The Risk of Insider Threat in Financial Services

By Tony Holland

The Financial Services sector is a prime target of cybercrime because the personal and financial data it collects from its customers can easily be monetised. In 2020 more than 1,500 security incidents were reported in the Financial Services sector globally, with financial motives behind more than 90% of the confirmed data breaches, according to the Verizon 2020 Data Breach Investigations Report.

Australia’s largest banks acknowledge risks associated with cyber threats, and the dire social and financial consequences of data breaches, including business disruption, reputational damage, financial losses, regulatory sanctions, and a loss of customers.

Australia’s Financial Services industry regulator has concerns about the sector’s cyber resilience. The Australian Prudential Regulation Authority (APRA) supervises Australia’s banking, insurance and superannuation institutions, promoting the financial system’s stability and seeking to reduce the likelihood of a financial institution failing.

To ensure that all regulated entities have adequate information security protection, APRA requires them to comply with its Prudential Standard CPS 234 Information Security. Amid consistent evidence that many entities were failing to comply adequately with CPS 234, in November 2020 APRA announced a 'step change in regulatory intervention' with the release of its 2020-2024 Cyber Security Strategy.

Data breach incidents can result either from an external cyber-attack, such as distributed denial of service, malware or ransomware, or from an insider.

A data breach that starts with credential theft is often classed as an external attack. It is better viewed as an insider threat incident: with the stolen credentials, the external cybercriminal impersonates an insider and inherits that insider's access. Take the massive LinkedIn data breach of 2012 as an example, in which a Russian hacker stole the credentials of a LinkedIn engineer. Using those credentials, the hacker accessed the LinkedIn network posing as the engineer, a trusted insider. With the insider's access he was able to log into the LinkedIn user database and download the usernames, password hashes and e-mail addresses of millions of LinkedIn users.

An increased focus on Insider Threat is required

There is a lot of recent commentary about the heightened external cyber-attack environment. However, insider threats remain an under-addressed cybersecurity risk within many organisations. Security incidents caused by insiders are clearly increasing: the number of reported insider incidents rose by 47% between 2018 and 2020, according to the Ponemon Institute.

Further, the rapid shift to remote working during the COVID-19 pandemic has made insider attacks harder to detect.

In response to COVID-19, Australia's largest banks accelerated their cloud migration strategies and their support for remote working. For example:

  • In 2020 National Australia Bank had 865 applications in the cloud, with plans to migrate a further 1,080 by 2025;
  • During COVID-19 the Commonwealth Bank of Australia shifted more than 39,000 employees to remote working;
  • By 2025 the Commonwealth Bank of Australia plans to have 95% of its computing in the cloud;
  • Responding to COVID-19, Westpac Group had 85% of employees working from home; and
  • In 2020 ANZ Bank moved 95% of its non-branch employees to working from home.

Greater use of cloud applications, combined with higher rates of remote working, can make insider attacks more difficult to detect, and so increases insider threat risk.

Strategies for Financial Services organisations to minimise Insider Threats

Strategies to minimise insider threats differ according to the type of insider. Ponemon Institute analysis of the incidents reported in 2020 against its three insider threat profiles found that:

  • 62% were due to employee or contractor negligence;
  • 23% were caused by criminal or malicious insiders; and
  • 14% involved credential theft.

Preventing data breaches resulting from criminal or malicious insiders

The Australian Cyber Security Centre (ACSC) publishes advice on protecting against criminal or malicious insiders, covering technical controls, access controls and auditing.

Technical controls include controlling the channels a malicious insider could use to exfiltrate data: blocking the copying of confidential data to removable storage (e.g. a USB stick); preventing access to confidential data from unmanaged devices; controlling the printing of confidential data; limiting the ability to attach confidential data to e-mail; and blocking uploads of confidential data to cloud-based storage services.

Access controls include restricting access to confidential data so that staff can only reach what they need to do their job, and ensuring that access is removed when they change roles or leave the organisation.
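As an added illustration of that access-control point (example code written for this edit, not ACSC guidance or any bank's tooling), the following Python script reconciles a constructed HR feed and a role-to-group matrix against a constructed entitlement export. It flags leavers who still hold access, accounts with no HR record at all, and movers who kept groups their new role does not need. Every user, role and group name is an assumption.

```python
"""Reconcile HR status and role against granted entitlements.

Added example, not from the article or the ACSC. The HR feed, the
entitlement export and the role-to-group matrix are all constructed.
"""

# Constructed HR feed: who is employed and in what role.
HR = {
    "alice": {"status": "active", "role": "payments-ops"},
    "bob":   {"status": "active", "role": "developer"},  # moved from payments-ops
    "carol": {"status": "terminated", "role": "payments-ops"},
}

# Groups each role legitimately needs: the least-privilege baseline.
ROLE_GROUPS = {
    "payments-ops": {"payments-read", "payments-approve"},
    "developer":    {"source-repo", "ci-runner"},
}

# Constructed entitlement export from the directory service.
ENTITLEMENTS = {
    "alice": {"payments-read", "payments-approve"},
    "bob":   {"source-repo", "ci-runner", "payments-approve"},  # kept old group
    "carol": {"payments-read"},                                 # terminated
    "dave":  {"source-repo"},                                   # no HR record
}


def reconcile(hr, role_groups, entitlements):
    """Return (user, finding, groups_to_revoke) tuples, sorted by user.

    finding is one of:
      orphan  - account has entitlements but no HR record
      leaver  - HR says the person is not active, yet access remains
      excess  - active user holds groups outside their current role
    """
    findings = []
    for user, groups in sorted(entitlements.items()):
        record = hr.get(user)
        if record is None:
            findings.append((user, "orphan", sorted(groups)))
        elif record["status"] != "active":
            findings.append((user, "leaver", sorted(groups)))
        else:
            excess = groups - role_groups.get(record["role"], set())
            if excess:
                findings.append((user, "excess", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, revoke in reconcile(HR, ROLE_GROUPS, ENTITLEMENTS):
        print(f"{user:6} {finding:7} revoke: {', '.join(revoke)}")
```

Run against a real directory export this becomes the daily joiner-mover-leaver check; the interesting output is the third column, which is exactly the list of revocations an identity team should action.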

Auditing refers to logging and monitoring employees' network activity, especially on high-risk systems and when working with confidential data. Australia's major banks face the added challenge of a very large number of application systems (e.g. more than 2,000), developed by different providers, built on differing technologies, and with limited or no integration between them.

To be effective, user activity monitoring needs to cover every data exfiltration channel available to the user, including e-mail, USB, print, web, cloud, local drive, screen capture and clipboard.

APRA's Chair Wayne Byres provides a stern warning: "It is not a matter of planning for if somebody gets into your system, it's a matter of when someone gets in – and how quickly you can shut down their activity."

Data Breach Prevention is the key

If an insider has already stolen your data, there is little you can do post breach to recover the data.

Going back to the LinkedIn example, LinkedIn first became aware of the breach after learning that its user data had been posted for sale on an online forum. The very lengthy post-breach investigation eventually identified who stole the data, but by then it was far too late: the user data had long since been compromised.

That is why prevention is key.

According to Gartner, Insider Risk Management Solutions provide passive controls that ‘do not directly mitigate risk but provide the situational awareness that enables the application of an appropriate active control (for example, altering the configuration of a content filter in a secure web gateway)’.

Australia's major banks also face a problem of scale, with the activities of roughly 40,000-50,000 employees to monitor for suspicious behaviour. The time and resources needed to pick out suspicious behaviour from a high volume of alerts, and then to respond by applying an appropriate active control, are likely to be too great to prevent a data breach, and some breaches may go unnoticed altogether.

Emerging technology solutions seek to address this challenge by integrating the passive control system (e.g. the user activity monitoring and behavioural analytics platform) with the active control system (e.g. the configuration of a secure web gateway or data loss prevention system), giving an automated, adaptive control that is driven by an insider threat risk score calculated from each user's behaviour. Deployed successfully, this model lets an organisation apply monitoring-only policies to low-risk users while dynamically applying blocking policies to high-risk users, preventing data breaches.
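The cross-channel monitoring and risk-adaptive control described above, as an added example that is not code from this article or from any vendor's product. It replays a constructed activity log spanning several exfiltration channels, scores each user's behaviour with assumed channel weights (confidential data and off-hours activity weigh more), and records the action the enforcement point would apply at the moment of each event: the policy in force before the event, which escalates from monitor to alert to block as the user's score rises. The log format, weights, thresholds and sample lines are all assumptions.

```python
"""Risk-adaptive insider-threat scoring over a constructed activity log.

Added example, not code from the article or from any vendor product. The
event format, channel weights, policy tiers and sample log are assumptions.
"""
from collections import defaultdict

# Weight per exfiltration channel: how much one event raises a user's score.
# Illustrative values, not a vendor's model.
CHANNEL_WEIGHTS = {
    "usb_write": 25,
    "cloud_upload": 20,
    "web_upload": 15,
    "email_attach": 15,
    "print": 10,
    "screen_capture": 10,
    "clipboard": 5,
}
CONFIDENTIAL_MULTIPLIER = 2   # events touching confidential data count double
OFF_HOURS_BONUS = 10          # activity outside 07:00-19:00

# Score thresholds for the active control applied to a user's traffic.
POLICY_TIERS = [(0, "monitor"), (40, "alert"), (70, "block")]

# Constructed sample log: ts|user|channel|classification|bytes
SAMPLE_LOG = """\
2021-03-02T09:12:00|alice|email_attach|internal|20480
2021-03-02T09:40:00|alice|print|internal|4096
2021-03-02T21:05:00|bob|usb_write|confidential|734003200
2021-03-02T21:07:00|bob|cloud_upload|confidential|734003200
2021-03-02T21:09:00|bob|email_attach|confidential|1048576
2021-03-02T10:00:00|carol|clipboard|internal|512
this line is malformed and must be skipped
""".splitlines()


def parse_event(line):
    """Parse one log line; return None for malformed input rather than raising."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, user, channel, classification, size = parts
    if channel not in CHANNEL_WEIGHTS or not size.isdigit():
        return None
    return {"ts": ts, "user": user, "channel": channel,
            "classification": classification, "bytes": int(size)}


def event_score(ev):
    """Risk contributed by a single event."""
    score = CHANNEL_WEIGHTS[ev["channel"]]
    if ev["classification"] == "confidential":
        score *= CONFIDENTIAL_MULTIPLIER
    hour = int(ev["ts"][11:13])          # ISO-8601 timestamp, hour field
    if hour < 7 or hour >= 19:
        score += OFF_HOURS_BONUS
    return score


def policy_for(score):
    """Highest tier whose threshold the score meets."""
    chosen = POLICY_TIERS[0][1]
    for threshold, name in POLICY_TIERS:
        if score >= threshold:
            chosen = name
    return chosen


def replay(lines):
    """Replay the log in order.

    The action recorded for an event is the policy in force *before* it, since
    that is what the gateway/DLP can enforce at the time. The event then raises
    the score, which may move the user to a stricter tier for the next one.

    Returns {user: {"score": int, "policy": str, "actions": [str, ...]}}.
    """
    state = defaultdict(lambda: {"score": 0, "actions": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                     # malformed or non-exfiltration event
        user = state[ev["user"]]
        user["actions"].append(policy_for(user["score"]))
        user["score"] += event_score(ev)
    return {u: {"score": s["score"], "policy": policy_for(s["score"]),
                "actions": s["actions"]} for u, s in state.items()}


if __name__ == "__main__":
    for user, result in replay(SAMPLE_LOG).items():
        print(f"{user:6} score={result['score']:4} policy={result['policy']:8} "
              f"actions={result['actions']}")
```

In the sample, alice and carol never leave the monitor tier, while bob's first off-hours USB copy of confidential data is only observed, his second channel (cloud upload) is alerted on, and by his third the enforcement point is already blocking. That lag of one event is the point the article makes about passive controls: the score only becomes an active control once the decision loop is automated.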

Tony Holland is Strategic Account Manager - Financial Services & Government at Forcepoint, a specialist in data protection and cybersecurity.