CYFOR Blog

Insider Threats within the Finance Industry

The risk of Insider Threats within the finance industry is a prevalent trend that has grown in significance due to data theft and financial fraud.

Insider Threats are faced across all industries; however, the Financial Services industry has always been a primary target for financial fraud and data theft. In this highly regulated environment, Financial Services organisations are trusted not only with individuals’ finances, but also with keeping customers’ highly sensitive personal and financial data secure. Any legitimate threat can lead to detrimental impacts such as financial losses, data leaks, regulatory fines and damage to brand reputation and customer perception.

The average cost of a data breach within Financial Services is among the highest of any industry, at $5.85 million USD, according to the Varonis 2021 Financial Data Risk Report. The 2020 Ponemon Institute Cost of Insider Threats Report also found that the frequency of Insider Threats has risen by 47% over the last two years, and increased in cost by 31% since 2018. Furthermore, the 2020 Verizon Data Breach Investigations Report states that 30% of all breaches were caused by an Insider Threat. These statistics paint a picture of the internal employee-centric risks present for Financial Services firms.

Insider Threats are defined as malicious individuals that pose a risk from within an organisation. These can come in many guises, including current employees, former employees with active system credentials, and contractors who have proprietary information regarding internal protocols, security practices and computer systems. Insider Threats pose a higher risk than external threats because they already have a working knowledge of a company’s data protection methods and security practices, and hold organisational trust that allows them to bypass these more easily.

Intentional Insider Threats to Financial Services

Financial Services organisations are an attractive target for malicious insiders, with financial fraud as the primary motive. However, it should be noted that there are various types of Insider Threats.

  • Departing employees

It is common for departing employees, whether leaving to join a competitor or to set up on their own, to steal data in the process, despite any NDAs they may have signed. A study conducted by the Ponemon Institute identified that 59% of employees who either resign or are asked to leave subsequently take confidential business information with them. The study also found that 65% of respondents admitted to taking proprietary and confidential data that could affect their former company’s business competitiveness and result in a data breach.

  • Disgruntled employees

Disgruntled employees may come into conflict with their employer and may become an Insider Threat by seeking vengeance and exploiting company data. This could happen in the form of data deletion or corruption and exporting/selling proprietary data such as client data or financial information to a competitor or on the dark web.

  • Industrial espionage

Whether the aim is financial gain from selling company intellectual property or an advantage at a competing organisation, a malicious insider committed to industrial espionage can cause significant damage.

  • Malicious Insiders

It can be challenging to detect a malicious insider, as they are usually highly self-motivated and can use their privileges to access private information for financial gain, often remaining undetected for a lengthy period. Many malicious insiders have specific network privileges that enable unrestricted access to client or business-sensitive financial information, which they may steal, destroy, or release.

Types of data can include:

  • Trade secrets and intellectual property
  • Company passwords and usernames to sensitive systems
  • Private employee records
  • Customer CRM databases
  • Strategic business plans
  • Financial records
  • Email lists.

Methods of insider data theft

  • Copying data to external storage devices
  • Uploading data to cloud storage systems
  • Sending data via email or messaging apps
  • Taking photographs of core information
  • Printing valuable company data

Non-intentional Insider Threat

While insider data theft is assumed to always be intentional, this is not always the case. Within the realm of cyber security, an employee behind the data theft may have been exploited by cybercriminals as a weak link within an organisation. For example, hackers may use compromised accounts, credentials, or personal devices of careless victims to get a hold of the information they need. Other reasonable explanations include:

  • Employee negligence
  • Poor cybersecurity practices of a third-party vendor
  • Susceptibility to social engineering
  • Negligent or inadvertent users
  • User credential theft

Using a compromised account, cybercriminals can hide in plain sight on a company network and may go unnoticed for weeks, months, or even years. The more access rights the compromised account has, the greater the potential damage.

How to detect an Insider Threat

Whether digitally or in person, there are common behavioural traits that can indicate an active internal threat. These indicators are important for employers to monitor, so that potential Insider Threats can be detected and halted. While behavioural warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect Insider Threats. They assist by analysing user activity and alerting when a user behaves suspiciously or outside of their typical behaviour. Here are common insider data theft indicators:

Digital Warning Signs

  • Downloading or accessing substantial amounts of internal data
  • Accessing sensitive data not associated with their job function
  • Accessing data that is outside of their unique behavioural profile
  • Multiple requests to access resources not associated with their job function
  • Usage of unauthorised storage devices such as USB drives
  • Network crawling and searches for sensitive data
  • Data hoarding, copying files from sensitive folders
  • Emailing sensitive data outside the organisation
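
A minimal sketch of the analytics described above, added here as an illustration and not taken from CYFOR's tooling: it checks constructed file-access events for three of the digital warning signs (volume outside a user's own baseline, folders outside the job function, and USB or external-email channels). The event fields, the department-to-folder map and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample events: (day, user, department, folder, bytes, channel)
EVENTS = [
    ("2024-03-01", "asmith", "sales", "/shares/sales", 40_000_000, "share"),
    ("2024-03-04", "asmith", "sales", "/shares/sales", 45_000_000, "share"),
    ("2024-03-05", "asmith", "sales", "/shares/sales", 38_000_000, "share"),
    ("2024-03-06", "asmith", "sales", "/shares/sales", 42_000_000, "share"),
    ("2024-03-07", "asmith", "sales", "/shares/sales", 900_000_000, "share"),
    ("2024-03-07", "asmith", "sales", "/shares/payroll", 20_000_000, "share"),
    ("2024-03-07", "asmith", "sales", "/shares/sales", 300_000_000, "usb"),
    ("2024-03-01", "bjones", "finance", "/shares/finance", 60_000_000, "share"),
    ("2024-03-04", "bjones", "finance", "/shares/payroll", 55_000_000, "share"),
    ("2024-03-05", "bjones", "finance", "/shares/finance", 65_000_000, "share"),
    ("2024-03-06", "bjones", "finance", "/shares/finance", 58_000_000, "share"),
    ("2024-03-07", "bjones", "finance", "/shares/payroll", 61_000_000, "share"),
]
# Hypothetical job-function map: folders each department is expected to use.
ALLOWED = {"sales": {"/shares/sales"},
           "finance": {"/shares/finance", "/shares/payroll"}}
RISKY_CHANNELS = {"usb", "email_external"}  # assumed channel labels

def detect(events, allowed=ALLOWED, sigma=3.0, min_history=3):
    """Return sorted (day, user, indicator, detail) alerts."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    for day, user, dept, folder, size, channel in events:
        daily[user][day] += size
        if folder not in allowed.get(dept, set()):
            alerts.append((day, user, "outside_job_function", folder))
        if channel in RISKY_CHANNELS:
            alerts.append((day, user, "risky_channel", channel))
    for user, days in daily.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]  # this user's earlier days
            if len(history) < min_history:
                continue  # too little data to call anything "typical"
            mean = statistics.mean(history)
            spread = statistics.pstdev(history) or 0.1 * mean  # avoid zero band
            if days[day] > mean + sigma * spread:
                alerts.append((day, user, "volume_spike", days[day]))
    return sorted(alerts, key=lambda a: a[:3])

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The baseline is per user, so a finance user reading the payroll share raises nothing while the same folder accessed from a sales account does.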

Behavioural Warning Signs

  • Attempts to bypass security
  • Frequenting the office out of hours
  • Displays disgruntled behaviour toward co-workers or management
  • Violation of corporate policies
  • Discussions of resigning or new employment opportunities

Defending against Insider Threats

As Insider Threats become more problematic, organisations need to take proactive steps to secure their proprietary data. There are security methods that can be deployed to decrease the risk of valuable data being stolen by an internal actor as well as by cybercriminals:

  • Employ a comprehensive set of policies and procedures such as an Acceptable Use Policy. This governs the use of all company assets and includes safeguards and policies that assist in the prevention of data theft.
  • Evaluate and classify all systems and data so that you know what assets in your organisation have the greatest value and are most likely to be a target.
  • Consider creating a list of critical systems and use it to build a thorough and effective data security governance policy. Make sure to periodically re-evaluate this list and the policies based on it.
  • Remove ‘admin’ privileges on company networks from employees who do not need them. This restricts user access and privileges to those proportionate to their role and seniority.
  • Restrict USB port access so external storage devices cannot be used to copy data unless authorised. This restriction should also be applied to CD/DVD drives.
  • Consider deploying software that can block websites that may be malicious, are not required for business operations or may allow for easy, unmonitored transmission of data.
  • Incorporate a Forensic Readiness Plan to ensure business continuity and effective incident management in the event of an employee data theft scenario.
  • Encrypt all laptops, devices, and emails that contain sensitive data. Be sure to use strong password protection for all business computers and devices. Require employees to have unique usernames and strong passwords that are changed on a regular basis.
  • Protect against viruses and malware by installing the latest antivirus and antispyware software on all business computers. This includes keeping your software and operating systems up to date by installing updates to security, web browsers, operating systems, and antivirus software.
  • Secure access to your network with firewalls, remote access through properly configured Virtual Private Networks, and Wi-Fi networks that are secure and encrypted.
  • Train your employees to ensure they understand the importance of all company data protection policies and best practices, adopting a data security mindset.