“There is likely no greater threat to financial stability than a large-scale cyber event, and we see ever-increasing numbers of cyberthreat incidents,” he said. “In fact, more than 30 percent of all cyber incidents today are caused by malicious insiders, or unintentionally by employees or contractors.”
What’s the best way to avoid this damage? Understand that you have a problem and take the steps you can to mitigate it.
What Is an Insider Threat?
An insider threat is a security issue that originates inside an organization and threatens the business’s security, monetary assets or information. Such threats can be unintentional (such as putting sensitive data on a cloud service intended for personal use) or malicious in nature. The result can be costly and difficult to repair.
Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, notes that insider threats often represent a mixture of technical and human concerns, which means that it’s an issue that is often managed across disciplines.
“Making sure that you have an alignment between what the cybersecurity team might be looking for as well as what the HR team might is always incredibly valuable,” he says.
Insider threats are a widespread problem, and fighting these threats is an area of emphasis for a number of industries, but the financial field in particular has taken steps to raise its guard.
SIFMA, a trade group that represents banks, asset management firms and the securities field, has released an in-depth best practices guide that can apply to any industry looking to keep information and assets secure.
“[U]nlike in a general cybersecurity program, every component in an insider threat mitigation program must have a distinctly human element,” the SIFMA guide states. “While external cybersecurity threats can often be prevented or detected primarily through technical tools, those technical tools are insufficient to prevent many insider threats.”
Different Types of Insider Threats
Insider threats can vary widely in nature. The Ponemon Institute report lays out three primary types:
- A contractor or employee who is careless or negligent
- An unscrupulous insider who acts criminally or maliciously
- A credential thief, or someone impersonating an employee
Of these, the first type is by far the most common, representing 62 percent of the insider threats studied in the report. It is less common for employees to act with criminal or malicious intent, though there have been high-profile cases of workers taking confidential information with them when they leave an organization.
These threats are not isolated and can vary widely in scale. The Ponemon Institute’s research found that 60 percent of the organizations it surveyed had more than 30 incidents per year. While some incidents can be managed quickly, others can take more than two months to mitigate, according to the report.
Insider Threat Vulnerability Indicators
Much like everything else regarding insider threats, uncovering potential vulnerabilities requires looking at both the technical and the human aspects. From a technical standpoint, Proofpoint’s Kalember says that it’s important to take steps to track organizational data for signs of a potential problem.
“You never want to be in a situation where you think something’s happened but you don’t have the data to prove it,” Kalember says. “That is the single most important principle: Understand how to capture what users are doing with the data that ultimately matters to the organization.”
He warns, however, that the shifting nature of work around COVID-19 has changed the dynamic of vulnerability detection, making problems harder to detect than in the past. This means prevention tactics are even more essential.
“Certainly, pre-March, you might have assumed that most of that was viewable in something like network traffic,” he said. “Now, a lot of people are working from home, and it is no longer the case. Most of the time, you have a user going from a cable modem straight to a cloud application.”
The SIFMA best practices guide lays out a variety of factors that can indicate vulnerability due to a staff member. On the malicious side, coworker disputes or suspicious behaviors such as failed login attempts can point to issues that raise the potential for insider threats. Organizationwide shifts, like a merger or other major change, can cause stress, which can also lead to potential problems.
COVID-19 is a prime example of such a shift, Kalember says: “There are all kinds of stresses that didn’t previously exist — economic, with the work environment and otherwise — that have really created the perfect set of conditions for these problems to grow.”
How Businesses Should Respond When There Is a Problem
Insider threats are often frustrating and cost a lot of time and money to resolve, making prevention a primary goal.
The SIFMA guide recommends building an insider threat team to help mitigate risks throughout the organization using staff resources such as executive managers and human resources departments. It also recommends using technical tools and resources for defining risks, such as the National Institute of Standards and Technology’s Cybersecurity Framework.
SIFMA’s Price emphasizes the importance of creating structured guidelines to help build compliance and help prevent insider threats.