Mitigating the Danger of Insider Threats in Financial Institutions

Cybersecurity executives are implementing measures to control the damage that can be caused by bad actors who already have a foothold inside networks

The threat insiders pose to data integrity and security is a growing concern for many cybersecurity executives in financial firms. A 2020 report from cybersecurity company Gurucul reveals that 68% of organizations feel vulnerable to insider threats.

However, while the term ‘insider threat’ is commonly used to refer to employees misusing their credentials to steal data or inappropriately access systems, it can have other meanings.

For example, a mistake by a well-meaning employee can leave the door open to bad actors, enabling them to gain access to the network by hijacking an unsuspecting user’s account. This kind of accidental incident may even be more common than malicious data theft.

In a study by cybersecurity software provider Netwrix, 59% of financial firms said employees sharing data accidentally or administrators making mistakes had caused cybersecurity incidents. Just 11% had experienced data theft.

It is crucial for cybersecurity executives to distinguish between accidental and malicious behavior in their organizations. This affects both how the incident should be addressed and wider perceptions of the cybersecurity team.

“We’re not here to be big brother in a sense that we’re trying to find a way to crucify you,” quips Bank of America Merrill Lynch SVP Business Information Security Officer David Monahan. “It’s all about separating that insider threat from the threat on the inside.”

He adds: “We may need to discipline [staff] from either an ignorance or misbehavior perspective. For clicking on the link, but not from the perspective of someone who is one trying to steal our data.”

The Evolving Threat of Social Engineering

Cyberattacks are rife in the age of COVID-19. Research from email security firm GreatHorn shows that 53% of cybersecurity professionals have seen an increase in email phishing attacks during the pandemic.

“We saw a huge number of attacks [because of the pandemic],” says BNP Paribas Group Head of Cyber Risk Intelligence Jules Pagna Disso. “But rather than being directed at the business, what we have observed is that the attacks were directed at end[1]users.”

Of course, phishing attacks have been around for a long time. What is new is the intricacy and personalized nature of the attacks, in many cases rising to the level of ‘social engineering’.

The ‘social engineer’ uses psychological manipulation to trick people into giving up personal information, or otherwise compromising their security. During the pandemic, attackers used these techniques to target employees working remotely, capitalizing on fear and uncertainty.

“Most of the attacks that we have seen have been around the COVID-19 theme,” says Pagna Disso. “When targeting people directly in their personal environment, people have a certain fear that they will not necessarily disclose to their employer, and the attackers were trying to take advantage of that.

“Social engineering is the single largest attack surface that we have, because it’s one of the most effective,” notes Equifax Business Information Security Officer Michael Owens. “It goes beyond just phishing or spear phishing. It targets human behavioral elements in the attack, which makes it so effective.

To fight this evolving threat, cybersecurity executives are renewing their approach to training and awareness. They are focused on raising awareness about how to recognize phishing or social engineering attacks and how easy it can be to fall for sophisticated ones. “Awareness is very important,” concludes Pagna Disso. “In the corporate environment you probably expect [the threat] to be presented a certain way. But when working from home, they might not know what to expect.”

This is an extract from the exclusive report The 2021 Information Security Agenda. The report highlights how COVID-19 has rapidly shifted priorities for Chief Information Security Officers (CISOs), requiring them to implement new strategies, technologies and educational programs in a time of heightened risk. Click here to get your copy.