The insider threat presents a big risk to financial services organisations, writes Adam Strange, of IT management, automation and cyber firm HelpSystems.
In today’s highly regulated environment, financial services organisations are trusted with far more than just money; they are also responsible for keeping customers’ highly sensitive personal and financial data secure. And privacy legislation, such as GDPR and CCPA, has come into force to ensure that they are doing this diligently. Likewise, with the all the publicity we’ve seen around data breaches, as individuals, we are far more aware of the growing value of our data and the need to protect it. So, unfortunately, are cyber-criminals, which means financial organisations are prime targets for malicious cyberattack. However, this isn’t the only threat they face. In fact, not a day passes without these firms’ own employees putting data at risk.
When it comes to reducing overall breach risk, it is easy to assume that employees represent low-hanging fruit – based on the premise that it is easier to control the actions of a company’s own employees than it is to defend against external attackers. However, here at HelpSystems we have recently undertaken some research, interviewing 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face. And the reality is that insider threat – whether intentional or accidental – was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. Likewise, phishing emails were cited by 20% of survey respondents. Add these two together and you can start to get a picture of the challenge these internal employee-centric risks present for financial services firms – perhaps a far bigger one than the external threat. While external attackers are always motivated by malicious intent, the employee population is far more mixed, and motivations are a grey area where the reasons behind breaches, whether through simple human error or deliberate actions, are harder to determine. This makes understanding, and mitigating, insider risk a far more problematic exercise.
At the same time, the latest Information Commissioner Office (ICO) report has just been published and the data confirms that misdirected email remains one of the UK’s most prominent causes of security incidents. This report further demonstrates the need for all organisations to control the dissemination of their classified data as it states that misdirected email is, alarmingly, a 44 per cent bigger risk to organisations than phishing attacks.
This is yet another area where organisations must ensure their data protection policies are robust enough to not only protect themselves but also their employees from the seemingly simplest of mistakes. Again our research showed that increased remote working practices was a cause for concern, with 36pc stating that they saw it as a cybersecurity threat with the potential to cause significant damage. Therefore, what remains paramount is that organisations provide their employees with the technology tools necessary to prevent the simple human errors that have the potential to result in data loss, and as a consequence, severe financial and reputational damage.
Clearly, it is crucial that financial services organisations shift the dial on insider risk and reduce breach frequency, because the penalties for failing to do so are becoming increasingly draconian, and the repercussions from customers much more severe. But put simply, before you can defend, you need to know what protection your data requires and you need to know what you’ve got, where it’s stored, why you have it and who has access to it. Once you’ve got to grips with that, you can identify what is of true value to the organisation – what’s business-critical and what’s sensitive – and then how best to treat it. In order to do that you need to think about what the impact would be if a piece of information was leaked or lost. If it was made public, would it harm the business, your customers, partners or suppliers? Would it put an individual’s security or privacy at risk? Would you lose advantage if a competitor got hold of it? Is it subject to any privacy or data laws, or regulatory compliance?
While this all sounds relatively straightforward, data visibility was another problematic area and subsequent threat emphasized in our research. Data visibility and knowing what data is where and who has access to it was highlighted as having the potential to cause the most damage by 14% of our survey respondents. Combine this with internal cybersecurity fatigue, which more than a quarter (28%) cited as potentially damaging, and you can start to appreciate the importance of providing tools and awareness training to help prevent those easily avoided mistakes from happening in the first place.
As I mentioned, it is a complex problem without a simple answer and this is where employee education is key. Employees play a vital role in ensuring the organisation maintains a strong data privacy posture. For this to be effective, organisations need to ensure that they provide regular security awareness training to protect sensitive information. In terms of how they go about doing this, they must invest in user training and education programmes. Users are your most important security resource, so train them to be an asset rather than a liability. Users should be a critical part of an organisation’s security posture, not excluded due to the associated risks.
Likewise, the security culture of the firm must be inclusive towards employees, making sure they are continually trained so that their approach to security becomes part of their everyday working practice and security is embedded into all their actions and the ethos of the business.
One way to do this is through the implementation of data classification tools, which not only help organisations to protect their data by putting the appropriate security labels on it, but also help educate users to understand how to treat different types of data with different levels of classification and sensitivity. Here at HelpSystems our data classification solution enables users to classify both their emails and documents according to their sensitivity, using both visual and metadata labels. Once labelled, data can be controlled to ensure that emails, documents and files are only sent to those you want to receive them, protecting your sensitive information from accidental loss.
It is technology like this that leaders within financial services organisations should have in place to protect their employees, prevent misdirected emails, the inadvertent sharing of documents and files and ensure that the organisation is complying with data protection legislation. Remote working is likely to remain, regardless of any future regional or national lockdowns, therefore, making sure that employees have the tools to prevent mistakes and the accidental sharing of data is going to be more important now than it has ever been. The place to start is making sure that any data is appropriately labelled, so that the employee knows how it should be handled.