Here’s why your employees are your biggest cybersecurity risk

The cybersecurity threat is constantly evolving, and the day a firm believes it has achieved all there is to achieve is the day it falls foul of the next emerging risk. For Tony Pepper, CEO at Egress, that risk is the insider threat.

If there is a way for a criminal to exploit a company’s digital operations to get money or cause reputational damage, cyberattacks will never stop. It’s a never-ending battle. Hackers and fraudsters are innovating in just the same way data security teams are working to protect businesses, and are coming up with more efficient and sneakier ways of conning their way into systems or people’s wallets.

A study from Deloitte found that an attack can cost a criminal as little as $34 a month and net a return of up to $25,000. There are numerous other studies which show the sheer magnitude of the cyberthreat. Clearswift states that 70% of UK finance firms have fallen victim to an incident in the past year, BitSight claims nearly two in five companies have lost business due to poor data security performance, and Bearing suggests that 130,000 small businesses in the UK (around two-thirds of SMEs in the country) were hit by an external attack last year.

Whilst these external attacks often grab headlines, one of the biggest threats to companies is not an external player at all: their own employees are a major risk. The ‘human factor’ or ‘insider threat’ is tough for a company to cope with because it relies on staff being aware of what they are doing and being able to spot a dodgy email or a suspicious link. Harder still to manage and prevent is staff accidentally sharing sensitive information with the wrong recipient. Data security and compliance software company Egress recently received information from the UK’s Information Commissioner’s Office (ICO) which highlighted that human error accounted for 60% of personal data breach incidents reported since the beginning of 2019, and one in ten of those reports was made by a financial firm.

Egress CEO Tony Pepper said, “Breaches that involve the ‘insider threat’ have seen a significant evolution in recent years. Staff are being targeted by increasingly sophisticated spear phishing and social engineering attacks, making it more likely that they’ll download malware or enter their credentials into a phony system.

“What’s more, with increases in unstructured data being created and shared digitally, it’s increasingly likely that people will make mistakes when handling this data. They’re much more likely now to send an email to the wrong person or forget to check all the tabs in a spreadsheet and disclose sensitive data. Finally, as more functions are outsourced, the perimeter between what’s ‘internal’ and what’s ‘external’ has changed – so it’s not just their own systems and staff that firms need to ensure are secure; it’s their contractors and suppliers as well.”

The risk of insider breaches, particularly those caused by human mistakes, will continue to increase as people are asked to handle more sensitive data in their daily jobs, he continued. Financial institutions are always going to be a massive target, so it is their duty to ensure they can safeguard their customer data.

While it was always important for a firm to protect its customers’ data and ensure robust security systems are in place, regulations like the General Data Protection Regulation (GDPR) have made it even more paramount. The regulation came into effect on 25 May 2018 and brought with it the prospect of hefty fines. British Airways and Marriott International are just two of the companies to have been hit with a hefty penalty for failing to safeguard sensitive customer data: in July the ICO issued notices of intent to fine British Airways £183m and Marriott £99m. With other regions looking towards the EU’s GDPR as an example, other data protection regulations are beginning to sprout up around the world.

He added, “This new era of data protection not only comes with harsher financial penalties for non-compliance but also a greater level of scrutiny in the media and by consumers now that data protection is such a topical issue. Good security will help firms to avoid the financial and reputational damages as a result of non-compliance with regulations.”

Companies like Egress are helping organisations to protect their unstructured data and maintain compliance with regulations like GDPR, the California Consumer Privacy Act and the NYDFS Cybersecurity Regulation. The company, which raised $40m in a Series C late last year, uses AI technology to help organisations prevent mis-sent emails and to ensure the end-to-end protection of sensitive information shared via email or online collaboration and file sharing. In addition, its e-discovery and analytics solution helps organisations ensure full auditing and compliance requirements are met.

Data security companies are key to helping organisations improve their data protection efforts. Pepper said, “Technology has taken significant steps forward to address these risks in recent years. Advances in machine learning and advanced DLP technologies mean that it’s now possible to detect when an employee is about to leak data via email, both accidentally and intentionally. Admins and users can be alerted, and mistakes can be prevented before they’ve even happened. Similarly, technology is making it easier to spot and prevent those more sophisticated phishing attacks by analysing the level of risk associated with factors such as the originating domain or links contained within the emails.”
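The two failure modes this article keeps returning to, an employee mis-addressing an outbound email and an employee being fooled by a phishing email whose sender domain or links look legitimate, can both be caught by simple heuristics before any machine learning is involved. The following is an added illustration written for this page; it is not Egress code and makes no claim about how their product works. It assumes a hypothetical set of trusted correspondent domains and a constructed sample message, and uses only the Python standard library.

```python
# Illustrative pre-send and inbound email checks (added example, not vendor code).
# Every domain, address and the sample message below is constructed, not real.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation habitually corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "partner.example", "internal.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart means a probable typo or look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (exactly one edit away), else None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) == 1:
            return t
    return None


def outbound_warnings(to_header: str, prior_contacts, trusted=TRUSTED_DOMAINS):
    """Pre-send check: flag recipients that look mis-typed or have never been mailed before."""
    warnings = []
    for _, addr in getaddresses([to_header]):
        domain = addr.rpartition("@")[2].lower()
        imitated = lookalike_of(domain, trusted)
        if imitated:
            warnings.append(f"{addr}: domain looks like {imitated} (possible typo)")
        elif domain not in trusted and addr.lower() not in prior_contacts:
            warnings.append(f"{addr}: never contacted before")
    return warnings


ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _text_parts(msg) -> str:
    """Concatenate decoded text/plain and text/html bodies (works for multipart too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def inbound_findings(raw_message: str, trusted=TRUSTED_DOMAINS):
    """Inbound check: look-alike sender domain, display-name name-dropping, deceptive links."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    for t in trusted:  # display name claims a trusted domain the address does not match
        if t in name.lower() and sender_domain != t:
            findings.append(f"display name mentions {t} but address is @{sender_domain}")
    for href, text in ANCHOR_RE.findall(_text_parts(msg)):
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != host:  # anchor text shows one host, href goes elsewhere
            findings.append(f"link text shows {shown} but points to {host}")
        elif lookalike_of(host, trusted):
            findings.append(f"link host {host} imitates {lookalike_of(host, trusted)}")
    return findings


# Constructed sample: a phishing mail whose sender and link imitate example-bank.com.
SAMPLE_PHISH = """\
From: "Example-Bank.com Support" <alerts@examp1e-bank.com>
To: jane@internal.example
Subject: Action required
Content-Type: text/html

<p>Please confirm your login at
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a></p>
"""

if __name__ == "__main__":
    to = "jane@internal.example, bob@example-bank.co, carol@newvendor.example"
    for w in outbound_warnings(to, prior_contacts={"alice@example-bank.com"}):
        print("OUTBOUND:", w)
    for f in inbound_findings(SAMPLE_PHISH):
        print("INBOUND:", f)
```

The outbound check is deliberately noisy: a brand-new supplier contact will trigger "never contacted before", which is the point of a warn-before-send prompt rather than a hard block. The regex over anchor tags is enough for the constructed sample; a production filter should use a real HTML parser and extend the sender checks to SPF/DKIM results rather than relying on string similarity alone.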

“As ever in cybersecurity, more always needs to be done! The day we say we’ve achieved all there is to achieve, is the day we fall foul of the next emerging risk – whether that’s coming from outside or within financial firms.”

There is a clear understanding in the financial market that cybersecurity is not an optional luxury. It is a necessity. A study compiled by Lloyd’s Banking Group found that financial institutions in the UK have raised the priority they place on cybersecurity technology: 70% of UK institutions said investing in data and cyber security is a priority, up from 46% in 2018. While the technology is becoming a bigger priority, there is still much to do to update outdated systems. Cyber security infrastructure itself may also need to be changed in certain institutions, as threats have changed dramatically over the years.

“Adoption has improved in recent years but there are still some legacy systems that need replacing with the latest innovations. However, we know there’s appetite within financial firms – from the large enterprises right down to smaller firms – to move in this direction. It’s the responsibility of vendors in the market to help make this process as smooth as possible by making our technology intuitive and easy to use.”

It seems hard to believe, but the digital world will continue to become a bigger part of our lives, bringing with it more types and greater volumes of sensitive data. While attacks will never end, Pepper does believe there will be a decline in the number of data breaches. He concluded, “Security issues are at the forefront of public thought in a way they have never been before, which ultimately means that board-level execs are starting to allocate more resources to security measures. This is a good first step – but they also need to ensure these resources are applied in the right areas.”

To hear more from Egress, the company will be speaking at the Financial Services CyberTech Forum on 24th September in London.


Copyright © 2018 RegTech Analyst