Why employees can pose the greatest security threat to financial services

By Jamie Graves | 13 July 2017

We all know an exemplary and hardworking employee at our place of work. Let’s use the fictional Caroline for example, who works at R.G. Financial Solutions. She’s a respected project manager; the grease that keeps many of the gears turning at the firm. But with so much on her plate, Caroline can sometimes be a bit scattered.

Often away from her desk, Careless Caroline doesn’t always lock her workstation. Instead, she relies on the screensaver to kick in and lock it for her. When she comes back she’ll check her top desk drawer (not locked) for the sticky note with her network password written on it, just in case it slips her mind. Unfortunately, one of her co-workers has noticed Caroline’s tendencies, and has decided to capitalise on the opportunity presented to her. When the time is right, she’ll make her move.

As soon as Caroline leaves for her meeting, her desk mate Meg gets to work. Within a few minutes she has copied the password from the top-drawer sticky note into her phone, logged in with Caroline's credentials and file access permissions, and walked away with the full portfolio of project plans and notes that Caroline is planning to present.

A little bit of data manipulation, and Malicious Meg will be the one they look to for the upcoming job opening as lead project manager.

Caroline isn’t a malicious actor; she has no motivation to steal, destroy, or otherwise harm her organisation’s data. Unfortunately, she is a common character in today’s businesses.

IBM reckons a quarter of insider threats are accidental. And you don’t have to look far for high-profile examples: take the accidental leak of data on 200 million US citizens last month.

Whether it’s leaving a workstation unlocked, writing passwords on sticky notes, allowing strangers to tailgate when she swipes into the office, or clicking on links without first understanding who sent them or why, Careless Carolines everywhere are regularly letting the bad guys in.

How to handle a Careless Caroline

To put it bluntly, few technical controls can stem this tide on their own; if you want to help Caroline be more careful in her day-to-day dealings, you need to combine education with the right technology.

On the technical side, the aim is less to detect Caroline’s own activities than to have 360-degree visibility of the data flow across the organisation: who authenticated where, from which machine, and what they touched. That visibility is what lets you spot the risky behaviour of someone taking advantage of her carelessness, because the misuse shows up as her account doing things she would not do.

Caroline’s mistakes should be handled through an educational approach, rather than a disciplinary one. Show her what she is doing wrong and ensure that she’s clear about how to avoid making simple, but potentially very damaging, security mistakes going forward.

These situations call for a gentle hand, yet a stern warning. Careless Caroline should be told that under no circumstances should she be providing avenues for infiltration by malicious actors. You do not want to make her feel as though she has done something terrible, but you should be able to provide enough real-life examples to highlight the importance of security awareness. Once the offences have been listed and the point has been made, it’s time to provide security awareness training to (hopefully) ensure that these incidents are minimised. The people you’ll need are:

Cybersecurity operations to provide security event data where required, and provide security awareness education.

Management team to provide a performance improvement plan for Careless Caroline from a security awareness perspective.

Human Resources to provide oversight in the creation of the performance improvement plan, and to highlight the consequences if compliance is not achieved.

By implementing some fundamental best practices and a security-aware culture across the business you will help to improve the education of your workforce and catch these cases of careless mistakes before they become problems.

Handling unintentional insider threats is hard. With a malicious actor, an insider threat policy can dictate what happens when that actor crosses the line. If there is no malicious intent, all you can do (at first) is educate, monitor, and hope for the best. By and large, employees want to do the right thing by their company. Repeat offenders may of course face serious consequences, but how many “mistakes” is too many? That is a question you need to decide upon as a business.