A new report shows that the scale of the data-access problem created for financial services by the COVID-driven shift to remote working can only be solved by automation.
Data security company Varonis analysed a dataset of 4 billion files across 56 financial services providers. It found that every new employee had immediate access to an average of 10 million files, a figure closer to 20 million in large companies. This is a security problem in itself – but it is exacerbated by the abrupt and forced transition to home working brought on by the pandemic lockdowns around the world. All companies – not just financial services providers – had to move to the cloud without proper training.
Going remote without adequate security controls, Varonis warns in its latest financial services research, exponentially increases the risk of insider threats, malware and ransomware attacks, and exposes companies to potential regulatory violations under SOX, GDPR and PCI.
A detailed analysis of the files accessible to employees working remotely or from home shows that up to 20% of all files containing confidential employee and customer data are open to those home workers, who can view, copy, move and modify the data without restriction. On average, Varonis finds that in every financial services organization about 20,000 files per terabyte of stored data are open to every employee.
According to Varonis, IT staff need about six to eight hours per file to manually find and remove the global access. At that rate it would take years to remediate this access by hand, which is inconceivable and unworkable without automation.
The current extent of global access poses a number of threats to financial services providers. A successful phishing attack on a single employee can lead to a wider business compromise. According to IBM's Cost of a Data Breach Report 2020, the average time to detect and contain a breach – the breach lifecycle – was 280 days. This, warns Varonis, gives adversaries ample time to seriously damage reputation, revenue and customer confidence.
Ransomware, of course, is a major threat. In October 2020, a G7 advisory warned that the threat was growing and that state actors could be involved. The financial services industry has become an attractive target for ransomware attacks, the G7 warned, and financial institutions have reported an increase in the sophistication of malicious cyber attacks in recent months. Some notable ransomware strains have been linked to groups with ties to state structures.
The growing number of double-extortion cases is not the only compliance risk facing the financial services sector. The Varonis survey found that more than 64% of companies have more than 1,000 confidential files open to every employee. This exposes them to the risk of non-compliance with regulations such as the EU General Data Protection Regulation (GDPR), the Sarbanes-Oxley Act (SOX) and the California Consumer Privacy Act (CCPA) – all of which require strict control over confidential information. Violations can be punished with imprisonment and (in the case of GDPR) fines of up to EUR 20 million.
These threats are exacerbated by a widespread, but rarely remedied, habit of poor password hygiene. Varonis found that 59% of financial services providers have more than 500 passwords that never expire, and 71% have records containing unresolved SIDs. Identifying these weaknesses takes time and collaboration between internal teams – and here again, automation is the best way to do it.
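Both kinds of weakness can be surfaced automatically. As an added example (not code from the Varonis report or this article), the following read-only PowerShell audit lists folders on a share that grant access to company-wide principals, ACL entries that still hold orphaned SIDs, and enabled accounts whose passwords never expire; the share path and report file name are placeholders.

```powershell
# Added example, not code from Varonis or SecurityWeek: a read-only audit of the
# findings discussed above. Assumes RSAT's ActiveDirectory module and read access
# to the share; $SharePath is a placeholder, not a real path.
param(
    [string]$SharePath = '\\FILESERVER\Finance',  # placeholder share to audit
    [string]$Report    = '.\access-audit.csv'
)
# Principals that amount to "everyone in the company". An Allow ACE for any of
# them makes the folder (and, by inheritance, its files) a global-access exposure.
$GlobalPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)
$findings = [System.Collections.Generic.List[object]]::new()
# 1. Walk the folder tree. Scanning folders rather than every file keeps the run
#    tractable, and remediation happens at the folder where the ACE lives.
Get-ChildItem -Path $SharePath -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        foreach ($ace in (Get-Acl -Path $folder -ErrorAction SilentlyContinue).Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $GlobalPrincipals -contains $id) {
                $findings.Add([pscustomobject]@{
                    Finding = 'GlobalAccess'; Object = $folder
                    Detail  = "$id : $($ace.FileSystemRights)"; Inherited = $ace.IsInherited
                })
            } elseif ($id -like 'S-1-5-21-*') {
                # An identity that cannot be resolved to a name is listed as a raw SID:
                # an orphaned account that still holds rights on the folder.
                $findings.Add([pscustomobject]@{
                    Finding = 'UnresolvedSID'; Object = $folder
                    Detail  = $id; Inherited = $ace.IsInherited
                })
            }
        }
    }
# 2. Enabled accounts whose passwords never expire.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Finding = 'PasswordNeverExpires'; Object = $_.SamAccountName
            Detail  = "PasswordLastSet=$($_.PasswordLastSet)"; Inherited = $false
        })
    }
$findings | Export-Csv -Path $Report -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count   # count per finding type
```

The CSV gives the folder-by-folder list a remediation team needs; the summary at the end is the metric to track over time.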
The stakes for financial services are high. It is one of the most targeted sectors, by both financial criminals and nation-state agencies, while its data breach costs are among the highest, averaging $5.8 million. With financial services going remote via Office 365, Varonis warns in its report (PDF) that having controls in place to ensure oversight and management of the increased risk is a priority. Demonstrating compliance can be challenging in this environment, and clear audit trails and reporting mechanisms are needed.
Kevin Townsend is Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security and has published many thousands of articles in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.