Inside Jobs: Internal Threats Loom Large in Think Firm's Industry Chats
This scenario represents the biggest security challenge facing financial services companies today, according to a new report from Boston-based Aite Group.
Titled "Making Hay While the Rain Pours: Information Security Expert Perspectives on Financial Services," the report is based on interviews with 22 information security professionals at RSA's April conference in San Francisco.
In it, the research and advisory group argues that internal data breaches, whether from employees or contractors, deliberate or accidental, are the greatest threat facing financial services organizations.
"Given the nature of staffing cuts and disgruntled employees, it makes sense that the Zeitgeist of information security is all about internal data protection," report author Nick Holland said. "Controlling and recording access to sensitive information internally is becoming mission-critical, and no institution wants the stigma that could come from being the next Société Générale or Heartland."
Interviewees reported that 60% of employees leave their jobs with sensitive information, the report said, making it critical for companies to establish procedures such as information access rights that can help ward off internal attacks.
"Particularly given the current climate of layoffs in the financial services industry and the lack of stringent controls over employee-access privileges, a culture of caution is advisable," Holland said.
The interviews revealed other threats to the financial services industry: malware, current online authentication requirements, the move to real-time ACH and the lack of investment in information security. Interviewees also pinpointed the top risks they expect to affect the financial services industry in the next five years: internal threats (coming in at No. 1), organized crime and the hazards posed during transactions made via the fast-growing mobile channel.
Aite Group said it did discover that financial institutions are doing their jobs when it comes to keeping external menaces at bay. Vendors have generally succeeded at blocking viruses, trojans and other forms of malware in the past three years, the report said, yet outside threats still loom.
"While institutions have improved their baseline security posture with firewalls and antivirus capabilities, cyber-criminals have certainly not given up," Holland said.
In other positive news, the information security industry has weathered the recession well. According to the report, 86% of vendors said the recession has not had a negative effect on their business.
However, the recession has affected the budgets of financial institutions, meaning they have less freedom when it comes to buying services from information security companies. The report said that chief security officers struggle most with the justification of spending resources on information security.
"Budgets are hard to justify internally when threats are hypothetical rather than real," Holland said. "Making the case for resource allocation is a constant struggle, particularly in an environment in which budgets are increasingly scrutinized for excess fat."
However, financial services companies have realized they must spend money to fight internal data breaches. More than half of the interviewees said prevention of internal threats is at the top of the financial industry's budget allocations. This includes data loss prevention services, which help track employee activity and provide access controls.
Still, with tighter budgets, Aite Group recommended that information security vendors market their products by the returns they can make on customers' investments.
"We advise vendors to document case studies and create tools that can prove their product's worth," Holland said.
Through the interviews, Aite Group also identified the biggest challenge facing the card industry: magnetic stripes, which do not protect well enough against data breaches.
Instead, Aite Group recommended that card companies make it their goal to develop smart card architecture. Since cost concerns may delay this goal, the firm suggested that in the meantime, U.S. payment card networks form committees to "evaluate the migration path to a more secure payment architecture," the report said.
"It was interesting to note that the information security experts surveyed saw an intrinsic flaw in the magnetic stripe card, and, further, were knowledgeable enough regarding smart card architecture to suggest that the card industry needs to move to an EMV-type framework in the United States," Holland said.
But if only one piece of advice can come from these interview sessions, it's this: Financial services companies must prepare themselves for internal data breach threats, which have taken off due to increasing layoffs, and thus, more disgruntled and potentially malicious ex-employees.
Aside from establishing tools, policies and procedures to combat attacks, Aite Group recommended developing security policies that bridge the gap between information security and fraud/risk management.
"Developing communication between the two entities will help reap rewards in terms of more holistic protection and potential cost savings," Holland said.