Insiders Now Pose Biggest Cybersecurity Threat to Financial Services Industry
It’s tempting to imagine cybersecurity defenses as a shield that protects your financial services firm from all external threats. Employing vast network and perimeter security, deception tools, endpoint security, and firewalls should thwart attacks, right? The scary, dark web world of hackers and attackers is kept at bay, and your company remains cozy and secure behind its cybersecurity shield.
But there lies an issue within organizations that can drive a fracturing crack in that cybersecurity shield: the insider threat.
The Threat Within
The basic flaw in the scenario above is that it focuses on protecting your financial services firm from all external threats. That’s important, of course, but it’s not enough to keep you safe. And that’s why the concept of huddling in safety behind a cybersecurity shield offers nothing more than false security.
The truth is the biggest security threats to your company can be found internally, on the wrong side of that cybersecurity shield. The largest security threats facing your company might be in a neighboring cubicle, in the office across the hall, or in the little group clustered around the water cooler. In fact, the biggest cybersecurity threat your company faces might even be you, albeit inadvertently.
Some Sobering Survey Results
Just how large is the insider threat facing financial services companies? A couple of recent surveys have shed some light on this topic — and what they’ve revealed may surprise you.
Financial services companies are heavily targeted by cybercriminals because of the value of their data, including customer information (often of very high-worth individuals) contained within Customer Relationship Management systems.
Many financial organizations have suffered a breach or failed a compliance audit within the previous year. The IBM X-Force Threat Intelligence Index 2017 found that financial services companies suffered more breaches than any other industry — and more than half were perpetrated by insiders.
The SANS 2016 Survey on Security and Risk in the Financial Sector found that the top two attack vectors against financial services firms were ransomware attacks (55%) and phishing attacks (50%). But aren’t these attacks from the outside? As the survey report notes, these types of attacks typically require some form of insider interaction to be effective and to open the door to the organization’s network.
The costs incurred from insider-related cybersecurity breaches are soaring. A Ponemon Institute report, 2016 Cost of Insider Threats, found that, on average, damage resulting from insider activities amounted to more than $4 million per enterprise in 2016.
Some insider threats are malicious and intentional, most often motivated by the hope of financial gain: second streamers. Reports of employees stealing client assets or taking client data out the door to sell on the dark web are a regular occurrence. But not all insider threats are malicious in nature; many insider threats are the result of simple carelessness or neglect. And as the 2017 Ponemon Cost of a Data Breach study revealed, unintentional insider threats are the costliest.
Though each intentional insider attack does more damage per occurrence, the unintentional insider incident occurs much more frequently. In total, insider incidents resulting from carelessness or neglect cost more per year than all combined forms of intentional insider attacks, as noted in the 2016 Ponemon report. Similarly, the IBM X-Force report found that more than 90% of insider incidents occurring within financial companies were inadvertent in nature.
Internal Threats Come in Many Forms
Insiders pose the largest cybersecurity threat to financial services organizations. But not all insiders pose equal threats. And not all insiders are employees. Business partners and contractors often have access to sensitive data or proprietary systems, and may also represent an insider threat.
The Vormetric report, in fact, noted that partners and contractors were among the three most dangerous insider groups. The survey results ranked the different insider threats as follows:
Privileged Users: 63%
Partners with Internal Access: 43%
Contractors/Service Providers: 40%
What Are Your Insiders Up To?
It’s clear that financial services enterprises cannot focus their cybersecurity defenses strictly upon external threats. Doing so invites disaster by ignoring the insider threat, which is now the largest threat faced by financial services companies. Defending against internal threats requires monitoring user activity and utilizing behavior analytics that provides insights into the who, where, why, when, and what insiders are doing.
These insights and application security are pertinent to your organization’s security posture. The SANS survey revealed that many financial services companies consider themselves less than well prepared to thwart illicit access to systems and accounts.
But perhaps the scariest finding by the SANS survey? Nearly a fourth of all companies reported that they didn’t even know whether they had suffered an incident within the past year. And it’s quite difficult to counter a threat that you can’t even see.