A Closer Look at Insider Threats in the Financial Sector

By Philip Robinson | 01.05.2018 | Data Security

According to the IBM X-Force Threat Intelligence Index 2017, the financial services industry experienced the highest number of cyber-attacks in 2016. 58% of these attacks were caused by insiders. 53% of insider attacks were inadvertent, and only 5% were malicious. Insider attacks are not necessarily initiated by current employees; former employees and third parties are also responsible. The report suggests that the reason the financial sector experiences so many insider threats is that it has a greater susceptibility to phishing attacks, in which case institutions need to focus on educating employees about how to identify such attacks.

The consequences of an insider attack can manifest in a number of different ways. They can lead to the disclosure of confidential customer data, which undermines the customer’s trust in the institution. They can result in fraud, monetary loss, loss of intellectual property, disruption of critical infrastructure, and damage to the institution’s reputation.

How can financial institutions protect themselves from insider threats?

Of course, the first step is to educate employees – especially with regard to phishing attacks. Staff members must be informed about the types of emails that are typically associated with phishing attacks. These might include emails from unrecognized senders, emails asking them to disclose personal or financial information, emails containing the word “URGENT”, or emails with impersonal salutations such as “Dear valued customer”. They must be trained to carry out an independent analysis of each situation and to report any suspicious behaviour.

It is crucially important that institutions know exactly who is accessing what data, and when. To start with, institutions must ensure that passwords are rotated regularly. It is often the case that employees casually share passwords, as this can make life easier in some circumstances. However, should these credentials fall into the wrong hands, confidential data could be leaked for some time without anyone noticing. As such, regularly rotating passwords limits the amount of damage a rogue insider can do with a shared or stolen credential.

After you have implemented a policy that requires passwords to be changed after a selected number of days, you may experience a higher number of account lockouts as employees forget to change their passwords in time. To avoid such cases, you can automate the process of reminding users to change their passwords with Lepide User Password Expiration Reminder.

Additionally, LepideAuditor can detect, alert on and respond to concurrent logins (when a single user is logged in on multiple devices or from multiple locations at the same time). Institutions must also make sure that employees are only granted access to the data they need. They must be able to identify who has access to what data, how permissions are granted, and when those permissions are changed. Institutions must be able to detect, alert on and respond to suspicious file and folder activity – either based on a single event or on a threshold condition. They must also be able to monitor account modifications and deletions, manage inactive user accounts, track privileged mailbox access and perform other types of auditing.

Finally, the threshold alerting feature in LepideAuditor can be very useful for limiting the damage caused by ransomware attacks. A ransomware attack will typically encrypt data on the victim’s device and demand a ransom payment from the victim in exchange for the decryption key. While threshold alerting doesn’t stop the malicious code from being executed, it can be used to automatically detect, alert on and respond to the attack, thus limiting the damage it can cause. For example, if X changes of type Y are made over period Z, a custom script can be executed which may disable a user account, stop a specific process, change the firewall configuration, or shut down the server.
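The threshold rule described above (X changes of type Y within period Z), as an added example that is not Lepide's code: it scans constructed audit lines in an assumed "timestamp user action path" format, keeps a sliding window of MODIFY events per user, and raises one alert per user when the count crosses the threshold; the response action is left to the deployment.

```python
from collections import deque
from datetime import datetime

# Constructed sample audit lines (not real logs). Format assumed here:
# ISO timestamp, user, action, path. alice writes four files in five
# seconds; bob's two modifications are minutes apart.
SAMPLE_LOG = """\
2018-01-05T09:00:01 alice MODIFY /finance/q4.xlsx
2018-01-05T09:00:02 alice MODIFY /finance/forecast.xlsx
2018-01-05T09:00:03 bob READ /finance/q4.xlsx
2018-01-05T09:00:04 alice MODIFY /finance/budget.docx
2018-01-05T09:00:05 alice MODIFY /finance/payroll.csv
2018-01-05T09:02:00 bob MODIFY /hr/notes.txt
2018-01-05T09:05:00 bob MODIFY /hr/notes.txt
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def detect_threshold(lines, max_events, window_seconds, action="MODIFY"):
    """Return alerts (user, timestamp, count): one per user, raised the
    first time that user's `action` events within `window_seconds`
    reach `max_events`. Lines must be in chronological order."""
    recent = {}      # user -> deque of timestamps inside the window
    alerted = set()  # users already reported, to avoid alert storms
    alerts = []
    for line in lines:
        ts, user, act, _ = parse_line(line)
        if act != action:
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        # Drop events that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_events and user not in alerted:
            alerts.append((user, ts, len(q)))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    # Rule: 3 modifications by one user within 10 seconds.
    for user, ts, count in detect_threshold(SAMPLE_LOG.splitlines(), 3, 10):
        print(f"ALERT {ts.isoformat()} user={user} modifications={count}")
```

In a real deployment the alert would hand off to the response script the article describes (for example, disabling the offending account) rather than only printing.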