It's no secret that cybersecurity needs are growing, especially in the world of Fintech. As story after story of hackers targeting high-profile companies hits the news, organizations’ cybersecurity-related panic increases and, ultimately, so does their spending.
In 2015, the world-wide cybersecurity market reached $75.4 billion.1 This spending is only expected to increase, reaching $170 billion by 2020.2
Such spending is not without merit. Cybersecurity needs are certainly growing. But, perhaps due to the predominant notion of the outside hacker, many organizations are overlooking one of the most pervasive cyber threats—the one from within their walls.
It is unclear whether organizations are unaware of the frequency of insider attacks or are in denial of attacks spearheaded by their most trusted employees. Whatever the reason, in 2015, only 35% of IT professionals were more concerned with internal threats than with external ones.3 These figures are alarming, considering that, by some accounts, greater than 50% of all security breaches in 2015 involved insiders.4
While, unfortunately, completely eradicating insider threats is impossible, mitigating them is not. There are steps that organizations can take to ensure the protection of its information – even from its own employees.
The Malicious Insider
In order to combat the malicious insider attack, organizations should develop well-defined access controls. Access control is a security technique used to regulate access to resources in a computing environment. Organizations should regulate both logical and physical access.
Logical access control regulates access to the networks, system files, and data. Here, the principle of least privilege is critical. Organizations should ensure that all employees only have as much access as they need to perform their duties. This access should be audited regularly, and updated as an employee’s needs change. The use of such access should also be monitored to the extent possible, especially for those with enhanced or superior access.
Physical access control is also essential. With physical access to the computing environment comes access to the data it holds. Organizations should control access to specific areas of its physical environment that hold the sensitive information. Even personnel information can be used to crack passwords or otherwise gain access to that individual’s system.
Organizations should also enforce a clean desk policy – computers should be locked when unattended, passwords should never be left visible for others to see (or written down at all), and all personal information must always be locked away when not in use. All of these steps help to prevent unauthorized access to information.
The Inadvertent Actor
Such insider attacks are not all carried out by malicious actors or disgruntled employees. Outside hackers usually choose to take the path of least resistance into an organization’s systems. Frequently, this path is through the company’s employees. For this reason, inadvertent actors—employees with poor cybersecurity habits or who fell victim to outside schemes—made up about a quarter of the inside attacks in 2015.5
The best way to combat events resulting from such mistakes is to develop a culture of cyber awareness. This can be accomplished through policy formalization and employee awareness and training sessions.
Organizations should develop written guidelines detailing their policies for preventing and reacting to cyber events, regardless of these policies’ maturity. Developing policies can add structure to an organization’s cyber environment. Employees should be held accountable to such policies by regular audits to ensure conformity.
Organizations should also provide their employees with awareness sessions and training tutorials. This training should be mandatory for all employees, regardless of position and should revolve around the threats that are particular to the specific organization. During this training, employees can become familiarized with the specifics of the policies and be taught to avoid, recognize, and appropriately react to threats. Tutorials can include something as simple as spotting a phishing email or creating a secure password. These sessions are also a great opportunity to engage in tabletop exercises regarding the organization’s incident response plan. A properly executed incident response plan can minimize or even eliminate damage from a cybersecurity event.
Undoubtedly, insider attacks will continue to represent a large portion of cybersecurity breaches for organizations. Giving this threat the attention it deserves and implementing the steps discussed above can diminish its prevalence and the damage that results.
As the financial services industry becomes more and more dependent on technology, highly sensitive information becomes accessible to hackers both internally and externally. Making sure your technology is safe is a must – the repercussions of a security breach could potentially include loss of clients, a damaged brand reputation, as well as legal and financial liabilities that may be difficult to recover from.
Raising private capital? In addition to following cybersecurity best practices, compliance is paramount. FINRA and the SEC are increasingly vigilant in their enforcement of escrow rules.
Read about compliant escrow management in our whitepaper:
1 Steve Morgan, Worldwide Cybersecurity Spending Increasing to $170 Billion by 2020, Forbes (Mar. 9, 2016), http://www.forbes.com/sites/stevemorgan/2016/03/09/worldwide-cybersecurity-spending-increasing-to-170-billion-by-2020/#120e768076f8.
3 Terry Childs, Insider Threats Or External Cyber Attacks – Is One a Bigger Security Risk? Identity Week (August 26, 2015), https://www.identityweek.com/insider-threats-or-external-cyber-attacks/.
4 IBM X-Force, 2016 Cyber Security Intelligence Index 4 (2016).
Securities offered through WealthForge Securities, LLC. Member FINRA/SIPC. This post is an industry update from WealthForge. The message does not constitute a research report or recommendation and does not take into account the specific investment objectives, financial situation or particular needs of the recipient. This message is not an offer to sell or the solicitation of an offer to buy any security or interest in any fund, which only can be made through a private placement memorandum that contains important information about the risks, fees and expenses of a fund.
Disclaimer: WealthForge provides this information to our clients and other friends for educational purposes only. It should not be construed or relied upon as legal advice.