Of all the focus areas in the recently released Finra cybersecurity practices report, one in particular caught my attention — Insider Threats. Addressing threats by insiders, like employees or consultants, can be especially challenging for advisors. Here are some key steps you can take to protect your firm.
A potential insider threat is defined as someone who has permissioned access to your systems. This could be as basic as having an email account under your organization, or as broad as having administration rights to all of your systems.
Of course, you want to be able to trust these individuals. However, there are steps to take not only to verify that your “trust” has not been compromised, but also to limit the overall risk and potential exposure.
First, create specific policies, procedures, and access rights for each insider role within your firm. There is never a one-size-fits-all approach as it relates to permission rights. In fact, depending on the size, complexity, systems, number of employees, and other factors, firms typically have several categories or more of insider role permission rights. For example, a newer employee of your firm doesn’t need the ability to remotely log in to the network. Nor should they have access to certain client files or private information. Therefore, a regular practice should be to actively adjust employees’ permission rights based on employees’ new, reduced or increased responsibilities.
Access Behavior
A second step is to review the “behavioral” aspects of how “insiders” use your systems. For example, do they primarily access systems from the office, or occasionally log in from home or even a mobile device? These may entail different connection points, and it’s likely you do not have the same level of control over each type of access point.
Specifically, maybe certain staff positions only require working from the office, and therefore the user credentials should not allow remote access to your systems. Not only can you control the connection points available to such an insider, but you can monitor how and when they access your systems. It could be a red flag if an employee, who rarely works outside of your main office, has a significant increase in their log-in activity from their home or other locations, or you notice logins during off hours.
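The monitoring described above can be sketched as a short script that compares each user's recent logins with their own earlier pattern. This is an added example, not code from the Finra report or the author; the record format, the 8:00 to 18:00 weekday business hours and the 30-point rise threshold are assumptions, and the login records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (user, timestamp, source). The "office"/"remote"
# source label is an assumption; real logs would derive it from VPN or IP data.
LOGINS = [
    ("alice", "2024-03-04T09:02", "office"),
    ("alice", "2024-03-05T08:55", "office"),
    ("alice", "2024-03-06T09:10", "office"),
    ("alice", "2024-03-07T09:01", "remote"),
    ("bob",   "2024-03-04T08:30", "office"),
    ("bob",   "2024-03-05T08:41", "office"),
    ("bob",   "2024-03-06T08:35", "office"),
    ("alice", "2024-03-11T09:05", "office"),
    ("alice", "2024-03-12T09:00", "remote"),
    ("bob",   "2024-03-11T08:33", "remote"),
    ("bob",   "2024-03-12T23:47", "remote"),
    ("bob",   "2024-03-16T14:20", "remote"),
]

def review_logins(records, cutoff, min_rise=0.30, open_hour=8, close_hour=18):
    """Return {user: [flags]} for logins on or after `cutoff`, using earlier
    logins as each user's baseline. Thresholds are illustrative assumptions."""
    cutoff = datetime.fromisoformat(cutoff)
    counts = defaultdict(lambda: {"base": [0, 0], "recent": [0, 0]})  # [total, remote]
    flags = defaultdict(list)
    for user, stamp, source in records:
        ts = datetime.fromisoformat(stamp)
        period = "recent" if ts >= cutoff else "base"
        counts[user][period][0] += 1
        counts[user][period][1] += source == "remote"
        # Off-hours: weekend, or outside the assumed business day.
        if period == "recent" and (ts.weekday() >= 5 or not open_hour <= ts.hour < close_hour):
            flags[user].append(f"off-hours login {stamp} ({source})")
    for user, c in counts.items():
        (b_total, b_remote), (r_total, r_remote) = c["base"], c["recent"]
        if r_total == 0:
            continue
        # A user with no history has a baseline remote share of zero.
        base_share = b_remote / b_total if b_total else 0.0
        rise = r_remote / r_total - base_share
        if rise >= min_rise:
            flags[user].append(f"remote share rose {base_share:.0%} -> {r_remote / r_total:.0%}")
    return dict(flags)

if __name__ == "__main__":
    for user, items in review_logins(LOGINS, "2024-03-11").items():
        print(user, items)
```

Because each user is measured against their own history, a staff member who regularly works from home is not flagged for doing so, while an office-only user who starts logging in remotely is.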
Third, evaluate anyone who isn’t a “regular” employee of your firm but has permissioned access to your systems and data. This could be a consultant, IT support, outsourced service company, or any third-party provider hired to help support your business.
These types of insiders can be challenging to manage from a threat perspective because of the potential unknown variables. For example, how does your IT support company make sure that their employees do not compromise your firm’s private information? Bottom line, you need to ask these questions to minimize your risk of an insider threat from one of these types of business relationships.
Finally, perhaps the most dangerous insider threat of all is an attack that is not seen as malicious at all. That is, the employee’s permission rights have been hacked and the hacker is now using your employee’s credentials, accessing your systems just like your employee, but is instead causing harm to your company. In this situation, time is of the essence. One vaccine against this type of threat is to require frequent password changes.
These steps should help reduce your overall exposure risk and help you hasten steps to correct a problem. For example, often the first question when an employee’s permission rights are compromised is: What did they have access to? If you have specifically controlled their access credentials, then you will have a better response to the potential risk areas.
Unfortunately, preventing insider threats, whether intentional or not, is a necessary requirement in today’s technology environment. It may feel like a constant uphill battle, but every step is worth the effort.
Dan Skiles is the president of Shareholders Service Group in San Diego. He can be reached at firstname.lastname@example.org.