The financial services industry has seen a concerning rise in internal threat actors. While breaches owed to insiders have not yet exceeded those owed to outsiders, the convergence of the two breach sources is coming to a head. What does this mean for the finance industry and how can we help protect it on both fronts?
Burning the candle at both ends
According to Verizon’s 2021 Data Breach Investigations Report, approximately 44% of financial cyber security breaches were caused by insiders while 56% were caused by external actors. This fairly even split is certainly unique to this sector.
Education sees 80% of attacks coming from external sources and 20% from internal actors. In a similar vein, 82% of breaches in manufacturing are external and only 18% internal. On the other hand, 98% of breaches in the mining and utilities industries can be owed to outsiders, with a mere 2% due to insiders. We can compare breach sources across industries all day – but there’s no doubt that the finance sector’s near-even split between the two is distinctive.
What’s really behind this convergence?
The top motive for cybercrime against the financial services industry is, well, you guessed it – financial gain. Around 96% of attacks targeted towards this industry are driven by financial intent, with espionage at a low 3%. However, can we correlate these motives with the main actions causing internal breaches? Perhaps not.
According to the report, a majority of internal breaches were accidental in nature. This means staff mistakenly sent emails to the wrong recipients or there was some other form of unauthorised disclosure. In addition, the main type of data compromised across all breaches was personal information (83%), followed by bank information (33%) and credentials (32%).
Personally Identifiable Information is doubly at risk
Considering the nature of the industry, as well as the top financial motive for attack, most people would expect to see financial data at the top of the list. PI, however, is typically the primary data compromised. Think of the massive Equifax breach from 2017 – where PI of hundreds of millions of people was stolen. Interestingly, only a small amount of these records included actual credit card numbers.
While the industry is plagued by ransomware – an attack directly focused on extorting money – personally identifying data is really the gift that keeps on giving. This is not to say that PI is more valuable than bank, TFN or other financial data, nor is it more valuable than an individual’s account credentials. PI, though, further facilitates money-grabbing scams and impersonations. When it’s stolen as a result of social engineering, phishing or ransomware, it can lead to the pot of gold at the end of the rainbow. Cybercriminals can use it for identity theft, monetary theft, fraud, public humiliation and more.
Evidently, PI is also at the heart of human error-based breaches. Approximately 79% of data compromised by miscellaneous errors across industries was personal information, with 99% of these breaches coming from internal staff mistakes, like sending an email containing PI to the wrong recipient. If this led to a customer’s PI falling into the wrong hands, who knows what damage awaits.
What is Personal Information?
Definitions range across countries and regulations; however, PI mainly refers to information that can be linked to an individual’s identity. The following is deemed PI under the Commonwealth Privacy Act (the GDPR definition and the NIST definition are also worth reading):
- Your name, signature, address, phone number and date of birth.
- ‘Sensitive information,’ which includes information/opinion on an individual’s racial or ethnic origin, political stance, criminal records and sexual orientation.
- Health records.
- Bank and Credit Information.
- Employee Record Information.
- Tax File Number Information.
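The mis-sent email described above is the kind of blunder an outbound content check can catch before delivery. The following is an added example, not code from the original article or from any product it mentions: a small Python scanner that looks for two of the PI categories listed (card numbers and Tax File Numbers), validates candidates with the Luhn check and the TFN weighted check digit so that ordinary reference numbers and phone numbers do not trigger it, masks what it finds, and holds a message for review when PI is going to a recipient outside the organisation's own domains. The domain names, email addresses, card number and TFN in the sample are constructed test values.

```python
import re
from dataclasses import dataclass

# Loose candidate patterns; the validators below remove most false positives.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")        # 13-19 digits, optional separators
TFN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")      # 9-digit TFN, optional separators
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)                          # ATO check-digit weights for 9-digit TFNs


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tfn_valid(digits: str) -> bool:
    """Weighted mod-11 check for a 9-digit Australian Tax File Number."""
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str
    masked: str
    span: tuple


def find_pi(text: str) -> list[Finding]:
    """Return validated card numbers and TFNs found in the message body."""
    findings, taken = [], []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("card_number", mask(digits), m.span()))
            taken.append(m.span())
    for m in TFN_RE.finditer(text):
        # A TFN pattern inside an already-matched card number is not a second finding.
        if any(s <= m.start() < e for s, e in taken):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if tfn_valid(digits):
            findings.append(Finding("tfn", mask(digits), m.span()))
    return findings


def assess_outbound(recipients: list[str], body: str, internal_domains: set[str]) -> dict:
    """Decide what to do with an outbound message: deliver, warn the sender, or hold it."""
    findings = find_pi(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    if findings and external:
        action = "hold_for_review"     # PI leaving the organisation: stop and check the recipient
    elif findings:
        action = "warn_sender"         # PI to internal staff: prompt the sender to confirm
    else:
        action = "deliver"
    return {"action": action,
            "external_recipients": external,
            "findings": [(f.kind, f.masked) for f in findings]}


if __name__ == "__main__":
    # Constructed sample: a customer's card number typed into a reply to an outside address.
    internal = {"examplebank.test"}
    msg = "Hi Bob, the card on file is 4539 1488 0343 6467 and the TFN is 123 456 782."
    print(assess_outbound(["bob@personal-mail.test"], msg, internal))
```

The validators matter more than the patterns: a bare digit regex flags invoice numbers and phone numbers all day, and staff learn to click through the warning. Checking the Luhn digit and the TFN check digit keeps the prompt rare enough that people read it.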
Addressing the Achilles’ Heel of financial cyber security
So, the real question is: how do we protect the financial sector and its valuable data from both internal and external compromise? The answer lies in education.
Again, when we look at malicious breaches, we see a pattern of credential compromise, phishing and ransomware. What is a common factor here? These attacks take advantage of the gaps in human defences and are typically successful when targeted at unwitting victims. Uninformed staff leave the gate wide open for trouble.
Further to that, breaches from insiders are often, for lack of a better word, blunders. With internally sourced breaches growing to meet external attacks in the middle, the financial sector can no longer stand for poor judgement and mistaken leaks.
Financial cyber security awareness training
Introducing a regular cyber security awareness training program is the key to combatting internal and external threats. By adopting a training regimen organisation-wide, you can get all employees on the same page, educating them on what types of data your enterprise holds, the significance of this data and what risks are posed to it.
For the financial services sector, informing employees on how to handle and protect data could mean a drastic decrease in internally sourced breaches. Knowledgeable employees understand the inherent value of both customer and company data and are thereby more mindful whilst dealing with it. This means a drop in unauthorised disclosure and accidental emails.
Awareness training programs further abate external breaches, teaching and testing staff on email security, password security, the dangers of malware and more. Educated employees are better prepared to spot external threats and are therefore less susceptible to falling for them. This means bolstering resilient human defences against today’s top threats.