The 2020 Verizon Data Breach Investigation Report found that 30% of all breaches were caused by an insider threat. Moreover, the 2020 Ponemon Institute Cost of Insider Threats Report found that the frequency of insider threats has risen by 47% over the last two years. They also increased in cost by 31% since 2018.
Insider risk is a challenge across many industries. However, financial services companies have always been a primary target not only for data theft and financial fraud but also damage to customer trust, brand and the bottom line.
Insider-led incidents in the financial sector companies can lead to:
- Financial losses
- Data leaks
- And more
This industry also suffers from the highest average annual insider threat costs, at $14.5 million. This represents a 20.3% increase from 2018.
In this blog post, we’ll explore the risk of insider threats to the financial sector and how to combat them.
Different Threats, Different Motives: Three Insider Threat Profiles
Financial services is an appealing target for malicious insiders. Theft of funds is typically the primary motive at play. That said, for any financial services company looking to protect against insider threats, it’s worth remembering that there are three distinct types of insider threats. Each requires different detection and response strategies:
- Malicious/intentional insider threats, such as disgruntled employees or those seeking financial gain
- Accidental insider threats, such as employees or others who mistakenly put the business at risk
- Credential theft, which occurs when someone steals an insider’s credentials to carry out a security threat
The response to each of these types of insider threats should be different. In the case of malicious insiders, the business will likely need to take disciplinary action. It may be necessary to terminate the employee or other insider. In the case of an accidental insider threat, policy reminders and security training are appropriate. And in the case of credential theft, there is typically an outside actor at the root but an internal factor (the exposed credentials) that must be mitigated too.
Only a purpose-built insider threat management platform with visibility into what happened before, during, and after an incident can differentiate between these scenarios. This is key to gaining enough context for an appropriate response.
Spotlight: Finserv Insider Threats in the Real World
It’s often useful to take a look at real-world scenarios when insider threats have taken place. This can help security teams with incident response planning and tabletop exercises, which can help illuminate areas where improvements to the current security stack may be needed to defend against insider threats.
Some major insider threats have hit the headlines over the last couple years. In one case South Africa’s Postbank suffered an insider-led security breach. Multiple employees colluded after copying the master encryption key, which allowed them to access the bank’s systems and account balances, as well as to reset bank cards. It cost the bank $58 million to replace 12 million compromised bank cards and at least $3.35 million in damages.
In another example, at Shopify Inc. two employees stole data from more than 100 merchants, potentially exposing the personal information of consumers who shopped on web stores that use the company’s e-commerce software. The company terminated the two employees’ access to its network and the company is working with the FBI and other international agencies that are investigating what it called “criminal acts”.
How to defend against insider-led breaches in financial services
There are three key areas to shore up defenses for any type of insider threat, and these are particularly important for financial services companies to implement.
Security awareness training
First, all businesses should conduct regular security awareness training. This should happen on at least a biannual basis. Training should be geared towards helping employees identify advanced threat tactics—whether from outsiders looking to steal credentials or fellow employees acting in bad faith. Security awareness training should be tailored to different departments and roles based on the threats that are most common for each. Security awareness training is the most effective way to prevent accidental insider threats and credential theft and may be able to stop some malicious insider threats as well.
Data loss prevention
Next, teams should invest in data loss prevention solutions. The ideal DLP solution has threat intelligence built in to help teams understand when data is at risk. Risk can arise due to account compromise (i.e. credential theft) or intentional malicious activity. DLP should monitor data across email, cloud, and other services to ensure security teams are able to respond quickly to signs of data exfiltration. The faster an insider threat is caught, the less risk there is to the business.
Insider threat management
Finally, invest in a purpose-built insider threat management platform. These are the only tools available today that can differentiate between the three types of insider threats. An ITM platform is key to gaining contextual intelligence and visibility into the “who, what, when, where, why and how” of anomalous employee or third party behavior. So, security teams have the ability to correlate activity and data movement. This allows them to identify user risk, detect insider-led data breaches, and speed up security response times.
With the three strategies above combined, financial sectors businesses stand a strong chance of detecting insider threats early, investigating them rapidly, and responding appropriately and with sufficient context to take the right action.
All of the above is key to preventing the fallout that is at heightened risk for the financial services sector.
Want to learn more?
Start a free trial of Proofpoint Insider Threat Management here.
Subscribe to the Proofpoint Blog