Insider Threat: Not Just a Technology Issue

September is National Insider Threat Awareness Month, an initiative led by the U.S. government’s National Counterintelligence and Security Center (NCSC), the National Insider Threat Task Force (NITTF), the Office of the Under Secretary of Defense Intelligence and Security, the Defense Counterintelligence and Security Agency (DCSA), and the Department of Homeland Security.

The initiative was launched in 2019 to increase awareness about the risks posed by insider threats and the crucial role of insider threat programs. SIFMA recognizes it as an opportunity – together with ongoing financial services industry efforts – to share the latest information, including best practices and resources, to help firms as they continue to measure and enhance the effectiveness of their insider threat programs.

Impact of Insider Threats

An insider is any individual with authorized access to business systems, networks, and information. According to the DCSA, an insider becomes a threat when their authorized access causes harm, whether maliciously or unintentionally, to their organization. This makes an insider threat just as much a human problem as it is a technology one.

The impact of insider threats is continually changing. The Ponemon Institute’s 2022 Cost of Insider Threats Global Report – based on an independent study of over 1,000 IT and IT security practitioners globally – found that:

  • $15.38 million is the average annual cost of insider threat activity – up 34% since the last study in 2020
  • 56% of reported insider threat incidents were the result of a careless employee, service provider, or contractor – contributing factors included not securing devices, not following the firm’s security policy, or not applying software upgrades
  • 26% of incidents were caused by malicious insiders
  • Credential theft incidents have almost doubled since 2020

Promoting Awareness

Insider threat prevention starts with awareness. While all employees at a firm have a role in preventing threats – for example, using strong, complex passwords and understanding how to act on system alerts – an insider threat mitigation team is essential to coordinate firm-wide prevention efforts and alert relevant personnel to suspected or detected threats.

At the industry level, SIFMA hosts quarterly Insider Threat Forums with market participants on identifying and protecting against the latest insider threats. SIFMA also works with members to understand issues shaping the development of insider threat programs, such as:

  • Privacy issues including restrictions on employee surveillance
  • Use of automated decision-making tools
  • Legal and practical barriers to performing employee background checks; firms should implement the best practices that are appropriate for the firm and adhere to local, state, and federal law

As a coordinating group on internal and external cybersecurity in support of safe and secure information infrastructure, SIFMA shares best practices with the NITTF and acts as a reference for regulators to help them better understand the insider threat at financial services firms.

Implementing and Maintaining an Insider Threat Program

Insider threats are evolving, and financial services firms have responded to the rising insider threat by improving response capabilities through advances in anomaly detection and big data techniques. In a benchmarking survey conducted by SIFMA in 2018, approximately 70% of responding firms reported that they had established an insider threat program.

An effective program for insider threat mitigation involves both technical cybersecurity defenses, which typically reside within Information Technology, and human expertise that resides across the firm – including board of directors and executive management oversight.

Firms across the industry can assess their level of risk with the Cyber Risk Institute’s (CRI) Financial Services Cybersecurity Profile, which is a framework based on:

  • NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” and its five functions: Identify, Protect, Detect, Respond, and Recover
    • CRI’s Financial Services Cybersecurity Profile adds two more functions: Governance and Dependency Management
  • CPMI-IOSCO’s “Guidance on cyber resilience for financial market infrastructures”
  • ISO 27000 series controls for information security management systems
  • Financial sector supervisory guidance and regulatory frameworks

Training Employees

An employee training program is not just for new staff. It must be ongoing and updated regularly to reflect the insider threat risks the organization identified in its risk assessment, and to ensure that current employees at all levels remain focused on the firm’s security policies. At a minimum, the training must include:

  • Appropriate awareness of and competencies for data protection
  • How to detect and address cyber risks
  • How to report any unusual activity or incidents

Get involved with SIFMA’s Insider Threat Forum

If your firm is not already engaged with the Insider Threat Forum, which brings together over 30 SIFMA member firms, consider joining, and contact our Operations, Technology & BCP team for more information.

Collective awareness, mitigation programs, and education and training remain the best defense against insider threats. Only by working together do we remain diligent and continually improve our defense, resiliency, and recovery efforts to protect clients, data, networks, and operations across the capital markets and beyond.

Tom Wagner is Managing Director of Financial Services Operations for SIFMA and a Board Member of the Cyber Risk Institute (CRI).