This in-depth session was hosted by Brita Bayatmakou, senior director of the Cyber and Analytics Unit at FINRA, and she was joined by Jason Beachy, section chief at the FBI, Tracy Saale, chief conduct and ethics officer at Charles Schwab, and Greg Markovich, senior director in the Cyber Enabled Fraud Group at FINRA.
The session started with an audience survey – does your organization have an insider threat program or a dedicated team in place to combat this? Yes – 76%; No – 24%. The panel moved onto the question of what an insider looks like. Markovich said that this is a piece that is often overlooked in a cyber program.
Insiders are those with access to critical systems, customer data, confidential data and can include IT vendors as well as internal tech teams and other administrative and operational employees. Why do insiders act in this way? This is usually malicious (and reward driven) or by accident (most of the cases are in this category) or caused by a disgruntled employee.
95% of insider incidents are without malice, though malicious insider risk is on a growth trajectory.
A recent incident that Markovich had seen involved a programmer who left a firm and went to a new BD where they needed to set up a new database system and structure that he had worked on similarly at his old BD. As his access had not been properly terminated, he went back in and downloaded the data structure he needed but unwittingly downloaded the entire customer database at the same time. He said 95% of insider incidents are like this and without malice, though malicious insider risk is on a growth trajectory.
There are two practical routes to follow. Training increases awareness which can significantly reduce the risk of accidents occurring. Malice must be combatted with controls and monitoring where the imperative is to get out ahead of threats.
Beachy said that the reason people do this is for reward or the ability to re-sell data or IP to national security actors and/or criminals. The targets can be corporates or government entities.
Threat landscape
The threat landscape has shifted in the last four years. Many have moved to remote and hybrid work models. While motivators have not changed much, technology has and the sophistication of the actors has too. Cyber hygiene has not advanced, allowing those with a grievance to be exploited more easily.
Markovich stated that work from home generates more risk as people are online more, and offers to sell your credentials and access to bad actors are more numerous and higher in value. Training can raise awareness of the threat of social engineering especially if realistic examples or roleplay are included.
A FINRA firm was targeted by a sophisticated player who deliberately went after insiders working from home. The actor created a persona on LinkedIn that claimed he was also an employee at the same firm. He blasted as many ‘co-employees’ as possible. Not that many replied but the ones that did were then groomed before a bitcoin calculator was revealed that the bad actor said people might like and suggested that they try. It did calculate bitcoin but it also took over their machines and recorded their keystrokes. Luckily this firm had excellent controls and identified the unusual access very fast before any damage was done.
With the increased reliance on third party outsourced suppliers, the question arises what level of due diligence is required from a cyber perspective. Saale stated that extra controls are vital so that any data they hold and handle is at least as protected as it would be in your own environment. Contracts need to be framed to account for this. Language should be appropriate, and terms to cover reporting, escalation, audit rights and policing of these conditions. Inclusion of checks conducted on credit as well as criminal history are advised for those who have access to the data (your most precious jewels).
An elevated level of scrutiny and limiting access to the bare minimum are core standards to put in place.
An elevated level of scrutiny and limiting access to the bare minimum are core standards to put in place. Data location and the regulatory requirements attached to that also need careful consideration.
GM added that some small firms are not as well-resourced but can stay on top of outsourced IT providers that alerts them to who and when their data is accessed without investing in a sophisticated IT monitoring tool.
While external actors generally originate the largest volume of damage compared to internal insider threats, the damage is disproportionately large in the latter situation. Usually external actors need to overcome obstacles to get within the perimeter. It is highly recommended to build an insider threat team which includes a senior group and is sponsored at executive level. If HR and Legal teams are included in the reporting and training, this will make them feel invested too.
Partnerships
The FBI offers partnerships to all sizes of firm locally to strengthen protection. Each regional office has a private sector coordinator environment in which any firm can be involved. It is best to activate this relationship before a problem occurs. Do it early! There are no costs and it initiates a relationship with law enforcement and the intelligence community. It can provide loss mitigation in the event of a crisis and cuts out the inevitable delays if this process is initiated during a crisis.
The panel all agreed that the recent FINRA guidance that was released in April on cyber issues and insider threat was a useful guide. Markovich added that when building an insider threat program, there is a real need for a continuum to be in place so that it evolves over time. Larger and more sophisticated firms have a mix of team and tech that can follow behavioral change that enables monitoring and reporting.
Smaller firms need to be more practical and tactical. They need to know exactly where their most important data is. There are some basic data loss prevention tools that are affordable. Most email platforms have this capability built into the software and this is one of a few key building blocks that need to be in place.
Saale added that insider threat and cyber control can seem a bit impenetrable at some firms – it is worth having internal allies and senior management needs to be educated on your approach and the potential risks. This should include data exfiltration, unusual access and downloads, complaints, abnormal trading, misconduct etc. By looping in HR, Legal, the Social team, Corporate Security and Internal Investigations, it is possible to connect the dots and then a full picture starts to emerge. This can provide a map of possible insider threat. It does not need to be formal working group but a regular meeting to focus attention and bind the collective team together is of value.
Trend analysis and awareness on what is happening at your peers will keep a program up-to-date.
Role play can help – if A happens, then B… This means that people can prep how to handle an incident and the reporting. Post mortem after an incident is also useful. Taking something that has been in the news and playing it out at your own organization is also revealing. A table-top exercise might be where there has been anomalous access to logs, an employee does not come to work the next day, then $3m has disappeared. How did this happen? How does the firm adapt to prevent it again? What resources need to change etc?
Beachy felt that trend analysis and awareness on what is happening at your peers will keep a program up-to-date. Senior management need to support it and once the program has been created and distributed, they must take it seriously and all be involved. Make it clear that anyone seeing something will be heard. The reporting mechanism must be something people believe works and will generate action. The overall health of the organization is at stake. Independent reporting should be enabled, with multiple escalation paths and it must all be anonymous with zero fear of retaliation and an understanding of what action will result.
An audience survey asked if insider threat programs included monitoring of third parties with critical access to a firms’ systems? Results – 77% Yes; 23% No.
Best practice
Markovich covered best practice around employee termination. A procedure to remove systems access needs to be in place so this happens on the day of departure and at worst within 24 to 48 hours. It can be valuable to perform a reconciliation of systems access to HR employee records on a regular basis to establish gaps. Saale added that remote employees often have firm equipment at home and there needs to be a process for efficient recovery of that. He has seen a mix of approach where some firms accept they will lose the equipment – others use the police to go recover it! Policy needs be established up front for all to see on this.
Markovich said that some users with privileged access can present challenges. Good controls are needed for outsourced roles as well as full-time employees to monitor access. It is worth trying to apply the principle of least privilege and the separation of duties as foundational and the core of any solid program. Bad actors who access an environment can result in automatic beaches of a slew of rules such as 3110, 2110, 4370 and others related to confidential data and business continuity that the firm will then be responsible for. The reputational risk and the potential for harm to customers are key issues here that need to be considered.
The panel members each gave their one key takeaway after a great discussion. Beachy said insider threat is a team sport and this is how the opposition win so we need to do the same and work as a partnership, and plan accordingly. Saale stressed the importance of training to help demystify insider risk as it is something that everyone in a firm is responsible to mitigate – it is a human problem, not a technical one. Markovich recommended an insider threat tool that was published recently as well as internal monitoring, being alert to technical indicators, behavioral changes among staff, and service providers accessing systems at unusual times.