Prolonged remote working and the pandemic's potential impact on mental health have led banks and cybersecurity experts to warn of a growing challenge around insider threats, and it could be a costly affair for those organizations that fall victim to this form of cyberattack.
As the pandemic sent staff home across the globe earlier in the year, it created the perfect environment for cybercriminals. But while banks and financial firms rushed to gear themselves up against growing external threats, they may have to look within their organization to address the next big cyber risk.
Challenges around insider threats are "significant" in the current environment, said Mike Brookes, head of cyber intelligence at Barclays PLC, speaking at the Sibos annual financial services conference Oct. 7.
An insider threat is when an internal actor, such as an employee or contractor, poses a security risk to an organization by misusing their authorized access to critical systems or information.
Not only does remote working provide more opportunities for an insider to operate, it also makes it more difficult for internal security teams to investigate insider threats and deal with an employee under suspicion, Brookes said.
One challenge is that banks oftentimes have not deployed technology that enables them to track behavioral anomalies on employee laptops, making it harder to spot insider risks in a remote environment, said Tom Kellermann, head of security strategy at software company VMware, in an interview.
Mental health issue
The nature of COVID-19, being both a health and economic crisis, as well as one that leaves people more isolated than ever, could be making things worse.
"One of the things that we really need to be cognizant of as we progress further on into the year is the stress of the world that we're living in and the impact that's having on everyone," Brookes said.
The pandemic's long-term impact on people's mental wellbeing and morale could tip some employees over to become an insider threat, he added.
"Employers are concerned that their employees are under an undue amount of stress," said Wendi Whitmore, vice president of IBM X-Force, in an interview. "That's an effect of the larger pandemic, and just the work environment that we are all in." IBM X-Force is a business of technology company IBM that provides security research and threat intelligence.
Whitmore said clients have been increasingly concerned about insider threats and how to detect high-risk workers since the pandemic started. Her team is responsible for investigating data breaches of enterprises globally and works with cases weekly where insiders are suspected to be involved, she said.
"Having been in the industry almost 20 years, I certainly have not heard the volume of questions I'm hearing on that topic that we are today," she said.
While malicious insiders intend to cause harm to the organization, insider threats can also be accidental, coming from misconfigurations or other types of human error, according to Whitmore.
Aiding a criminal
A malicious insider could provide a cybercriminal with knowledge of how systems and processes work, and where to find the most critical data, Whitmore said. The aid of an insider typically enables an attacker to go unnoticed for a longer time after initiating an attack, making it more effective, she added.
For that reason, breaches caused by malicious insiders are often more costly for an organization than other types of breaches. The average cost of such cyber incidents, across sectors, is $4.37 million, according to IBM's Cost of a Data Breach Report 2020. In comparison, the average cost of data breaches caused by system glitches is $3.38 million, and of those caused by human error, $3.33 million.
The figures may well be higher for the financial industry, which is among the three industries that incur the highest costs when they fall victim to a data breach, according to the report.
Insiders can also help hackers to best monetize an attack, for example by guiding them on where to access valuable nonpublic market information, Kellermann said.
Or they can provide recommendations around technological interdependencies that could provide access to a bank, he added. Technology vendors, service providers and other partners are increasingly used as a route for cybercriminals to target the primary financial institution. This method, also called "island hopping," is now observed in 55% of cyberattacks recorded by VMware's 2020 Global Incident Response Threat Report.
Addressing insider threat
Organizations have a range of tools and techniques at hand to address insider threats. They need to put in place effective authentication and access logging for their most critical systems, while also limiting escalated privileges to them, Whitmore said. Endpoint detection and response tools are another way in which security teams can detect malicious activity on endpoints and understand the chain of attack, she added.
But processes and technology aside, banks and financial firms might have to start looking at insider threat first and foremost as a human resource challenge. Particularly for those people in cybersecurity roles, the job comes with "constant pressure," and the global pandemic is only adding to this, according to Jonathan Pagett, acting chief information security officer at the Bank of England.
"In cybersecurity, there isn't ever the end of the day, because we're constantly being attacked," he said, also speaking at Sibos.
Due to a high rate of burnout, the average tenure of a chief information security officer, or CISO, is just 26 months, according to a study by Nominet earlier this year, which interviewed 400 CISOs and 400 C-Suite executives in the U.S. and U.K.
"Our people are at the heart of our ability to tackle cybercrime," Pagett said. "I feel a lot of attention is always placed on improving the technology, improving processes; I actually think we need to focus on the mental well-being of our staff."