Protect Your Organization’s Data. And Its Bottom Line

by Mike McKee

Protecting data means adopting a proactive approach to training and implementing the right technology to keep the organization’s assets safe.

As businesses continue to evolve to maintain competitive advantage, meet customer needs, and hire and retain top talent, it is more important than ever for them to protect their intellectual property, financial data and the personal information of their customers and employees. Because a range of people have access to the organization’s systems and data, from full-time employees to privileged users to trusted third parties, the organization must protect that data against misuse by the people who are authorized to reach it, not only against outsiders. The best way to do so is to adopt a proactive approach to training and to implement the right technology to keep the organization’s assets safe.
A recent study from The Ponemon Institute shows the average annual cost of insider threats is now $8.76 million. However, in the same study, 34 percent of respondents reported that a lack of budget was a major barrier to effective threat management. And, the 20th annual EY Global Information Security Survey (GISS) found that 87 percent of organizations say they require up to fifty percent more funding to protect their organization from insider threats.
Insider threats can impact a firm’s bottom line and can have far-reaching effects in terms of reputational damage – if the organization isn’t prepared. A proactive approach to insider threats can save organizations millions of dollars and significantly reduce the resources required to investigate incidents.
So, how can financial executives plan ahead to create an effective and proactive cybersecurity strategy that will ensure they can leverage data effectively and securely while reducing the potential impact of insider threats? Here are a few strategies they can implement:
1. Get Real About Insider Threats
Many companies don’t realize how common insider threats are and, as a result, they do not allocate budget to prepare for and prevent these scenarios. Since 2016, the average number of incidents involving employee or contractor negligence has increased by 26 percent, and by 53 percent for criminal and malicious insiders. There is a large discrepancy between the potential costs of insider threats and the money that is being set aside to manage and prevent these incidents from occurring in the first place. When organizations build their cybersecurity budgets, it is important to keep insider threats in mind.
2. Understand Your Threat Profile—Down to the Numbers
It’s common for businesses to build a cybersecurity budget without doing any serious introspection on what types of threats they are most likely to be hit with. Research from IBM found that 60 percent of all cyberattacks are carried out by insiders. If an organization is fielding insider threats 60 percent of the time and outsider threats the rest, its budget should reflect a similar breakdown rather than going almost entirely to perimeter defenses. The split should be weighted by what each type of incident costs, not only by how often it occurs: a single malicious insider exfiltrating intellectual property can outweigh a large number of negligence incidents.
There are a few ways to calculate the amount of budget that should be allocated to various threat types. The first is to research security trends, both globally and within your organization’s industry or sector. The second is to look at the organization’s own history. While security threats are constantly evolving and difficult to predict, reviewing past incidents can provide valuable insight into potential vulnerabilities; for example, where possible, examine the inroads attackers have chosen in the past. Ideally, organizations should take both external trend data and their own incident history into account when building out their cybersecurity budgets.
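The following script is an added example and is not code from the article or from ObserveIT. It carries the "down to the numbers" idea through: given an incident register, it computes the insider-versus-outsider budget split two ways, by incident count and by observed loss, so the difference the section describes is visible. The register, category names and dollar figures are constructed for illustration and are not drawn from the Ponemon, EY or IBM studies cited above.

```python
"""Derive a budget split across threat types from an incident register.

Added example (not the article's own code). The incident register and
category names below are constructed; the figures are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One row of an incident register: who caused it and what it cost."""
    category: str         # "negligence", "malicious_insider", "credential_theft", "outsider"
    direct_cost: float    # investigation, escalation, containment, remediation
    indirect_cost: float  # regulatory, legal and reputational costs (often larger)

    @property
    def total_cost(self) -> float:
        return self.direct_cost + self.indirect_cost


# Constructed one-year register (hypothetical figures, for illustration only).
SAMPLE_REGISTER = [
    Incident("negligence", 12_000, 3_000),           # misdirected e-mail
    Incident("negligence", 8_000, 0),                # shared credentials, caught early
    Incident("negligence", 15_000, 40_000),          # lost laptop, notification costs
    Incident("malicious_insider", 90_000, 400_000),  # IP exfiltration before resignation
    Incident("outsider", 30_000, 20_000),            # phishing-led account compromise
    Incident("outsider", 25_000, 0),                 # web application probe, contained
]

# Categories the article treats as insider threats (assumed grouping).
INSIDER_CATEGORIES = {"negligence", "malicious_insider", "credential_theft"}


def split_by_frequency(register):
    """Share of budget per category, proportional to incident *count*."""
    counts = defaultdict(int)
    for inc in register:
        counts[inc.category] += 1
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()}


def split_by_expected_loss(register):
    """Share of budget per category, proportional to observed *loss*."""
    losses = defaultdict(float)
    for inc in register:
        losses[inc.category] += inc.total_cost
    total = sum(losses.values())
    return {cat: loss / total for cat, loss in losses.items()}


def insider_share(split):
    """Fraction of the split that lands on insider categories."""
    return sum(frac for cat, frac in split.items() if cat in INSIDER_CATEGORIES)


def allocate(total_budget, split):
    """Turn a fractional split into dollar figures per category."""
    return {cat: round(total_budget * frac, 2) for cat, frac in split.items()}


if __name__ == "__main__":
    budget = 1_000_000  # hypothetical annual security budget
    for name, split in (("by frequency", split_by_frequency(SAMPLE_REGISTER)),
                        ("by expected loss", split_by_expected_loss(SAMPLE_REGISTER))):
        print(f"{name}: insider share {insider_share(split):.0%}")
        for cat, dollars in sorted(allocate(budget, split).items()):
            print(f"  {cat:<18} ${dollars:>12,.2f}")
```

On the constructed register the frequency-based split puts about two thirds of the budget on insider categories, while the loss-weighted split puts close to 90 percent there, almost all of it on the single malicious-insider incident. That gap is the reason to weight by cost rather than count when the numbers are available.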
3. Study What Effective Insider Threat Tools Look Like
Many cybersecurity tools on the market claim that they can help organizations manage insider threats, but this is often not the case.
  1. Privileged Access Management (PAM): While PAM is valuable for keeping an eye on the employees with access to the organization’s most critical systems, it covers only those privileged accounts and leaves the rest of the employee base, a prime avenue for information loss, unmonitored.
  2. User Activity Monitoring (UAM): Monitoring activity is important, but without the proper alerts and playback capabilities, organizations don’t have the information to address and mitigate risky behavior.
  3. User Behavior Analytics (UBA): UBA systems can be helpful for detecting anomalous behavior but they’re not enough for detecting true insider threats and malicious leakage, which requires context around non-IT data (personal information, travel records, etc.).
  4. Data Loss Prevention (DLP): While DLP can help organizations achieve compliance, it requires significant upfront and ongoing data classification to be effective, and because it only acts on data it recognizes and channels it inspects, it is easy to bypass and often fails to detect threats in real time.
4. Understand Security Cost Centers
What exactly should go into a cybersecurity budget, particularly to prevent and contain insider threats? The Ponemon Institute’s Cost of Insider Threats report contains an example activity cost center across three different types of incidents: Employee or contractor negligence; criminal/malicious insider; and credential theft.
To decrease liability in the event of these types of threats, a budget should address monitoring and surveillance, insider threat investigation, escalation, incident response and containment. Further, for after events happen, organizations need to ensure they’re set up for post-event response and remediation.
5. Account for Extraneous/Unexpected Costs
Unfortunately, failing to budget properly for detection, investigation and remediation can be extremely costly for an organization in the long run. Many of the costs incurred in the wake of an insider threat incident fall outside the immediate incident-related cost centers. For example, the European Union’s General Data Protection Regulation (GDPR) gives regulators the authority to fine organizations up to 2 percent of global annual turnover (or €10 million, whichever is higher) for failures such as inadequate security of processing or late breach notification, and up to 4 percent (or €20 million) for the most serious violations, including failing to comply with a supervisory authority’s orders after an incident.
How to Accurately Budget For Any Type of Threat
The time is now to take proactive action before a costly incident takes place. Being equipped with the right information can help you make the right insider threat management investment to protect your organization’s data, systems and employees while maintaining your competitive advantage. With the right people, processes and technology, you’ll be prepared to prevent many insider incidents and to limit the damage of those that still occur.
Mike McKee is the CEO of ObserveIT.