The Cost of Insider Threats in Financial Services and How to Reduce Them

From ransomware to social engineering, cybersecurity attacks plague financial organizations with more frequency than ever before. But the most common risk isn’t malicious actors trying to break in from the outside – usually, the most significant threat originates from inside an organization. Insider threats can cost millions and lead to loss of trust. Ponemon Institute’s 2020 Cost of Insider Threats Global Report examines the monetary losses caused by insider breaches and shares methods for mitigating the costs – or preventing them from ever becoming a problem.

The study surveyed 964 IT and IT security practitioners in 204 organizations across North America, Europe, the Middle East, and Asia-Pacific. Of the industries surveyed, financial services – which includes banking, insurance, investment management, and brokerage – made up the largest percentage. The results speak for themselves – in the last two years, the cost of insider threats has risen 31%, jumping from $8.76 million in 2018 to $11.45 million in 2020. Plus, the number of security incidents increased 47% in that same time. When faced with statistics like these, how can financial services organizations protect themselves from the escalating risk that insiders present?

Here, we’ll examine the kinds of insider threats that affect financial organizations, the monetary impact, and best practices to protect sensitive data from risks that originate within a company. According to the study, there are three types of insider threats:

  • Careless or negligent employees or contractors
  • Criminal or malicious insiders
  • Credential thieves

[Figure: Cost of Insider Threats graph – frequency of incidents]

The careless or negligent employee or contractor

Careless workers may mean well, but even minor negligence on their part can cost an organization millions of dollars. Irresponsible actions like leaving workstations or doors unlocked, installing unapproved applications onto company devices, or leaving personally identifiable information (PII) in plain sight can leave your organization vulnerable to a cyberattack. As the most frequently encountered insider threat, negligence is responsible for 62% of all incidents caused by insiders. According to the Ponemon report, incidents caused by careless employees or contractors cost an average of $307,111 per occurrence across all industries and can add up to more than $4 million per organization.

To mitigate the risk that negligent workers pose, prioritize onboarding and ongoing training so that all employees and contractors clearly understand the importance of data security and compliance from the point of hire, onward. Training users carries the added benefit of informing employees and contractors of action plans when an incident or breach occurs so it can be resolved more quickly and efficiently.

Implementing a user activity monitoring solution can also help prevent carelessness and promote a culture of privacy across the board by spotting improper access and behavioral trends that deviate from the norm. If a specific area of the organization has a pattern of falling behind in terms of maintaining privacy and security, training can be custom-tailored so that security incidents don’t occur repeatedly.

“There are lots of different ways that you can look for insider threats. Some of them are not people doing something maliciously, but it doesn’t mean we shouldn’t stop them from doing it.”

– Ed Holmes, Chief Executive Officer at FairWarning

The criminal or malicious insider

Criminal insiders are one of the most challenging threats to detect. Unlike negligent employees, they pose an intentional threat to organizations. Because they’re already inside the network, they have no roadblocks to prevent them from abusing their privileges to access private information for personal or financial gain. Although malicious incidents are widely publicized, they are responsible for only 23% of overall security incidents. According to the report, criminal and malicious insider incidents cost an average of $755,760 each and add up over the course of a year. Each organization surveyed paid over $4 million on average as a result of internally based criminal and malicious threats.

Though detecting criminal and malicious insiders is challenging, certain countermeasures can safeguard PII. Implementing the principle of least privilege – limiting privileges so users can access the minimum amount of data necessary to do their job – helps prevent unauthorized access or abuse. Programming screen locks, monitoring for suspicious activity, and restricting the use of external storage devices also minimizes the potential havoc a nefarious individual can wreak.
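As an added example (not code from the article or from FairWarning), the following Python script applies the two controls described here and in the negligent-insider section above: a least-privilege check of every access against a hypothetical role map, and a per-user volume baseline that flags the kind of deviation from the norm a user activity monitoring tool looks for. The log lines, roles and threshold are constructed.

```python
"""Added example, not code from the article or from FairWarning. A minimal
user activity monitor over a constructed access log: it flags access outside
a user's role (least privilege) and record volumes far above the user's own
baseline (behaviour that deviates from the norm)."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: one line per user, per day, per resource.
ACCESS_LOG = """\
day=1 user=alice role=teller resource=accounts records=40
day=2 user=alice role=teller resource=accounts records=45
day=3 user=alice role=teller resource=accounts records=38
day=4 user=alice role=teller resource=accounts records=410
day=1 user=bob role=teller resource=accounts records=30
day=2 user=bob role=teller resource=payroll records=12
day=3 user=bob role=teller resource=accounts records=33
day=4 user=bob role=teller resource=accounts records=31
"""

# Hypothetical least-privilege policy: the resources each role may read.
ROLE_PERMISSIONS = {"teller": {"accounts"}, "hr": {"payroll"}}

def parse_log(text):
    """Turn key=value lines into dicts; day and records become ints."""
    events = []
    for line in text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["day"], ev["records"] = int(ev["day"]), int(ev["records"])
        events.append(ev)
    return events

def find_alerts(events, today, ratio=3.0):
    """Return (user, reason) pairs: every out-of-role access in the log,
    plus any of today's accesses exceeding ratio x the user's earlier mean."""
    alerts = []
    for ev in events:                       # least-privilege violations
        if ev["resource"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            alerts.append((ev["user"], f"role {ev['role']} read {ev['resource']}"))
    history = defaultdict(list)             # user -> record counts before today
    for ev in events:
        if ev["day"] < today:
            history[ev["user"]].append(ev["records"])
    for ev in events:                       # volume far above own baseline
        past = history[ev["user"]]
        if ev["day"] == today and past and ev["records"] > ratio * mean(past):
            alerts.append((ev["user"],
                           f"{ev['records']} records vs baseline {mean(past):.0f}"))
    return alerts
```

Calling `find_alerts(parse_log(ACCESS_LOG), today=4)` returns bob's out-of-role payroll read and alice's tenfold jump in records viewed, both of which the report's mitigation guidance would route to review.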

The credential thief

Credential theft, also known as imposter risk, is a type of cybercrime where the culprit uses tactics such as phishing, spear phishing, vishing, smishing, and social engineering to steal login information. Once the attacker gains access to an organization’s network, they share the same user privileges as their victim, gaining visibility into sensitive information such as names, addresses, health history, credit card information, and social security numbers.

Although imposter risk occurs in only 14% of insider threat events, incidents caused by credential theft are the costliest. In fact, the typical cost per credential theft incident is nearly triple that of negligence incidents at a staggering $871,686. Annually, incidents caused by credential thieves amount to $2.79 million on average.

With millions of dollars and customer trust at stake, how can financial services organizations protect themselves from imposters and credential thieves? Prioritizing security training on a regular basis can help inform users of red flags. Common signs of phishing, smishing, spear phishing, and similar attacks include:

  • Generic greetings like “Hello customer” or “Hi Outlook user”
  • Grammar and spelling errors
  • Unknown or spoofed sender
  • Unexpected attachments or links
  • Hyperlink text that doesn’t match the destination address
  • Asking you to confirm personal information
  • Using alarming, time-sensitive language like “NEED HELP NOW,” or “REPOND ASAP”

These attacks are distinctive in that they only work if the user acts, by clicking a link or opening an attachment. Training users to recognize the signs of credential theft can prevent them from taking those actions, stopping imposter risks in their tracks.
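The red flags listed above can be checked mechanically, and the following Python script (an added example, not the article's or FairWarning's code) scores a constructed message against them: unknown sender domain, generic greeting, urgent language, a request to confirm personal information, and link text whose host differs from the real destination. The phrase lists, the sender allowlist and the sample e-mail are assumptions.

```python
"""Added example, not code from the article: scores a constructed message
against the phishing red flags listed above. The phrase lists, the sender
allowlist and the sample e-mail are made up; treat it as a triage aid for
training, not a complete filter."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "First National Bank Security" <alerts@fnb-secure-login.example>
To: customer@example.org
Subject: Action required
Content-Type: text/html

<p>Hello customer,</p>
<p>Your account is locked. RESPOND ASAP and confirm your password at
<a href="http://fnb-secure-login.example/verify">https://www.firstnationalbank.example/login</a></p>
"""

KNOWN_SENDERS = {"firstnationalbank.example"}        # hypothetical allowlist
GENERIC_GREETINGS = ("hello customer", "dear customer", "hi user")
URGENCY = ("respond asap", "need help now", "account is locked")
PERSONAL_INFO = ("password", "social security", "card number")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Hostname of a URL, lowercased; empty string if unparseable."""
    return (urlparse(url.strip()).hostname or "").lower()

def red_flags(raw):
    """Return the red flags found in one raw message, as short strings."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()   # visible text only
    flags = []
    if sender_domain not in KNOWN_SENDERS:
        flags.append(f"unknown sender domain {sender_domain}")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(u in text for u in URGENCY):
        flags.append("urgent language")
    if "confirm" in text and any(p in text for p in PERSONAL_INFO):
        flags.append("asks to confirm personal information")
    for href, label in ANCHOR.findall(body):
        if label.strip().startswith("http") and host_of(label) != host_of(href):
            flags.append(f"link text {host_of(label)} goes to {host_of(href)}")
    return flags
```

Run on the sample, `red_flags(SAMPLE_EMAIL)` reports all five indicators; the link-text check is the one users most often miss, because the visible URL looks legitimate while the href points elsewhere.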

Detecting, remediating, and preventing insider threat incidents

Preventing insider threats like negligent workers, malicious insiders, and credential thieves can save financial services organizations millions of dollars. And the faster an incident is contained, the less expensive it is to remediate. According to the Ponemon report, it takes more than two months – 77 days – to contain the average insider incident.

The Ponemon report also shows that the longer it takes to contain an insider incident, the more it costs. Organizations that took more than 90 days to contain an insider attack experienced the highest mitigation costs – $13.71 million in contrast to $7.12 million for organizations that discovered the incident within 90 days. Not surprisingly, financial services companies experienced the highest total cost of any industry at $14.5 million.

[Figure: Cost of Insider Threats graph – average cost by days to contain incidents]

The financial impact of insider threats

A particularly troubling finding of the Ponemon study is the steady increase of insider threats. Over the last two years, the average number of employee or contractor negligence incidents increased from 13.2 to 14.5 per organization, with 60% of organizations suffering more than 30 insider incidents per year. The key factors that affect the cost of insider threats include:

  • Monitoring and surveillance: Enabling proactive detection of violations and potential cyberattacks
  • Investigation: Uncovering the source, scope, and magnitude of an incident
  • Escalation: Informing key stakeholders about incidents and organizing an initial management response
  • Incident response: Assembling an incident response team and creating a final management response
  • Containment: Stopping or reducing insider attacks, including shutting down compromised applications and endpoints
  • Ex-post response: Reducing future insider incidents, including communicating recommendations to key stakeholders to minimize potential harm
  • Remediation: Repairing affected systems and core business processes, including restoring damaged information assets and IT infrastructure

Of these activities, investigations are growing the fastest with an 86% net increase over three years. At $103,798 per incident, investigations are on the higher end of associated expenses. And the activity costs above are not the whole picture – the direct and indirect costs of insider-related events can include:

  • Data loss
  • Productivity downtime
  • Equipment damage
  • Detection and remediation costs
  • Legal expenses such as litigation fees and regulatory fines
  • Loss of consumer trust
  • Reputational damage

Understanding organizational susceptibility to insider threats

To protect your company from insider threats, understanding risk factors is vital. Five signs your organization may be susceptible to risk include employees who:

  • Lack security compliance training
  • Are not aware of procedures for securing devices, including BYOD
  • Transmit sensitive data to unsecured cloud locations
  • Bend organization-wide security policies to simplify tasks
  • Fail to patch or upgrade devices and software to the latest version

With the growing threat of insiders, it’s more important than ever for financial services companies to take whatever measures necessary to safeguard against internal risk. With thorough new hire onboarding, continuous cybersecurity training, and potential consequences for policy violations, you can empower your team with the knowledge needed to protect the privacy and security of PII. And strengthening cybersecurity measures along with implementing proactive user activity monitoring can stop attackers in their tracks – before they have a chance to walk away with valuable data.