What lies within – protecting against the insider cyber-threat

By Guy Bunker | 4 February 2015

The financial sector is demonstrably the industry that is most at risk of a cyber-attack. PwC’s 2014 Global Economic Crime Survey found that 39% of financial sector businesses said they had been victims of cybercrime compared to 17% reported in other industries. The report also highlights that many banks don’t believe they will fall victim to cybercrime in the near future, a surprising finding as financial institutions have become increasingly digital and interconnected as time goes by.

Perhaps one reason for this, and a noticeable trend within the financial sector, is the lack of communication between organisations to share lessons learnt following an attack. The reality is that there are hundreds of external hacking attacks per day – although few are ever successful – but when one does happen to slip through the net, full details are seldom shared. Progress needs to be made to agree best practice for sharing information within the industry, especially when it comes to failed attacks. A failed attack for one business might be a successful one in another. Forewarned is forearmed.

One area that would benefit from a higher level of awareness is threats that come from an organisation’s own employees. This is not just about fraud, which is well understood, but about some of the other potential risks and consequences. PwC’s Information Security Survey 2015 found that the most likely culprit of a data breach is an internal individual; whether the breach is malicious or accidental, the risk is higher than ever before.

Accidental or malicious – the outcome is the same

Financial institutions house a tremendous amount of data – with more critical information, in more places, than many realise – making managing it a tremendous challenge. This isn’t helped by the tendency to have overly complex IT systems, created through the need to support legacy systems and applications, inevitably leading to gaps through which data can leak. A malicious employee can exploit these weaknesses to steal sensitive data, or more likely an employee could share information with unauthorised individuals by accident via these gaps.

The risk of a data breach has also increased as trends such as BYOD and online collaboration services have become more widespread. This has led to increased, rigid security policies and measures, often frustrating users who opt to bypass them in favour of more accessible, consumer offerings such as Dropbox for collaborative work and sharing. All too often these solutions only offer a baseline level of security and are not appropriate for enterprise activity where the information needs to be adequately protected from prying eyes at all times. They enable employees to share files and information without the knowledge of corporate IT, which can be potentially disastrous when, for example, those employees have access to millions of customer details.

If you look at the lawsuits that have been filed against Sony for failing to protect customer and employee data following recent hacks, the reputational risks are clear. From a regulatory standpoint, the Financial Conduct Authority (FCA) wields tremendous power to dole out fines, and upcoming European legislation could see fines of up to 5% of global turnover for failure to protect data. This elevates the need to make sure that every possible route of data leak is plugged, especially as businesses can still be penalised even if the leak was accidental. The threat from individuals inside the organisation, including inadvertent data leak events, is now proven to be greater than from those outside.

Security and collaboration: the balancing act

So what’s the best approach to stopping the insider threat? Organisations/employees will always need to share information, and mistakes will always be made, but one way to overcome this would be to batten down the hatches, monitor all network traffic and intercept any network activity that could potentially lead to a data breach. However, this kind of approach to security can severely hinder workflows and therefore business.

Critical information takes many forms. It’s not just credit card information, or customer details, but it can be defined in many different ways all of which need to be protected, and all of which may have different policy needs. As such, a more flexible approach is needed: one that can filter out only the sensitive data – according to corporate policies – whilst letting the rest through unhindered. This next generation of Data Loss Prevention (DLP) technology is called Adaptive Data Loss Prevention and can be applied to all types of communication, from email and its attachments through to web and social media uploads, enabling businesses to collaborate continuously while ensuring that certain data is not shared with unauthorised parties.
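The redact-rather-than-block behaviour described above, sketched as an added example; it is not from the original article and is not Clearswift's implementation. The policy table, the `.example` domains and the sample message are constructed for illustration, and Luhn validation is an assumed way to tell card numbers from other long digit runs.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Hypothetical corporate policy: action per recipient domain (constructed values).
POLICY = {"bank.example": "allow"}   # internal mail passes untouched
DEFAULT_ACTION = "redact"            # everything else is treated as external

# Constructed sample message: one valid test card number, one look-alike order ref.
SAMPLE = ("Refund to card 4111 1111 1111 1111, order ref 1234567890123456, "
          "call me on 020 7946 0000.")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_cards(text):
    """Mask all but the last four digits of each Luhn-valid card number."""
    hits = 0
    def mask(match):
        nonlocal hits
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()    # not a card number: leave it alone
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, text), hits

def apply_policy(recipient, body):
    """Return the action taken and the body that is actually delivered."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if POLICY.get(domain, DEFAULT_ACTION) == "allow":
        return {"action": "allow", "body": body, "redacted": 0}
    clean, hits = redact_cards(body)
    return {"action": "redact" if hits else "allow", "body": clean, "redacted": hits}

if __name__ == "__main__":
    print(apply_policy("partner@supplier.example", SAMPLE))
    print(apply_policy("colleague@bank.example", SAMPLE))
```

The external message is still delivered, with only the card number masked; the order reference and phone number pass through because they fail the length or checksum test.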

At Clearswift, we’ve worked with financial institutions across the world to provide adaptive data loss solutions. Our unique Adaptive Redaction technology doesn’t only address ‘visible’ information that can be seen in emails or in documents, but can also remove ‘invisible’ information that has been hidden in meta-data and revision histories as well as removing potentially dangerous active content. As it is automatic and policy driven, it ensures consistency across the organisation.

Any information security strategy must ensure that it facilitates continuous collaboration while protecting critical information. Ultimately, critical information will always be critical information, and it will be ever increasing. Threats to information will unfortunately continue to increase from both inside and outside the organisation, and new solutions that can adapt to changing security and business needs must be deployed in order to reduce the risks without disrupting the business.

By Dr. Guy Bunker, CTO, Clearswift