While the primary data security objective has long been to keep malicious actors out, it is important not to overlook insider threats. According to the IBM Cyber Security Intelligence Index, in 2014, more attacks originated as a result of insiders than outsiders. Moreover, the major cybersecurity enforcement action taken by the Securities and Exchange Commission (SEC) last year involved an insider.
In one of the major cybersecurity enforcement actions taken by the SEC, Morgan Stanley agreed to pay a $1 million civil penalty to resolve a case arising out of an employee accessing over 730,000 customer accounts without authorization.
Morgan Stanley had a policy limiting employees to accessing data on clients of the team they supported. It had built a system designed to restrict employees’ access in that manner. However, a Morgan Stanley employee, Galen Marsh, discovered a programming flaw in two areas of the system. After he discovered the flaws, he conducted almost 6,000 searches over a four-year period exploiting the flaws, then transferred the data to his own private server.
The data included customers’ full names, phone numbers, street addresses, account numbers, account balances and securities holdings. Marsh said he performed statistical analysis on the data to try to discover market trends and figure out how other financial advisors were investing in order to become a better advisor to his clients.
Morgan Stanley had installed systems to prevent employees from copying data onto removable storage devices, but its system did not prevent employees from accessing an “uncategorized” website like Marsh’s personal server. His unauthorized access was ultimately discovered when portions of the data began appearing on three websites. It appears that Marsh’s server was itself hacked, and the third party responsible, believed to be Russian hackers, began posting some of the data online. Morgan Stanley agreed to pay the $1 million penalty despite having a policy in place and despite building a system designed to implement the policy.
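The two controls the case turns on, a team-scoped authorization check applied on every lookup path and a detection rule that flags an employee whose lookup volume is far above normal, are illustrated below. This is an added example, not code from the post or from Morgan Stanley; the advisor names, team names, account ids and audit-log format are constructed for the example.

```python
from collections import Counter

# Constructed sample data (hypothetical): the team each advisor supports and
# the team that owns each client account. Names and ids are made up.
ADVISOR_TEAM = {"alice": "wealth-east", "bob": "wealth-west"}
ACCOUNT_TEAM = {"acct-100": "wealth-east", "acct-200": "wealth-west"}


def is_permitted(advisor, account_id):
    """Deny by default: an unknown advisor or account never matches, and a
    team mismatch is refused. Every lookup path (search, export, report)
    must call this one check, so there is no second code path in which a
    programming flaw can skip it."""
    team = ADVISOR_TEAM.get(advisor)
    owner = ACCOUNT_TEAM.get(account_id)
    return team is not None and owner is not None and team == owner


def lookup_account(advisor, account_id):
    """Return the record only after the team-scope check passes."""
    if not is_permitted(advisor, account_id):
        raise PermissionError(f"{advisor} may not view {account_id}")
    return {"account": account_id, "team": ACCOUNT_TEAM[account_id]}


def flag_excessive_lookups(audit_lines, per_day_threshold):
    """Detection side. Audit line format is constructed for this example:
    '<YYYY-MM-DD> <advisor> <account_id> <allowed|denied>'.
    Counts every lookup, allowed or denied, because when the check itself
    is flawed the abusive lookups are all logged as 'allowed'; per-advisor
    daily volume is what stands out. Returns the flagged advisors."""
    counts = Counter()
    for line in audit_lines:
        date, advisor, _account, _outcome = line.split()
        counts[(advisor, date)] += 1
    return sorted({adv for (adv, _day), n in counts.items()
                   if n > per_day_threshold})


# Constructed audit sample: bob's lookups on one day dwarf alice's, and they
# were all 'allowed', as they would be if the scope check had a flaw.
SAMPLE_AUDIT = (
    ["2015-01-05 alice acct-100 allowed"] * 3
    + ["2015-01-05 bob acct-100 allowed"] * 40
    + ["2015-01-06 bob acct-200 allowed"] * 2
)

if __name__ == "__main__":
    print(lookup_account("alice", "acct-100"))
    print(flag_excessive_lookups(SAMPLE_AUDIT, per_day_threshold=25))  # ['bob']
```

The threshold would in practice be derived from a per-role baseline rather than a fixed number; the point is that volume, not the allow/deny outcome, is the signal when the authorization logic itself is the thing that failed.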
Insider threats vary from unintentional to malicious
The Morgan Stanley case nicely demonstrates that insider issues go well beyond malicious insiders. Incidents like Marsh’s are sometimes known as negligent threats because, while Marsh knew he was violating the policies, he didn’t intend to do any harm. Another example of a negligent threat would be an employee who knowingly tries to get around strict file-sharing policies so that he or she can work from home.
Insider threats also encompass the unintentional or accidental, where, unlike a negligent threat, the employee does not even realize he or she is violating a policy or creating a vulnerability. Unintentional insider threats include vulnerabilities such as an employee leaving a laptop in a public place, accidentally posting information to the public portion of the website, or clicking on phishing emails. According to the Verizon 2016 Data Breach Investigations Report, 30 percent of phishing messages in various sanctioned tests were opened by the target, and roughly 12 percent went on to click the malicious attachment or link. Both figures were increases from the previous year.
Malicious threats refer to those where an employee is actively trying to misappropriate data, such as an employee motivated to steal information for financial gain or espionage. According to the Verizon report, end users with access to sensitive data were roughly twice as likely as executives or system administrators to be the malicious insider. In short, malicious insiders can be any employee with access to the data. The report also noted that most such incidents are motivated by financial gain or espionage.
It is important to carefully consider insider threats because of the damage a cyberattack can cause, including financial and reputational harm. But it is also important to consider them because regulators are concerned about them as well. In addition to the SEC enforcement action, the Financial Industry Regulatory Authority (FINRA) highlighted insider threats in its 2017 Examination Priorities letter. When I was working on cybersecurity issues as a state regulator, we, too, were focused on the risks from insiders.
In our next post, we’ll cover how to mitigate the risks from insider threats.