Financial Conduct Authority (FCA) and Insider Threats – All You Need to Know

Is your firm capable of defending itself against cyber-attacks?

Cyber-attacks are increasing in number, scale and aggression. Even a small attack can have devastating results for a financial services firm. Here at Compex-IT, cyber security sits at the heart of what we do, so if your business needs additional security measures, you’re in the right place.

FCA and Insider Threats

In response to the ever-evolving challenges faced by the financial sector, the Financial Conduct Authority has brought multiple financial services firms together to work collaboratively on improving cyber security and operational resilience.

Since 2017, these Cyber Coordination Groups (CCGs) have been helping firms protect themselves against threats by sharing knowledge, findings and good practice.

In the latest publication, one of the four key insights concerned the challenge of remote working and changed ways of working. This has created challenges around ransomware, supply chain security and insider threats.

What’s an Insider Threat?

An insider threat is a threat to a business that comes from somebody within the organisation, such as employees, former employees, contractors or business associates, many of whom have access to inside information about the organisation’s security practices, data and computer systems. As the categories below show, the insider may act maliciously or simply carelessly.

The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

What are the 3 Categories of Insider Threats?

  • Malicious insiders: people who deliberately take advantage of their access to inflict harm on an organisation
  • Negligent insiders: people who make errors or disregard policies, placing their organisation at risk
  • Infiltrators: external actors who obtain legitimate access credentials without authorisation and then operate as if they were insiders

What’s The Challenge?

Insider threats remain a large challenge for firms, especially across an ever-expanding security perimeter that includes suppliers, partner organisations and other third and fourth parties. This includes both malicious and accidental insider threats.

CCG members identified that one of the greatest insider threats comes from current employees with privileged access, and from former employees who retain access privileges after leaving. Either could allow systems to be accessed remotely, often without anyone noticing.

Current employees also frequently expose their companies to additional risk through insider negligence, for example by not noticing the warning signs of a phishing email, a dangerous attachment or a spoofed webpage.

CCG members also recognised that in response to enabling homeworking, insider threats have become harder to monitor. This is true of both malicious and accidental insider threats. Procedures, policies and other (digital and physical) control measures may not fully cater for this change.

What Can You Do to Prevent and Minimise Attacks?

You need an insider threat strategy.

At Compex, we highlight 4 key areas to our clients:

  • Ongoing Education

Training your team is at the core of avoiding negligent insider attacks. Cyber security training isn’t a one-off thing. Cyber-attacks are becoming increasingly sophisticated. Criminals will take advantage of any situation; be it the global pandemic, a change in legislation, or simply a new tax year.

  • Tailored Multi-layered Security

Of course, you need security software. You’re being trusted with the private data of your clients and employees, so it’s essential to give that data the protection it really needs. We strongly suggest you look into multi-layered security too: different controls that work together, so that if one layer is bypassed another still catches the attack, give a far higher level of protection than any single product.

We also suggest you implement multi-factor authentication across your apps, so that a login requires a code or approval from a separate device as well as the password. A stolen or guessed password alone is then not enough to get in.

  • Restricted Access

Do you know who has access to which files within your business? Can everyone access everything, or are your files accessible only by those who really need them? The more people who have access to a file, the more likely it is to be exposed. Restrict file access to those who need it. Make sure files are always encrypted, and consider password protection for the most sensitive files. Don’t forget the external partners who may have access to your data; their access needs reviewing just as regularly.

  • Business Exit Protocol

What’s your protocol for leavers? We know that some insider threats are malicious. It’s sad, but true. And a percentage of these malicious attacks are carried out by disgruntled employees who will soon be leaving the business.

If you don’t have one, create one, now.

You need to ensure that anyone leaving the business:

  • Has all account access revoked, including remote access and any externally hosted apps they used for work
  • Can no longer retrieve company files, especially if they have previously accessed them on their personal devices
  • Returns any company-owned devices

Communication is Key

We all know that good communication is key when it comes to running a successful business. It’s likely you already communicate well with your employees, and this should be no different when it comes to security.

Please remember that not everybody is technology minded. It’s important that you tell everyone why you do things the way you do them, and remind them regularly.

Without clear communication, you may find situations like the following becoming a regular occurrence:

  • If someone doesn’t realise that files are restricted and password protected for security reasons, they might give the password to another employee to make information sharing easier.
  • If an employee doesn’t know the reason for using multi-factor authentication or a password manager, they may work around them, creating a security risk for the business.
  • An employee may forget a password and be tempted to quickly write it down in a notebook or on their phone.
  • If access controls allow it, an employee may change a password to something more memorable, without thinking about the dangers.
  • Employees may discuss passwords and sensitive information where others can overhear.

Clear communication across the whole company is a really important step in keeping your business and its data safe and secure. If people know what to do but don’t understand why they’re doing it, that’s a security risk.

If your cybersecurity is causing you concern, or if you’re in need of some advice then give us a call. We’ll consult with you on your current situation, where you need to be, and the right options for your business.