In today’s highly regulated environment, financial services organizations are trusted with far more than money; they are also responsible for keeping customers’ highly sensitive personal and financial data secure. Privacy legislation such as GDPR and CCPA has come into force to ensure that they do this diligently. Likewise, with all the publicity around data breaches, we as individuals are far more aware of the growing value of our data and the need to protect it. So, unfortunately, are cybercriminals, which makes financial organizations prime targets for malicious cyberattacks. However, this is not the only threat they face: not a day passes without these firms’ own employees putting data at risk, and the insider threat is cited as having the potential to cause a great deal of damage.
By Adam Strange, Global Marketing Director, HelpSystems-Boldon James
When it comes to reducing overall breach risk, it is easy to assume that employees represent low-hanging fruit – based on the premise that it is easier to control the actions of a company’s employees than it is to defend against external attackers.
The Insider Threat is real
However, here at HelpSystems, we have recently undertaken some research, interviewing 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face. The reality is that insider threat, whether intentional or accidental, was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. Likewise, phishing emails were cited by 20% of respondents. Add these two together and you start to get a picture of the challenge these internal, employee-centric risks present for financial services firms, perhaps a far bigger one than the external threat. While external attackers are always motivated by malicious intent, the employee population is far more mixed: the reasons behind a breach, whether simple human error or deliberate action, are harder to determine, which makes understanding and mitigating insider risk a far more problematic exercise.
Misdirected emails are also a big risk
At the same time, the latest Information Commissioner Office (ICO) report has just been published and the data confirms that misdirected email remains one of the U.K.’s most prominent causes of security incidents. This report further demonstrates the need for all organizations to control the dissemination of their classified data as it states that misdirected email is, alarmingly, a 44% bigger risk to organizations than phishing attacks.
This is yet another area where organizations must ensure their data protection policies are robust enough to not only protect themselves but also their employees from the seemingly simplest of mistakes. Again, our research showed that increased remote working practices were a cause for concern, with 36% stating that they saw it as a cybersecurity threat with the potential to cause significant damage. Therefore, what remains paramount is that organizations provide their employees with the technology tools necessary to prevent the simple human errors that have the potential to result in data loss, and as a consequence, severe financial and reputational damage.
Understanding what protection your data requires
Financial services organizations must shift the dial on insider risk and reduce breach frequency, because the penalties for failing to do so are becoming increasingly draconian and the repercussions from customers far more severe. But put simply, before you can defend your data you need to know what protection it requires, and that starts with an inventory: what you hold, where it is stored, why you have it, and who has access to it. Once you have a grip on that, you can identify what is of true value to the organization, what is business-critical and what is sensitive, and then decide how best to treat it. To do that, think about the impact if a piece of information were leaked or lost. If it were made public, would it harm the business, your customers, partners, or suppliers? Would it put an individual’s security or privacy at risk? Would you lose an advantage if a competitor got hold of it? Is it subject to privacy or data-protection law, or to regulatory compliance requirements?
While this all sounds relatively straightforward, data visibility was another problematic area and subsequent threat emphasized in our research. Data visibility and knowing what data is where and who has access to it was highlighted as having the potential to cause the most damage by 14% of our survey respondents. Combine this with internal cybersecurity fatigue, which more than a quarter (28%) cited as potentially damaging, and you can start to appreciate the importance of providing tools and awareness training to help prevent those easily avoided mistakes from happening in the first place.
Employees need tools, training, education, and the right culture
As I mentioned, it is a complex problem without a simple answer, and this is where employee education is key. Employees play a vital role in maintaining a strong data privacy posture, so organizations must invest in regular security awareness training and education programs to protect sensitive information. Users are your most important security resource: train them to be an asset rather than a liability. They should be a critical part of the organization’s security posture, not excluded from it because of the associated risks.
Likewise, the security culture of the firm must be inclusive towards employees, making sure they are continually trained so that their approach to security becomes part of their everyday working practice and security is embedded into all their actions and the ethos of the business.
Together, these practices help keep the insider threat in check.
How data classification can help
One way to do this is through the implementation of data classification tools, which not only help organizations to protect their data by putting the appropriate security labels on it but also help educate users to understand how to treat different types of data with different levels of classification and sensitivity. Here at HelpSystems, our data classification solution enables users to classify both their emails and documents according to their sensitivity, using both visual and metadata labels. Once labeled, data can be controlled to ensure that emails, documents, and files are only sent to those you want to receive them, protecting your sensitive information from accidental loss.
It is a technology like this that leaders within financial services organizations should have in place to protect their employees, prevent misdirected emails, the inadvertent sharing of documents and files, and ensure that the organization is complying with data protection legislation. Remote working is likely to remain, regardless of any future regional or national lockdowns, therefore, making sure that employees have the tools to prevent mistakes and the accidental sharing of data is going to be more important now than it has ever been. The place to start is making sure that data is appropriately labeled so that the employee knows how it should be handled. And this is another best practice to keep the insider threat in check.
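To make the "label, then control release" workflow concrete, here is an added Python example. It is not HelpSystems or Boldon James product code and is not part of the original article. It assumes a hypothetical home domain (examplebank.com), one approved partner domain, and three label levels carried as document metadata and surfaced to the sender as a subject-line marking. The outbound check then does two things the article describes: it blocks a labelled attachment from leaving for an unapproved domain, and it flags recipient domains that are one typo away from the home domain, the classic cause of a misdirected email. All addresses, domains and messages are constructed for illustration.

```python
"""Label-then-control: a classification-driven check on outbound e-mail.

Hypothetical example, not product code. Labels are carried as document
metadata, shown to the sender as a visual marking, and enforced at the
point of sending. Domains and messages below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Ordered so that max() over attachments yields the strictest label."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


INTERNAL_DOMAIN = "examplebank.com"        # assumed home domain
PARTNER_DOMAINS = {"auditfirm.example"}    # assumed approved partner domains


@dataclass
class Document:
    name: str
    label: Label                           # metadata label travels with the file


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    attachments: list[Document] = field(default_factory=list)


def effective_label(msg: Email) -> Label:
    """A message inherits the strictest label among its attachments."""
    return max((d.label for d in msg.attachments), default=Label.PUBLIC)


def visual_marking(msg: Email) -> str:
    """Subject-line marking so the sender sees the sensitivity before sending."""
    return f"[{effective_label(msg).name}] {msg.subject}"


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), used for typo detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True for domains one keystroke away from the home domain (examplebank.con)."""
    return domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 1


def check_egress(msg: Email) -> list[str]:
    """Return policy findings per recipient; an empty list means the message may go."""
    label = effective_label(msg)
    findings: list[str] = []
    for rcpt in msg.recipients:
        dom = domain_of(rcpt)
        if lookalike_domain(dom):
            findings.append(f"BLOCK {rcpt}: domain looks like a typo of {INTERNAL_DOMAIN}")
        elif dom == INTERNAL_DOMAIN:
            continue                      # internal recipients may receive any label
        elif label == Label.CONFIDENTIAL:
            findings.append(f"BLOCK {rcpt}: CONFIDENTIAL content may not leave {INTERNAL_DOMAIN}")
        elif label == Label.INTERNAL and dom not in PARTNER_DOMAINS:
            findings.append(f"BLOCK {rcpt}: INTERNAL content is limited to approved partners")
    return findings


if __name__ == "__main__":
    forecast = Document("q3-forecast.xlsx", Label.CONFIDENTIAL)
    for rcpts in (["bob@examplebank.com"], ["bob@examplebank.con"], ["friend@gmail.com"]):
        msg = Email("ann@examplebank.com", rcpts, "Q3 forecast", [forecast])
        print(visual_marking(msg), "->", check_egress(msg) or "release")
```

Two design points are worth noting. The policy keys off the strictest label among the attachments, not the sender's intent, which is what stops an accidental forward of a confidential spreadsheet. And the typo check is a plain Levenshtein distance, so a transposed pair of letters scores 2 and is not caught; a production tool would use a stricter lookalike test and a maintained list of known typo domains.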
About the Author
Adam heads up the global marketing function at Boldon James, working to define and implement our strategic go-to-market campaigns. He brings a proven and successful record of managing integrated business-to-business marketing activity to both increase brand profile and capture leads and opportunities. Adam has a widespread understanding of enterprise IT infrastructure across areas such as Cybersecurity, Threat Intelligence, Cloud-based Services, Business Applications, Databases, and Hardware. Prior to Boldon James, Adam ran the marketing and alliances function at Becrypt, and has held former marketing and partnering positions at BAE Systems, Oracle, and Computacenter.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.