Internal Security Industry Spotlight: Financial Sector
It’s no secret why the financial industry is such a threat target. As criminal Willie Sutton said when asked why he robbed banks: ‘Because that’s where the money is’.
According to figures compiled by IBM Managed Security Services, the financial services sector moved from the third most-attacked industry in 2015 (behind healthcare and manufacturing) to the most-attacked industry in 2016.
Sources of Threats
Outside threats to the financial industry include cyber criminals intent on stealing identities and money, hacktivists looking to make a statement, and nation states on the hunt for intellectual property and secrets. Another source of threat is the increasing number of interfaces between traditional financial providers and fintech startups, which can create vulnerabilities as data crosses those interfaces.
However, the biggest source of threat today in the financial industry comes from the inside. Data from IBM shows that insider-originated attacks (58%) outnumber outsider attacks (42%) on financial services. Furthermore, a majority of insider attacks come from “inadvertent actors”, such as employees who fall for phishing attacks.
Insider threats can be classified into three types:
- Malicious intent: These are employees, former employees, or the extended enterprise (like partners) who are disgruntled and looking to ‘get back’ at the organization.
- Actions resulting from ignorance: These personnel might fall for phishing scams and, unwittingly, open the door to a threat from outside. Employees may also introduce threats through bring-your-own-device (BYOD) usage that creates new vulnerabilities.
- Personnel who are compelled or bribed from outside: Employees may be enticed – or bribed – to deliver confidential data to outside actors.
Consequences to the Industry
Money is a leading motivator for attackers, but money loss is just one consequence of an attack. Personally identifiable information (PII) is another type of loss, and a major one, because so much PII is held in the databases of financial institutions. PII can be sold at a profit or held hostage in a ransomware attack. A theft of PII can cause a significant loss of reputation and customer confidence.
Loss of intellectual property, disruption to infrastructure, loss of company confidential data around merger and acquisition plans, and regulatory repercussions are other potential consequences of an attack.
Staying Safe in the Financial Industry
Organizations can battle insider threats by actively ‘listening’ to potential indicators. Here are just some indicators that bear further attention:
- Frequent access of the work space outside of typical working hours
- Irresponsible social media habits
- Use of unauthorized external storage devices
- Requests for higher-level access without a valid need
There are several ways organizations can proactively monitor – and then mitigate – against threats coming from the inside:
- Establish and publicize information governance and internal security policies.
- Inventory how data is currently accessed to get a complete picture of data access across the organization.
- Conduct scenario testing. JF Legault, global head of cybersecurity operations at JP Morgan, says “Doing exercises, so getting everyone around the table and you simulate scenarios so you understand where your gaps are and what you do well, you understand what you need to build into your cyber process and your resiliency process. It is essential to do that with everyone within your organisation: legal, cyber, compliance, the business, the operations folks, the technology folks and even your peers.”
- Train employees and partners to improve security awareness. Focus on educating employees about phishing and how to avoid becoming a victim, and use a variety of approaches—video, webinars, in-person instruction at intervals to make the risk clear. David Kruse, a cyber security insurance consultant, says “Today, there are as many ways into the vault as you have employees & endpoints. No amount of IT security spending can protect a company whose employees don’t see themselves as part of a broader information security team.”
- Educate the ‘newly banked’. Your newly banked customers are, essentially, another type of insider. These individuals have little or no previous experience with cyber security risks. Consider offering programs to train on best practices for ensuring security when managing their accounts and engaging in transactions.
- Track credential usage to avoid practices such as multiple employees using a single logon.
- Put in place software and processes that enable you to track unusual behavior.
- Develop a breach response program to help respond quickly to incidents.
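The last three measures call for tracking credential use and unusual behavior. As an added illustration that is not part of the original article, the following Python checks two of the indicators listed earlier, after-hours access and a single logon shared across workstations, over a constructed authentication log. The log format, the field layout and the 07:00-20:00 weekday business-hours window are assumptions.

```python
"""Flag two insider-threat indicators over a constructed logon/logoff log:
after-hours access and one account with concurrent sessions on different hosts."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records (not real data): "<ISO timestamp> <user> <host> <event>"
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice WS-101 logon
2024-03-04T17:30:41 alice WS-101 logoff
2024-03-04T09:02:03 bob WS-204 logon
2024-03-04T09:05:17 bob WS-311 logon
2024-03-04T23:47:09 carol WS-118 logon
2024-03-05T01:12:55 carol WS-118 logoff
"""

# Assumed business-hours window; tune to the organization's actual schedule.
WORK_START, WORK_END = time(7, 0), time(20, 0)


def parse(log_text):
    """Parse the assumed four-field log format into (datetime, user, host, event) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, user, host, event = line.split()
        records.append((datetime.fromisoformat(ts), user, host, event))
    return records


def after_hours_logons(records):
    """Logons outside business hours or on a weekend: the 'access outside typical hours' indicator."""
    return [(ts, user, host) for ts, user, host, ev in records
            if ev == "logon"
            and (ts.weekday() >= 5 or not WORK_START <= ts.time() < WORK_END)]


def shared_logons(records):
    """Accounts with overlapping sessions on different hosts: a sign of one logon used by several people."""
    active = defaultdict(set)   # user -> hosts with an open session
    flagged = set()
    for ts, user, host, ev in sorted(records):   # replay events in time order
        if ev == "logon":
            if active[user] and host not in active[user]:
                flagged.add(user)
            active[user].add(host)
        elif ev == "logoff":
            active[user].discard(host)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("after-hours logons:", after_hours_logons(recs))
    print("shared logons:", shared_logons(recs))
```

Both checks produce leads for review, not verdicts; an on-call engineer or a legitimately multi-seated account will trip them, so pair the output with the access inventory the earlier measure recommends.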
Proactive measures to monitor, educate and train, and recover from attack can help financial organizations ensure they are not compromised by an internal Willie Sutton.