How to Combat Internal Threats in the Finance Industry

Introduction  

Cyber Security threats in the finance industry are constantly evolving, presenting unique challenges to organisations. While external threats often dominate discussions, internal threats pose a significant risk that cannot be overlooked. 

Consider the following key statistics from the Securonix 2024 Insider Threat Report: 

• Insider attacks reported by organisations increased from 66% to 76% between 2019 and 2024. 

• Concern for malicious insiders rose from 60% to 74% during the same period. 

• Only 29% of respondents believe they are fully equipped with the right tools to combat insider threats. 

These statistics underscore the critical importance of addressing internal threats in the finance industry. Whether driven by malice or negligence, internal threats remain a critical concern. 

This article aims to explore the various forms of insider threats, shed light on the heightened risk faced by financial institutions, and provide strategies to effectively mitigate these internal dangers. 

 What are Internal Threats?  

Internal threats refer to cyber security risks that originate from within an organisation. These threats can stem from current or former employees, external contractors, or vendors who have access to the company’s systems and data. Essentially, anyone with access to company devices or data can potentially pose an internal threat.  

Internal threats pose a significant risk to the integrity, confidentiality, and availability of sensitive information and assets. However, because of the nature of internal cyber security threats, traditional preventative security measures are often ineffective. 

Why is the Financial Industry at Risk from Internal Threats?  

In the finance sector, each employee wields significant digital access, with an average of 10.8 million files at their fingertips. This number nearly doubles in larger organisations, to 20 million files. Such extensive access underscores the abundance of sensitive data within financial institutions. 

Expanding this access across the industry reveals an immense challenge: securing this wealth of data against both compliance requirements and internal threats. As financial organisations increasingly digitise and decentralise, they inadvertently create new avenues for exploitation. Rapid digitisation, cloud technology adoption, and the rise of remote work models all contribute to an environment ripe for cyber threats. 

Hackers recognise an opportunity: exploiting internal users represents the quickest path to compromising financial institutions. Thus, protecting against internal threats becomes paramount for the security of the entire financial industry.  

Intentional Internal Threats 

Intentional internal threats are perpetrated by individuals with malicious intent, leveraging their access to sensitive data to achieve personal gain or harm the organisation. 

These internal threats manifest in various forms, each driven by distinct motivations: 

• Fraud: Involves the theft, alteration, or destruction of company data with the aim of deceiving stakeholders 

• Espionage: Occurs when an individual steals information for another organisation, often a competitor, compromising the confidentiality of sensitive data

• Sabotage: Utilises legitimate access to a company’s network or assets to inflict damage or disrupt its operations, undermining the organisation’s functionality

• Intellectual Property Theft: Involves the unlawful appropriation of a company’s intellectual property, with intentions ranging from selling to utilising the stolen property for personal gain

• Revenge: Individuals who have been terminated or otherwise separated from the organisation may seek retribution by accessing sensitive information, aiming to tarnish the company’s reputation

Intentional Internal Threat Example: South Africa Postbank 2020

In 2020, South Africa’s Postbank faced a significant internal security breach when rogue employees copied the master key, compromising the personal data of millions of account holders and resulting in the replacement of 12 million bank cards at a cost of $58 million. 

The breach highlighted the severe impact insiders can have, especially when privileged access is involved, and underscored the necessity for robust internal security measures and vigilant management of sensitive data. 

Non-Intentional Internal Threats 

Not all internal threats stem from malicious intent. Non-intentional internal threats arise from inadvertent actions or negligence by employees, leading to data breaches or security incidents. 

Employees can inadvertently contribute to data breaches in several ways: 

• Phishing or Social Engineering Victims: Employees may be tricked into revealing sensitive information through fake communications posing as legitimate entities

• Using Unauthorised Devices: Devices like USB sticks, which may seem harmless, can be infected and provide hackers access to company data

• Using Unauthorised Software: Illegitimate or pirated software used by employees can contain malware and backdoors

• Loss of Company Devices: Unsecured or unencrypted company devices, when lost, can lead to data leaks

• Improper Access Control: Failure to properly manage user access, including third-party and ex-employee access, can lead to security issues

• Misconfigurations: Mistakes in setting up or managing cloud services and other systems can lead to significant vulnerabilities

Non-Intentional Internal Threat Example: UniSuper Google Cloud Misconfiguration 2024

In May 2024, UniSuper, an Australian pension fund, experienced a significant disruption when a Google Cloud misconfiguration resulted in the accidental deletion of their private cloud account. This outage affected over half a million members, preventing access to their accounts for a week and affecting the fund’s $125 billion worth of assets. 

