By Renee Tarun, deputy CISO, Fortinet
All organizations are susceptible to insider threats. The latest data shows that the number of insider incidents has increased by 47% over the past two years, now affecting more than 34% of businesses. Two-thirds of organizations now consider malicious insider attacks or accidental breaches more likely than external attacks.
And organizations in the financial services sector are a prime target for insider threats because they are more lucrative for the insider. They hold the crown jewels when it comes to data that can be resold on the black market – financial and personal data. Banks store details on bank accounts, credit card information, SSNs and other government IDs, and additional personally identifiable information (PII). And they have a lot of it! They process it, transfer it, and store it – whether in the cloud or on-premises.
In most cases, malicious insiders are driven by financial gain. They often look to steal information that can be sold on the Dark Web. While credit card data is common, cards that include a CVV code (the numbers on the back of the card) are worth much more. Banking information combined with PII is also quite valuable. But bank accounts that can transfer funds are worth the most. For cybercriminals, vulnerable banks are a gold mine, making financial services organizations the perfect target. That is why, according to the 2019 Verizon Data Breach Report, 36% of breaches in financial services were the result of an internal threat, which is above the norm for other market sectors.
Insiders Come in Many Forms
An insider threat can be any person connected to your organization. Anyone with company information or access to sensitive information – whether financial, R&D, or customer and sales data – could be an insider. This person could be a present or former employee, a board member, a consultant, or even a bank teller or floor trader – in fact, virtually anyone with access to the office building or sensitive company information, either now or in the past.
The Accidental Insider Threat
The accidental insider is someone who unwittingly becomes an insider, usually due to careless or reckless behavior that enables the adversary. Examples include such things as a user falling prey to a social engineering attack, such as a phishing attempt, or engaging in inappropriate behaviors, like breaking acceptable use policies, installing unauthorized software or misusing assets, setting up or using Shadow IT, or leveraging unauthorized workarounds.
Careless insiders may also have their user credentials compromised by using easy-to-guess passwords, writing passwords on sticky notes and posting them in plain view, reusing a single password for all online resources including personal and work accounts, or a myriad of other careless behaviors. All of these can be, and have been, used by attackers to gain unauthorized access to corporate resources.
Another avenue for providing inadvertent access to online resources can be a complacent IT staff that doesn’t properly patch or configure systems or change default passwords on networked devices.
The Malicious Insider Threat
The malicious insider is someone who intentionally seeks to steal information, disrupt the network or business, or otherwise cause harm to the organization – there are numerous examples. One of the most common malicious insiders is a disgruntled current or former employee who is motivated to harm the business. Employees may also be operating as a paid agent for a third party, such as a competitor or nation-state, engaging in cyber espionage by stealing information. And, of course, employees in dire financial circumstances may be tempted to engage in malicious activity to enrich themselves.
The Remote Worker Threat
Users now working from home pose additional risks for financial services organizations that need to be accounted for. For example, users may be connecting to the corporate network through a home or public network that may not be secure. This problem can be compounded when remote workers use personal devices such as computers and printers that may not be secure and may even be used by others. And if a device is lost or stolen, it can be difficult or impossible to secure any data stored on that device.
Working in isolation also makes it easier to fall victim to social engineering attacks, as you can’t simply walk over to a supervisor or the IT department to ask whether or not something is legitimate. And with less restriction, oversight, and engagement, remote employees have increased opportunities to engage in activities that might undermine corporate trust, expose information, and put the company and its data at risk. Nefarious employees may be especially tempted to do things that they wouldn’t otherwise try to do in the office, such as attempting to gain unauthorized access to data repositories.
And from an IT perspective, increased traffic logs from external connections means more event data to review, often by overtaxed IT teams trying to manage an entire workforce in transition, which means malicious activity could fall through the cracks.
Managing the Risk
Insider threats are one of the most challenging attack vectors to manage because trusted users who require authorized access to specific networks, data, and other connected resources are also the very users who may cause damage to those same networks and data.
Addressing the challenges posed by insider risks, especially by remote workers, requires an active strategy that includes the following six steps:
- Enable Secure Remote Access: Deploy SSL VPN capabilities with strong authentication to enable employees to securely connect to the corporate network and data repositories from remote locations.
- Maintain Visibility and Access Control: Deploying network access control technologies can provide visibility, control, and automated response for everything that connects to the network. It helps IT teams discover every user, application, and device on your network. And once devices are correctly identified and classified, you can restrict user access to only those resources necessary for them to do their job.
- Protect Endpoints: As a common attack vector, endpoints need to be regularly assessed for vulnerabilities and advanced threats. They also need security solutions installed, such as EDR (endpoint detection and response) solutions that can stop breaches and malware in real time, combined with a holistic security framework that can automatically identify, respond to, and remediate incidents to protect data, ensure system uptime, and preserve business continuity.
- Continuously Monitor: Ensure your security staff is leveraging SIEM and SOAR technologies to monitor and alert on unusual login attempts, unexplained large data transfers, or other behaviors that seem out of the norm for systems and users.
- Encrypt Data: All sensitive data that is stored on employee devices, as well as data stored elsewhere, should be encrypted. Where encryption is not possible, remote workers should be prohibited from storing data on their devices.
- Educate the Workforce: Employees need to be regularly educated on expectations and policies related to secure remote access. Also provide additional training on good cyber hygiene and on recognizing social engineering attacks delivered via vehicles such as phishing, smishing, and vishing.
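As an added illustration of the "Continuously Monitor" step (this is example code written for this page, not code from the original article or from Fortinet), the Python below runs three of the rules described above over a handful of constructed VPN log lines: a burst of failed logins for one account within a short window, a successful login outside business hours, and a single data transfer above a size threshold. It then correlates the alerts per user, which is the kind of escalation a SOAR playbook would automate. The log line format, the thresholds, and the 07:00–19:59 UTC business-hours window are all assumptions made for the example.

```python
"""Constructed insider-risk detection rules over sample VPN/file-access log lines.

Assumed log format (one record per line, not a real product's format):
    <ISO-8601 UTC timestamp> user=<id> event=<login_ok|login_fail|transfer> src=<ip> [bytes=<n>]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: three users, one of whom (bob) trips every rule.
SAMPLE_LOG = """\
2024-05-06T09:02:11Z user=alice event=login_ok src=198.51.100.10
2024-05-06T09:05:40Z user=alice event=transfer src=198.51.100.10 bytes=2400000
2024-05-06T13:10:02Z user=alice event=transfer src=198.51.100.10 bytes=3100000
2024-05-06T02:14:05Z user=bob event=login_fail src=203.0.113.7
2024-05-06T02:14:20Z user=bob event=login_fail src=203.0.113.7
2024-05-06T02:14:41Z user=bob event=login_fail src=203.0.113.7
2024-05-06T02:15:03Z user=bob event=login_fail src=203.0.113.7
2024-05-06T02:15:30Z user=bob event=login_fail src=203.0.113.7
2024-05-06T02:16:01Z user=bob event=login_ok src=203.0.113.7
2024-05-06T02:31:45Z user=bob event=transfer src=203.0.113.7 bytes=850000000
2024-05-06T10:45:00Z user=carol event=login_ok src=198.51.100.22
2024-05-06T10:50:00Z user=carol event=transfer src=198.51.100.22 bytes=120000
"""

# Assumed policy thresholds; a real deployment would tune these per role and baseline.
FAIL_THRESHOLD = 5                       # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)       # ... within this window => alert
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC counts as "in hours"
TRANSFER_THRESHOLD = 500_000_000         # single transfer of 500 MB or more => alert


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a datetime and an int byte count."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Return a list of (rule, user, timestamp) alerts, processing records in time order."""
    alerts = []
    recent_fails = defaultdict(list)     # user -> timestamps of failures inside the window
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "login_fail":
            # Sliding window: keep only failures that are still within FAIL_WINDOW.
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            recent_fails[user].append(ts)
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", user, ts))
                recent_fails[user] = []  # one burst produces one alert, not one per attempt
        elif event == "login_ok":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, ts))
        elif event == "transfer" and rec["bytes"] >= TRANSFER_THRESHOLD:
            alerts.append(("large_transfer", user, ts))
    return alerts


def escalate(alerts, min_distinct_rules=2):
    """Users who triggered at least two different rules; candidates for SOAR-driven response."""
    rules_by_user = defaultdict(set)
    for rule, user, _ in alerts:
        rules_by_user[user].add(rule)
    return {u for u, rules in rules_by_user.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for rule, user, ts in found:
        print(f"{ts.isoformat()} {rule:16} user={user}")
    print("escalate:", sorted(escalate(found)))
```

Each rule on its own is noisy (off-hours logins are routine for on-call staff, and large transfers are normal for some roles), which is why the correlation step matters: a user who trips several independent rules in a short span is far more worth an analyst's time than any single alert, and that is the signal a SIEM/SOAR pairing is meant to surface from the growing volume of remote-access event data.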
Rapid Change Increases Risk
Insider threats are a serious concern for financial institutions, and today the risk is higher than ever. Critical circumstances have required organizations to quickly transition to alternate work environments to maintain business continuity. However, organizations that had not prepared to move their workforce to a remote setting as part of their BCDR plans were caught trying to make a significant change in a highly compressed amount of time. As a result, even if external security controls remained in place to keep out external cybercriminals, security gaps may still have crept into their environments that can be exploited by insiders.
By refining your security protocols, including following the six steps outlined above, organizations can close the gap on insider threats so that business continuity can be maintained, and critical customer and institutional information can be protected.