While companies have been and are still investing in various cybersecurity projects, sometimes with lukewarm results, the management of insider threats is either left aside or is dealt with in a way that is far not effective. Most of all, some “improvements” can be even counterproductive.
In environments vulnerable to cybercrime, especially in the financial and banking sector, most investments are currently focused on the factor defense with the main aim to fend off external attacks. However, history has taught us that the most devastating threats actually arise from within the company.
It is a fact that the risks originating from a current or former employee by accident or out of negligence as well as from various business partners are considerably higher: These individuals know the nature and location of the “crown jewels”, be they information, financial or technical assets.
These employees manage and operate the information systems and know how to access them. Sometimes they are even privy to the protective security measures in place and are aware of their weaknesses.
In the financial and banking sector, these risks are often the following:
- Critical information leakage or theft
- Fraud or misappropriation of funds
- Loss of intellectual property
- Court or regulatory sanctions
- Negative reputation impact
- Financial losses caused by the above
- Disruption of critical business operations
These risks are highly complex and can only be mitigated with a multidisciplinary approach, covering the technical, business, human, socio-economic, geopolitical and financial aspects. Very bold is he who faces this challenge unarmed!
Luckily, solutions exist that leverage a holistic and transversal vision of the organization, including the business processes/needs and the technical dimension.
Company Strategy: Security evolution or regression?
While many initiatives have been made over the last few years in order to increase the maturity of the security architecture to address the external cyber-attack threats, the prevention and detection of insider threat has not been much covered. The most security advanced organizations have managed to roll-out projects covering such as Data-Loss-Prevention, privileged user monitoring or four-eye principles enforcement for critical operations. Unfortunately, the actual effectiveness of these initiatives remain quite lukewarm, often because the considerations before and during the projects were focusing solely on technology without integrating both the business requirements and the human dimension.
On a second hand, some trends to the work practices in companies claiming to make a “better place to work” tend to increase the risks rather than reducing them. Here are some examples:
- Generalization of remote working: For real estate costs reduction or flexible working purposes, remote working can certainly be claimed to be a benefit from a working condition perspective. However, from a security standpoint, it often induces a company to lose control of its sensitive data and over its employees.
- Introduction of BYOD (Bring Your Own Device): In a context of hardware and technical cost reduction and/or for convenience purposes, the tendency to store business-related data on privately owned devices makes the line between business-related use and private use very thin and also raises legal issues in case an incident occurs that requires seizing the equipment for investigation.
Finally, in addition to the above issues, more and more, financial institutions are particularly interested in reducing their operational costs to maximize their cost-benefit ratio and to reassure their investors or shareholders. These budget cuts can manifest in staff reduction, limitation of employee benefits, outsourcing business functions temporarily or even permanently. Such business decisions have a direct impact on the employees, increasing the risk of their disgruntlement or a drop in their sense of allegiance with the company, both leading to an environment favorable to negative tendencies.
Adopting a dynamic and enterprise-wide insider threat management program
In order to ensure an efficient and effective insider threat management, it is necessary to set up a close dialog between the various business stakeholders, the ones in charge of risk management and the executive management, with the objective of integrating the security aspects into the global strategy and company culture.
The most successful results can be achieved by the implementation of an insider threat management function that has the mission to facilitate the dialog between the stakeholders mentioned previously, and to facilitate the right balance between their needs and the necessary security level. With this finely tuned equilibrium between strategy, people, process and technology you can be on the train to successful risk management instead of missing or running after it.