This is part two of a two-part series examining the lessons that emerged from the Cash App breach. Part one is "Cash App breach demonstrates threat posed by past and present employees."
The recent news that Cash App’s investing unit fell victim to an insider attack did not only affect the customers of that financial application. It also served as a reminder of how increasing employee departures (due to layoffs or “Great Resignation” departures) can impact financial firms and their customers.
Last week a Securities and Exchange Commission (SEC) filing emerged that revealed a former Cash App investing employee exposed customer data from 8 million accounts in December.
“This type of breach occurs more widely than most people may realize and is a textbook example of why the rapid removal of privileged access during employee terminations is an essential hallmark of strong cybersecurity programs,” said Andrew Moyad, CEO of Shared Assessments.
One of the most common findings in service organization controls (SOC) reports over the last decade has been the absence of timely revocations during employee termination. As Moyad said, “Block, Inc. (Cash App’s parent) is not alone here.”
“Sadly, with so much industry focus on investments in technology solutions to fend off” malware, ransomware, and other external attack vectors, “we often overlook the insider threat and the risk from human factors as a predominant cause of security breaches,” Moyad said.
Compounding this fact is that financial services is among the most targeted sectors by cybercriminals. This leads to increasing burdens for security teams across the sector, particularly as many organizations transition to digital services to meet customer demand.
Hence, insider attacks stand as “a stark reminder that network hardening also needs more focus on the inside of an organization, not just against outside threats,” says Moyad. “Large or small, no organization is immune to this type of risk, and this is one of the most common... security challenges for any organization.”
Ensuring that all employee access is removed in a timely manner at the end of employment is rarely an easy task. According to research from Okta, the average business has dozens of individual applications deployed and larger organizations usually have hundreds.
Josh Yavor, CISO for Tessian, said that the payments industry is far more “mature and highly regulated” than other counterparts. “Generally speaking, payments providers are more likely to be effectively managing this class of risk compared to organizations in other markets,” he added.
That said, no controls are ever perfect and some level of risk always exists. This may be compounded among finance organizations that see rapid transition to digital services, amid increased targeting by bad actors. Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, pointed out that the data breach incident that Block disclosed about a former employee who downloaded highly sensitive customer information accentuates the threat posed by the 'inside job.'
“We often focus on threat actors working on the outside of our perimeters trying to get into the enterprise environment and thereby compromise data,” said Shadabi. “But people on the inside have a leg up because usually they have some access to the internal network environment and IT resources.”