(Updated 02/02/2021)
Investment management firms entrust their employees, vendors and contractors with valuable data, including confidential client information, which ultimately increases the risk of an insider threat incident. Whether it’s accidental or intentional, data exfiltration can be a costly problem for private equity firms, hedge funds, proprietary trading firms, and more.
With the rise in publicly-disclosed systems breaches and data leaks, along with the steady stream of studies and reports covering topics like the high average cost of insider threats, and the increasing reliance on vast volumes of data for business, understanding the insider has become a high-level concern.
In 2007, a KPMG study found that just 4% of all reported cyberattacks were caused by malicious insiders, and by 2017 that number rose to a whopping 89%. That’s a pretty substantial increase, highlighting the fact that the risk of Insider Threats is very real, and a very big deal.
Despite the wealth of data talking about insider threat incident outcomes, organisations want to know: what motivates the people behind insider threats, and what can be done to obtain visibility and mitigate the risk of incidents, all while preserving the privacy of the individual?
We get asked this a lot. The answer involves finding a holistic balance between People, Process, and Technology. (And yes, they are in priority order!)
Factors Motivating Insider Threats
People are driven by special, sometimes secret, motivating factors. The same goes for potential insider threats in your organisation. If you can understand that motivation or intent, you’re well on your way to mitigating the risk of an incident!
There are two main types of insider threat: malicious, and unintentional. Perhaps surprisingly, unintentional insider threats are the more common of the two.
Both types are either direct employees, contractors or vendors with special access. While we can’t claim to know them all, here are some of the more common motivations associated with each:
-
Malicious Insider Threat
- Emotions-based: If an insider is bored, depressed, frustrated, or angry based on a situation involving an organisation or workplace, there is a high likelihood that they may act out maliciously. For example, a frustrated employee may choose to work at a competing firm, and exfiltrate critical IP, such as investment reports, quantitative trading logic, pitch books, term sheets, client information, and more.
- Financially-based: This shouldn’t come as a big surprise, but money is a huge motivator for a lot of people. If an employee is suffering from financial hardship or is looking to improve their situation, there is an opportunity to exploit their insider position for monetary gain. For example, if an employee has visibility into critical infrastructure, they may exploit that access for illicit high-value activities, such as trading crypto-assets, crypto mining, or other blockchain technologies.
- Politically-based: While not as likely, there have been several published incidents of state-sponsored insider threat attacks, and corporate espionage. The primary drivers for these individuals may be national pride, political in nature, and even a mix of the other two types of malicious insider threat: emotional backlash and financial benefit. You may find these (and other types of malicious insiders, for that matter), searching for key project names, high-profile investors, or investment information.
-
Unintentional Insider Threat
- Lack of knowledge/understanding: If an insider isn’t necessarily tech-savvy or used to considering the security implications of their actions, they may be a risk for becoming an unintentional threat. This is especially the case if your cybersecurity policies are robust and overly technical in nature. Some examples include: sharing sensitive data and information on less secure channels (like cloud storage apps); accessing critical systems on insecure public Wi-Fi; requiring users to tag regularly used content with metadata, etc.
- Convenience: In the modern age, convenience, unfortunately, overpowers almost all else. If your cybersecurity policies and tools make it difficult for insiders to do their work in a quick and efficient manner, they will likely look to circumvent the in-place systems. Some examples include: pushing files to cloud storage apps when removable storage is banned; forwarding work emails to personal accounts to work remotely, etc.
- Misplaced technology: Work on-the-go is increasingly more common each and every year. As such, offices have become more mobile (as devices have gotten smaller). Besides the increased threat of prying eyes trying to get into these protected devices, there is an opportunity for insiders to accidentally misplace their equipment, making them a huge risk. Some examples include: leaving a laptop on a table at the local coffee shop; copying files to removable storage devices and then misplacing them.
Stopping Insider Threats in Investment Management
By knowing what types of Insider Threats are within your organisation, along with their potential motivations, it becomes easier to identify if and when your organisation has become a victim of an insider data breach or incident.
In other words, visibility is essential to mitigating risk. One of the world’s leading multi-asset alternative investment firms, Bain Capital, uses Proofpoint ITM to monitor user and data activity across its systems, so it can gain critical insights on data exfiltration blindspots (such as cloud storage, web, email, USB, print, copy/paste scripts, etc.). In addition, Proofpoint ITM can detect privileged user activity from quantitative traders and developers on Unix/Linux-based trading servers, as well as investment analysis activity on endpoints.
In addition to visibility, the ability to quickly investigate and respond to potential incidents (while remaining compliant with data privacy regulations) is essential for investment management firms. For example, leading independent wealth management firm Portcullis Group uses Proofpoint ITM to quickly identify and respond to anomalous user behaviour, while preserving client confidentiality and maintaining audit trails. Using Proofpoint ITM, security teams can solve the problem of too many alerts by providing user attribution, allowing lean security teams to quickly determine the root cause of an alert and dig into who did what, when, where and why. What’s more, Proofpoint ITM can prompt accidental insider threats with security awareness alerts to prevent the same behaviour from happening in the future.
Want to learn more about identifying and investigating insider threats with Proofpoint ITM? Try it free today.