Financial institutions must address the insider threat

The case of data theft at Julius Baer is a stark reminder of the need to protect confidential information from being exploited by employees. On the whole, banks trust their employees. However once they have successfully passed security checks granting them access to confidential information, the trust initially granted could become misplaced, should employees feel motivated to exploit their access to sensitive data.

Although the ratio of insider threat, to external threat is still small, the impact is often greater due to the fact that the insiders:

1. are trusted
2. understand their domain
3. have privileged access to information

There is a need for regular reminders to employees on acceptable use of a bank’s IT system. User activity monitoring (UAM) and data loss prevention (DLP) solutions need to be implemented and active from the outset. These tools highlight user behaviour, the information they have access to and what they do with this information. In some cases, solutions are deployed reactively, and this may be the reason Julius Baer has had to investigate the issue after the effect. This has resulted in the company suffering some reputational damage.

When defining the business impact of internal data theft, to an organisation, it is often difficult to articulate what that equates in terms of monetary value. In the case of Julius Baer, there was a settlement of €50 million last year, the cost of carrying out the investigation and an unquantifiable amount of reputational damage. When trust in banks is at an all time low, reputation equity is of immense value to a bank.

When considering the monetary impact in this case, one way of doing so is to compare the cost of paying the settlement against the cost of implementing an adequate security solution. By comparison, the cost of deploying better security is significantly less than €50 million.

Banks need to be more proactive in their approach to the insider threat. Internal policy must explicitly define best practice, and at the same time deter employees from breaching policy by communicating the criminal consequences of such activity. All information, both confidential and public, belonging to an organisation needs classification. This will allow for more efficient monitoring, detection and ultimately the eradication of confidential data being passed outside an organisation.

Financial institutions need to define security policies relevant to their business and ensure employees understand their significance. There must be continual security awareness training for employees, supported by senior management.

Every business wants to avoid security breaches, both external and internal. The main problem with internal breaches is that when it occurs, everyone questions how it was possible and not stopped before it either took place or became so severe. It is too costly – both in monetary and reputational terms – not to do so.