Insider threats are a major security issue in the financial sector

The financial industry is becoming a hot target for hackers and ransomware, and it’s no surprise — the industry does deal with money, after all. The sector is 300 times more likely to experience a cyberattack than any other industry, and it absorbs the highest cost, with an average of $18.3 million lost per cyberattack. But it’s not just the Scrooge McDuck-style pools of coins and cash that cause hackers to turn their eyes to financial institutions. It’s the access. The industry has a vast number of internal users who can quickly turn into insider threats.

What are insider threats?

An insider threat is simply a cybersecurity threat (the potential theft or compromise of critical data or assets) that comes from an internal user, i.e. an employee. Whether insider threats happen accidentally or on purpose, they are a threat to be taken seriously. According to the Ponemon Institute 2020 Cost of Insider Threats: Global Study, there were 4,716 insider attacks recorded across the globe, and the cost of an insider incident almost doubled between 2019 and 2020, from $493,093 to $871,686. These incidents can arise from an outside party paying the internal user, from the termination gap (a terminated user who still has access), or simply from human error. The financial industry, not unlike the healthcare industry, is rife with insider threats. While there is the obvious threat from those seeking financial gain, the financial industry is also prone to attack from nation-states, rival corporations, and cyber-espionage groups. That’s a lot of darts getting thrown at one target.

Why is the finance industry at risk for insider threats?

On average, a financial services employee has access to nearly 11 million files the day they start work. Now expand that number across an organization, or across the multiple organizations of the entire industry. It’s unfathomable how many assets full of PII and other sensitive information (like bank account information) are being accessed at any given moment. Securing all those assets becomes a major challenge for financial organizations, and that’s not even taking into account SOX 404, the GLBA Safeguards Rule, and other regulatory demands. For hackers, it becomes obvious that the fastest way in is through an internal user. Just look at PostBank, the South African post office bank that was forced to replace millions of bank cards at a cost of $58 million after an internal employee compromised customers’ bank data by copying a master key. That was just a compromise, not a full-fledged theft, and it still cost over $50 million. All it takes is one moment of human error, a moment of weakness, or a well-placed phishing attack on an internal user with too much access to cause chaos. Not to mention that as financial institutions, like organizations in every industry, become more digitized and decentralized, they open themselves up to new threats and more vulnerable access points.

How the finance sector can stay safe from insider threats

There are a few building blocks of cybersecurity architecture that a financial organization can place to have a better foundation against mounting threats – both external and internal.

  • Create access policies that follow least privilege access. Your organization may not know who has access to what assets, but a hacker probably does. With malware, spyware, and other bugs gaining sophistication, it isn’t a stretch for a determined bad actor to figure out which internal user has too much access and then target them with a phishing attack or straightforward extortion. By never giving a user access to more than the minimum they need to do a task (and then deprovisioning that access afterwards), an organization prevents access creep and removes a potential attack surface.
  • Implement fine-grained controls that employ zero trust. The methodology behind access policies applies to access controls as well — trust no one. Internal users should be beholden to the same controls any external users are, and no one should be above that idea. From time-based controls to multi-factor authentication, a mix of access controls can prevent an attack before it even occurs.
  • Conduct regular access reviews. A user access review is a periodic inventory of access rights to certain networks and systems, and of the users who hold permissions to them. By having IT and HR conduct those reviews regularly, an organization can prevent access creep, close the termination gap, or find credentials that were errantly handed out. These kinds of reviews can also flag insider bad behavior like snooping. User access reviews also help a financial organization meet SOX compliance.
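The three building blocks above come together in an access review: compare what each user actually holds against a least-privilege baseline for their role, and join that against the HR roster so terminated and unowned accounts surface. The following script is an added example written for this page, not code from the article or from any product it describes. The role baselines, permission names, user IDs and dates are all constructed sample data, and a real review would read them from an HR export and an IAM entitlement report instead.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical least-privilege baselines: the minimum permissions each job
# function needs. Role and permission names are constructed for this example.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "teller": {"core-banking:read", "teller-app:use"},
    "loan-officer": {"core-banking:read", "loan-system:write"},
    "dba": {"core-banking:read", "core-banking:admin", "db:admin"},
}


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster; termination_date stays None while employed."""
    user_id: str
    role: str
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Entitlement:
    """One row of the IAM entitlement export; last_used is None if never used."""
    user_id: str
    permission: str
    last_used: Optional[date] = None


# (finding type, user id, affected permissions)
Finding = Tuple[str, str, List[str]]


def review_access(employees: List[Employee], entitlements: List[Entitlement],
                  as_of: date, stale_days: int = 90) -> List[Finding]:
    """Return review findings: orphan accounts, termination gaps,
    access creep beyond the role baseline, and stale (unused) grants."""
    by_user = {e.user_id: e for e in employees}
    granted: Dict[str, Set[str]] = {}
    for ent in entitlements:
        granted.setdefault(ent.user_id, set()).add(ent.permission)

    def has_left(emp: Employee) -> bool:
        return emp.termination_date is not None and emp.termination_date <= as_of

    findings: List[Finding] = []
    for user_id, perms in granted.items():
        emp = by_user.get(user_id)
        if emp is None:
            # Entitlements with no HR record behind them: nobody owns this account.
            findings.append(("orphan", user_id, sorted(perms)))
        elif has_left(emp):
            # Termination gap: the person is gone but the access is not.
            findings.append(("termination_gap", user_id, sorted(perms)))
        else:
            # Access creep: anything beyond what the role's baseline allows.
            excess = perms - ROLE_BASELINE.get(emp.role, set())
            if excess:
                findings.append(("access_creep", user_id, sorted(excess)))

    for ent in entitlements:
        emp = by_user.get(ent.user_id)
        if emp is None or has_left(emp):
            continue  # already reported above
        # Stale grant: still held by an active user but not exercised recently,
        # which is the usual sign that a task-scoped grant was never deprovisioned.
        if ent.last_used is not None and (as_of - ent.last_used).days > stale_days:
            findings.append(("stale", ent.user_id, [ent.permission]))
    return findings


# Constructed sample roster and entitlement export (not real data).
EMPLOYEES = [
    Employee("alice", "teller"),
    Employee("bob", "loan-officer", termination_date=date(2024, 3, 1)),
    Employee("carol", "dba"),
]
ENTITLEMENTS = [
    Entitlement("alice", "core-banking:read", date(2024, 4, 10)),
    Entitlement("alice", "teller-app:use", date(2024, 4, 12)),
    Entitlement("alice", "loan-system:write", date(2024, 2, 20)),  # not a teller permission
    Entitlement("bob", "core-banking:read", date(2024, 2, 28)),    # bob left on 2024-03-01
    Entitlement("carol", "core-banking:read", date(2024, 4, 14)),
    Entitlement("carol", "db:admin", date(2023, 12, 1)),           # unused for 136 days
    Entitlement("svc-report", "core-banking:read", date(2024, 4, 1)),  # no HR record
]
REVIEW_DATE = date(2024, 4, 15)

if __name__ == "__main__":
    for kind, user, perms in review_access(EMPLOYEES, ENTITLEMENTS, REVIEW_DATE):
        print(f"{kind:16} {user:12} {', '.join(perms)}")
```

Each finding maps to one of the controls in the list: access creep and stale grants are least-privilege failures to deprovision, termination gaps are the HR-to-IT handoff the review exists to catch, and orphan accounts are the ones most likely to slip past any zero-trust control because no person is answerable for them. Running the review on a schedule and keeping its output is also the evidence an auditor asks for when checking SOX access controls.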