach frequency figures.

    Human layer security – a helping hand and a watchful eye

    Take the issue of rushing or tiredness. This can lead to users adding the wrong recipients to emails or failing to spot the subtle changes in familiar email addresses that denote targeted phishing attempts. This risk can be overcome with tools that use contextual machine learning to analyse what good security behaviour looks like for each user and support them with alerts that tell them they’ve added an unusual recipient to an email, or that they are about to answer a phishing email. A small prompt is all these users need to stop them from making an error and causing a data breach.

    Similarly, when using mobile devices with smaller screens, it is very easy to choose the wrong attachment and send sensitive data outside the organisation to the wrong recipient or to the right person unprotected. If an employee is less than honest, our always-on, constantly connected culture also enables them to deliberately do so too. However, it is possible to stop these incidents with an intelligent solution that scans email and attachment content and identifies data such as personally identifiable information (PII) or bank account details to alert users that they are about to send information to an unauthorised recipient, or without the correct level of encryption applied. If the user persists, the risky email can be blocked from being sent and administrators alerted to a potentially intentional attempt to breach data, so they can respond accordingly.
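The outbound check described above, as an added sketch that is not Egress code or part of the original article: it scans message text for IBANs and payment card numbers, validates candidates by checksum to cut false positives, then warns the sender or blocks and alerts administrators. The domain list, function names and action labels are assumptions, and attachment text is assumed to have been extracted already.

```python
import re

# Assumption: domains this organisation treats as authorised recipients.
AUTHORISED_DOMAINS = {"examplebank.test", "auditor.test"}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def iban_valid(candidate):
    """ISO 13616 mod-97 check: filters out strings that merely look like IBANs."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return 15 <= len(s) <= 34 and int(digits) % 97 == 1

def luhn_valid(candidate):
    """Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the kinds of financial identifiers found in the text."""
    kinds = set()
    if any(iban_valid(m.group()) for m in IBAN_RE.finditer(text)):
        kinds.add("iban")
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        kinds.add("card")
    return kinds

def evaluate(body, recipients, encrypted, user_persisted=False):
    """Decide what happens to an outbound message: allow, warn or block."""
    kinds = find_sensitive(body)
    unauthorised = [r for r in recipients
                    if r.rsplit("@", 1)[-1].lower() not in AUTHORISED_DOMAINS]
    if not kinds or (not unauthorised and encrypted):
        return "allow"
    # First attempt prompts the sender; persisting blocks and notifies admins.
    return "block_and_alert_admin" if user_persisted else "warn_user"
```
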

    Ultimately, the most effective way to address human-activated threats to security is by implementing tools that support and manage users when they are at their most humanly vulnerable: tired, rushing, under pressure, angry or self-interested. As our research and wider evidence shows, the financial services sector is more than averagely vulnerable to insider data breaches, meaning human layer security must be a priority for IT leaders in the field if they hope to reduce breach frequency and keep sensitive data firmly in the vault.
