The payments industry is built on trust, so it’s natural that fintech companies are hyper-focused on protecting their customers’ transactions and PII. Fast-moving fintech companies must take a number of risks into account, and one major risk to the health of the business as a whole has nothing to do with customer data: it targets IP and trade secrets, the “crown jewels” of fintech companies. Insider risk is any user-driven data exposure event — security, compliance or competitive in nature — that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners. Thousands of such events occur daily, stemming from accidental user error, employee negligence or malicious users intending to do harm.
The 2021 Verizon Data Breach Investigations Report shows that almost half of all data breaches in financial services were caused by internal actors — a fraction that has been slowly increasing since 2017. And while this growing insider risk is slowly getting more attention in fintech, most companies are fighting the problem in an outdated way that may ultimately do more damage to their competitive advantage.
Insider Risk Soaring in Flexible, Agile Work Culture
Fintech companies have always prioritized speed and agility to foster cultures of fast-paced collaboration and innovation. Your company’s ability to generate, refine and bring new ideas to market really is your competitive advantage. But that flexibility and agility surged to an entirely new level over the past two years. With the shift to remote, flexible, decentralized work arrangements, your employees have been uploading, downloading, syncing-and-sharing their way through every workday. In the Work-From-Anywhere world, files are constantly on the move — between endpoints, to and from the cloud, on and off the network. This shift has proven a boon to fintech companies: accelerating productivity, collaboration, innovation, speed to market — it’s clear we are never going back to the old way of working.
But these new ways of working are also accelerating insider risk. Research from spring 2021 showed that employees are a whopping 85% more likely to take or leak files and data than they were before the pandemic, and most IT security leaders expect these insider risks to continue to increase over the next two years. To add further fuel to the fire, the so-called Great Resignation is driving more people to look for their next career move — the single greatest risk factor for insider data theft.
What’s At Risk: IP, Trade Secrets, Competitive Advantage
Insider risk typically conjures thoughts of employees colluding with external actors to take, sell and/or use customer account information. But the biggest growth in insider risk has nothing to do with customer data or PII: An Aberdeen Group report showed that 1 in 4 insider data breaches involved intellectual property (IP). Employees are taking source code to fintech apps; leaking go-to-market strategies and sales plans; and bringing sensitive financial information and key investor contact lists to competitors. This is your secret sauce, your crown jewels, the stuff that gives your company its competitive advantage in an intense market.
It’s Not the Bad Apples — It’s The Go-Getters
Insider risk tends to get labeled as either unintentional or malicious. The reality is that it’s almost all intentional — and very little is truly malicious. Roughly half of insider risk to your most valuable data stems from employees just trying to find smarter, faster, better ways of working. These are your most productive, innovative employees, moving valuable files in new ways that end up exposing them to risk. Company policies won’t stop this — and you don’t want to limit employee ingenuity, anyway.
The rest of insider risk is very intentional. But malicious isn’t always the right word; it’s often simply self-interested. The most common scenario is an employee making their next career move, taking files and information that can help them land — and thrive in — their next gig. Sometimes it’s IP they’ve worked on and feel entitled to — other times it’s just opportunistic. And while there’s always been a lot of movement of personnel within the fintech sector — from leadership to developers and coders to salespeople — the Great Resignation and unique labor market of 2021 are accelerating that movement and acutely increasing this insider data risk.
Speed & Agility Shouldn’t Be Pitted Against Data Protection
More and more fintech companies are recognizing increasing insider risk and starting to prioritize insider risk management. The problem is they’re falling into conventional data security paradigms that say protecting data means locking down data movement — an old way of thinking that not only doesn’t work, but also ends up stifling the innovation they’re trying to protect. That’s because conventional data security tools that fintech companies are familiar with — think DLP, CASB, etc. — were built to protect regulated data like transaction information and PII. This structured data is easy to recognize and easy to lock down. But these tools and this blocking approach just don’t work with the files and data that drive innovation in your business. To collaborate and move ideas and information forward, your employees need to be able to move, share, iterate and collaborate on files and data. This is how innovation happens — and this is how your innovation stays fresh and relevant.
The Formula for Managing Insider Risk Without Sacrificing Speed & Agility
Companies in the fast-moving fintech sector simply cannot afford to inhibit collaboration or slow down innovation and speed to market. But the truth is you don’t have to limit employee ingenuity — you just need to see it. The formula for managing insider risk starts with putting data security tools in place that focus on seeing all data movement — not just what you think you should look for; not just what you think is valuable. That broad and deep foundation of visibility gives you the real-time risk signal you need to see when and where your IP really is at risk — and the relevant context you need to investigate and respond quickly, before your IP falls into the wrong hands. This is a new data protection paradigm for our rapidly evolving world of cloud-powered work: It’s not about rigidly blocking insider threats; it’s about intelligently understanding and managing insider risk — so you can fully empower the collaboration, ingenuity and innovation of your people, while securing the value of the work they create.