With more than two decades of experience leading technology and information security teams at major blue-chip U.S. financial firms, including Morgan Stanley and Goldman Sachs, David Reilly understands the importance of evaluating and mitigating insider security threats within banks and investment firms.
“Insider threats are a challenge across industries, not only for financial services. The attack surface for insider threats has increased over the past few years,” said Reilly, who joined the boards of Safe Security and online banking fast-mover Ally Bank this month.
For example, system administrators and database administrators with privileged system access to critical information “undertake activities every day that need to be closely monitored,” he said. “That extends to third-party vendors with access to critical networks. All are adding to the risk landscape.”
Most recently, Reilly served for roughly a decade as CTO and later CIO of global banking and markets at Bank of America, stepping away from that role in October 2021. He said he is aware that the huge and rapid shifts in working arrangements at financial firms over the past two years have greatly affected insider risk.
“With remote work, the threat profile has further changed,” he added, “and is driving the need for security and risk practitioners to look at quantifying the risk posed by each employee, third-party, and application access to ensure that data is protected from all aspects.”
It’s commonly understood at this point that insider-driven network compromises are typically far more damaging and costly than those in which employees are not involved. According to the 2022 Ponemon "Cost of Insider Threats Global Report," cyber incidents that originate with malicious, negligent or compromised corporate employees have increased 44% in the past two years. The cost of breaches caused by insiders has risen by more than one-third over previous years, to $15.38 million. The time to contain an insider breach also increased, from 77 days to 85 days, making containment the largest single cost for organizations.
Indeed, even before the pitfalls of insider malfeasance and mistakes were widely known, Bank of America was one of the first top-tier U.S. financial institutions to capture headlines 11 years ago when it was reported that employees at the second largest U.S. bank had run up at least $10 million in losses through a fraud scam.
When “comprehensive risk qualification” is implemented, Reilly said that financial institutions can elicit “actionable insights which the security teams can use to prioritize remediation actions and tailor cybersecurity education for the company.”
Reilly said that globally, “there is an emerging drive to bring consistency to the reporting of cyber risk, [which] will further help set and understand risk tolerance inside an organization. To assess, prioritize, and mitigate cyber risk, including insider threats, consistent quantification and measurement are key.”
While most large, well-established enterprises, especially financial firms, already can boast a set of metrics and practices to assess and set risk tolerance, many have yet to agree on “a standard way to do that across companies and market segments,” Reilly said.
He compared this tracking of potential insider threats to “a chart of accounts and financial statements that allows for a standard language to discuss financial risk — that type of standard is one we lack for cyber risk.
“This is where the right cyber risk quantification and management platform can help, with the right set of consistent metrics to track and report these risks,” he said, “which can help security and business leaders prioritize and communicate cyber risks even more effectively, internally and across industries.”