It’s been a long time coming, if you ask us. This year, for the first time ever, Insider Threat has its very own dedicated month in September to spread awareness and improve defenses. However, beyond National Insider Threat Awareness Month alone, investment management firms need to amp up awareness and protection around this common but often overlooked security threat. Today’s top-notch firms differentiate themselves based on their own technology, and have long felt the pain of insiders exfiltrating critical intellectual property. Protecting quantitative trading logic, investment reports, trading models, term sheets and client information is top of mind, whether it’s driven by regulations like FINRA or knowledge of Insider Threat incidents at peer firms.
What Are Insider Threats and Why Do They Matter
Within the investment management space, Insider Threats occur when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not have to be a privileged user – third-party vendors, developers, traders and even buy-side analysts may pose a threat as well. For example, as they’re jumping ship to a competitor, buy-side analysts sometimes take models and research from one firm to the next, by sending them via email, printing the files or using a USB drive. In the competitive hedge fund and proprietary trading world, this type of malicious insider activity can cost firms significant sums of money. Similarly, due to poor security hygiene, a well-meaning quantitative code developer may mistakenly leave servers in the cloud unprotected. Whether intentional or accidental, user-posed risks to critical IP leave investment management firms sensitive to insider threats.
How common are Insider Threats? According to the Verizon DBIR 2019, 34% of breaches involve internal actors. That’s up from 25% in 2017. While insiders may not cause the majority of breaches, this type of threat is particularly difficult to identify and contain—and more costly than other types of threats. And lest you believe that accidents won’t cost just as much: negligence-based Insider Threat incidents cost organizations an average of $3.8 million per year.
Okay, enough of the scary statistics. Let’s talk about how to turn Insider Threat awareness into an advantage for your organization.
Detect, Engage, Assist
William Evanina, a former FBI and CIA official who heads the counterintelligence center behind Insider Threat Awareness Month, stated that the point of his agency’s campaign was to “help government and corporate organizations get ahead of the problem by bolstering their insider-threat programs so they can detect, engage and assist at-risk employees before they go down the wrong path.”
At ObserveIT, we often break these typical phases of Insider Threat defense down similarly: detect, investigate, respond. Now is the perfect time to sit down and analyze whether your business is able to effectively carry out each of these key steps.
Investment management firms often run mature security programs with a lean organization. These demands heighten the need for a comprehensive Insider Threat detection system that can catch Insider Threats from both old-school vectors (like email, print jobs, USB usage) and newer technologies (such as file-sharing apps, cloud storage sync jobs, and more). On the people side, the most common risk scenarios ObserveIT’s hedge fund and trading customers face are quantitative traders’ and developers’ activity on trading servers, as well as analysts’ activity while working with key investor, project or client information.
Similarly, if your existing SIEM or UEBA can detect anomalous user behavior, but cannot correlate the critical IP with specific users to tell the whole security story, you’ll waste a long time (weeks, months, or even years) piecing together what happened. ObserveIT provides context around user and data activity to triage whether, for example, a human or a malware infection is involved, and then to properly respond to an Insider Threat. With a small team, you cannot afford to have your security analysts spend weeks on an investigation only to come up short on evidence. With ObserveIT, this investigation time can be reduced to days, hours, or even minutes. New regulations like GDPR mandate efficient response times, public notifications, and more, so Insider Threat preparedness is no longer a nice-to-have.
Finally, if you do not have effective tools in place to respond to Insider Threats, costs increase alongside risk. After all, small but mighty security teams must rely on spreading good security practices to efficiently reduce this risk. Businesses must have user awareness and education programs and tools in place to decrease risk in real time, alongside a strategy for responding in the event of an actual insider-caused breach. Despite the most copious of security and corporate policies, in most investment management firms, both developers and regular users have no shortage of alternative tools to use in their daily jobs. An Insider Threat Management solution like ObserveIT helps you incorporate regular device and application usage into everyday user education.
A Challenge: Stay Ahead of your Finance Peers on Insider Threats
With September as the newly declared Insider Threat Awareness Month, and October as Cybersecurity Awareness Month close on its heels, you have a perfect ready-made reason to bolster your Insider Threat preparedness. As you look to budgeting and planning for 2020, review your organization’s current people, processes, and tools as they relate to Insider Threats. Among your analytical tools, do you have the basic ability to detect and respond to insider events that pop up on a daily basis, and to respond in the event of an insider incident? If not, now is the perfect time to improve your Insider Threat posture.
Not sure where to start? Our brand-new Ultimate Guide to Building an Insider Threat Management Program is a can’t-miss resource. It features detailed plans and templates to get your Insider Threat Management Program off the ground or leveled up.