The incident underscored the potential risks associated with cloud service misconfiguration by authorised personnel. Fortunately, UniSuper had backups with an alternative service provider, which minimised data loss and facilitated the restoration of services. 

How to Detect Internal Threats 

Detecting internal threats is crucial for safeguarding sensitive information and assets within the finance industry. Robust detection mechanisms are essential, including employee behaviour monitoring, network activity analysis, and advanced threat detection technologies. 

Behavioural patterns and digital analytics offer efficient methods for detection, aiding in identifying potential threats, analysing suspicious activities, and issuing alerts for deviations from typical behaviour. Examples of common indicators of insider data theft are: 

Digital Warning Signs 

• Downloading or accessing significant volumes of internal data 

• Unauthorised access to sensitive data beyond job responsibilities 

• Accessing data in unusual patterns 

• Repeated requests for unauthorised resource access 

• Use of unauthorised storage devices, like USB drives 

• Network crawling and searching for sensitive information 

• Hoarding data by copying files from secure folders 

• Transmitting sensitive data via email to external recipients 

Behavioural Warning Signs 

• Attempts to bypass security measures 

• Presence in the office during non-standard hours 

• Displaying disgruntled behaviour towards colleagues or management 

• Violations of corporate policies and protocols 

• Discussions related to resignation or seeking new job opportunities 

By maintaining vigilance and employing a combination of digital monitoring and behavioural analysis, financial institutions can effectively detect and mitigate internal threats, ensuring the protection of critical assets and maintaining trust in their operations. 

How to Defend Against Internal Threats 

In the battle against internal threats, financial institutions must adopt a multi-layered strategy that encompasses stringent access controls, ongoing security training for employees, and the deployment of advanced cyber security solutions. 

Least Privilege Access Policies 

Implementing access policies based on the principle of least privilege is paramount. By limiting user access to only what is necessary for their tasks and promptly revoking access when no longer needed, organisations can prevent unnecessary access accumulation and reduce potential attack surfaces. This approach denies malicious actors the opportunity to exploit overly permissive access rights. 

Zero-Trust Model Controls 

Implementing thorough controls based on the zero-trust model strengthens security measures further. Zero Trust is a security principle advocating for the verification of all connections seeking access to systems, regardless of their origin—internal or external. 

Treating all internal users as untrusted entities and employing measures like time-based controls and multi-factor authentication fortifies organisations’ defences against potential internal threats and data breaches. 

Comprehensive Security Training 

Promoting cyber awareness and providing comprehensive security training for all employees are vital components of a robust defence strategy. 

New employees and contractors should receive cyber security awareness training before gaining access to any computer system. Furthermore, regular training sessions and phishing simulations should also be implemented. This helps foster a culture of vigilance among staff, empowering them to identify and report potential threats effectively. 

Remote Access Monitoring and Control 

Monitoring and controlling remote access from all endpoints are critical aspects of cyber defence. Implementing intrusion detection and prevention systems for wireless networks and mobile devices is essential. Additionally, promptly revoking remote access when an employee leaves the organisation helps mitigate risks associated with remote access. 

Strengthening Network Security 

Strengthening network security is crucial for mitigating internal threats. This involves tailoring firewall configurations to your organization’s specific needs. Additionally, implementing a demilitarised zone (DMZ), which is a segregated network zone isolating critical systems from direct internet access, provides an extra layer of protection. Network segmentation is also vital to restrict user movement, thereby enhancing security measures and improving monitoring capabilities. 

 Conclusion 

Insider threats persist in the financial sector, but they can be effectively mitigated with comprehensive strategies and proactive measures. Leveraging technological advancements and enhanced security measures strengthens financial services companies’ defences against internal threats. 

Moreover, fostering a strong culture of security awareness among employees is essential. Through these concerted efforts, financial institutions can protect critical assets and maintain trust in their operations. 

For assistance in fortifying your organisation against insider threats, contact our Head of Client Solutions, Ollie Rayburn, at [email protected]. Simplify cyber security and protect your business with tailored solutions designed to meet your unique needs.