By Stuart Facey, VP EMEA, Bomgar
Data breaches in financial services are unfortunately nothing new. They are usually high profile, targeting the likes of Wonga, Tesco Bank and Nationwide Building Society, and are typically the result of outside forces. While some place the blame for these breaches on legacy systems’ inability to cope with new forms of cyber attack, or on third-party companies and vendors, the role of the insider is less often considered.
New data from IBM’s X-Force Research found that human error is the biggest vulnerability to the financial services industry. It was found that insider involvement was the cause of 58% of breaches in 2016, with 53% either accidental or non-malicious and 5% a result of malicious intent.
It is clear from this research that not enough is being done to protect financial services against insider data breaches and attacks. Bomgar’s 2017 Secure Access Threat Report also found that one in three (33%) IT professionals believe it is at least fairly likely that former employees still have access to their internal systems and accounts. This leaves a staggering number of businesses open to similar threats if they do not address the issues presented by insiders, and opens the door to sizeable GDPR fines if they are not compliant ahead of the May 2018 deadline.
As such, the dangers that insiders present to the financial services industry, whether they are employees or contractors, should not be underestimated. Contractors, for example, are one of the biggest challenges when it comes to managing employee and insider access. On one hand they can save organisations money and provide flexibility; on the other, by virtue of their function or role they must be granted privileged access to, and rights within, corporate systems. The flexible nature of the contractor role also puts businesses at increased risk, as contractors often have high-level access to internal networks. Contracts can also be terminated at short notice, potentially leaving a hole in an organisation’s security. In fact, nearly a third (28%) of those surveyed considered third parties outsourcing elements of work to sub-contractors to be one of the most significant risks to network security.
The use of legacy systems is also still prevalent and adds another layer of complexity. The financial services industry continues to be plagued with problems caused by legacy systems, leaving it a key target for cyber-attacks because of the apparent ease with which such systems can be infiltrated.
A lack of stringent policies is also a hindrance to keeping systems secure at all times, with just over half (56%) of organisations saying they have a written policy on their intranet, and only around a third (36%) having carried out an external assessment. This inconsistency in maintaining policies is worrying and should be a key concern for all financial services organisations. For example, research by the U.S. CERT Insider Threat Center showed that illegal activity on networks involving insiders typically happened within 30 days of the insider announcing their resignation. It is therefore imperative for employers to develop policies and procedures for both onboarding and offboarding employees that are directed at minimising the risk of data leakage.
Further to this, Verizon found that 63% of data breaches in 2016 involved weak, default or stolen passwords. With this in mind, businesses need to focus on preventing these weaknesses.
There are several core steps that organisations can take to securely manage credentials and control who can access their IT infrastructure:
- First, verify that employees and third-party vendors are who they say they are when requesting access to networks. Once confirmed, centrally manage all privileged accounts using an enterprise password vault so no passwords need to be written down, shared or stored in different places. A central vault also allows for organisations’ security and identity policies to be integrated.
- Next, use a credential injection solution, enabling users to authenticate to, or elevate privileges on, remote devices and systems without ever being shown plaintext credentials and passwords, which are commonly phished. With such a solution, no passwords are ever seen by the user, yet they gain secure, instant access to the systems they need. In conjunction with credential injection, a privileged access or privileged session tool allows organisations to control what people can access and when.
- Finally, ensure that all access sessions are recorded. If a breach occurs, it is immediately traceable to an entry-point and provides a full understanding as to what may have been compromised. With GDPR regulations requiring organisations to quickly notify their relevant regulator, customers and employees who have been impacted by any data breach, auditability is paramount.
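The three steps above, as an added illustration that is not Bomgar's code or any real product: a hypothetical broker that verifies the requesting user, keeps target credentials in a vault, injects them into a session on the user's behalf so the plaintext never reaches the user, enforces a per-user access window, and writes a hash-chained audit record of every decision (names, the PBKDF2 identity check and the `connector` callback are all assumptions).

```python
import hashlib, hmac, json, secrets

class PrivilegedAccessBroker:
    """Hypothetical broker: identity check, credential vault, injection, hash-chained audit."""

    def __init__(self):
        self._users = {}     # user -> (salt, PBKDF2 digest) for the identity-verification step
        self._vault = {}     # target -> (username, password, connector); never handed to callers
        self._policies = {}  # (user, target) -> (start_hour, end_hour) access window, UTC
        self.audit_log = []  # append-only, hash-chained record of every access decision

    def enrol_user(self, user, passphrase):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000))

    def verify_user(self, user, passphrase):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000))

    def store_target_credential(self, target, username, password, connector):
        # connector is the broker's own login routine for the target; users never receive it
        self._vault[target] = (username, password, connector)

    def grant(self, user, target, start_hour, end_hour):
        self._policies[(user, target)] = (start_hour, end_hour)

    def _record(self, **event):
        # each entry carries the previous entry's hash, so deleting or editing one breaks the chain
        event["prev"] = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(event)

    def open_session(self, user, passphrase, target, now):
        """Return (granted, session_id); the target password never leaves the broker."""
        event = dict(ts=now.isoformat(), user=user, target=target)
        if not self.verify_user(user, passphrase):
            self._record(**event, outcome="denied:identity")
            return False, None
        window = self._policies.get((user, target))
        if target not in self._vault or window is None or not window[0] <= now.hour < window[1]:
            self._record(**event, outcome="denied:policy")
            return False, None
        username, password, connector = self._vault[target]
        session_id = secrets.token_hex(8)
        connector(username, password)  # credential injection: the broker logs in on the user's behalf
        self._record(**event, outcome="granted", session=session_id)
        return True, session_id
```

A real deployment would also record the session content itself; here the audit log only captures who asked for what, when, and the outcome.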
In order to protect sensitive data for all of its customers, the financial services industry needs to take a closer look at the insider threats posed by its employees and ensure all steps are being taken to protect data at every touch point. To do this, businesses need to look at employee education as well as implementing a range of ‘best-in-breed’ tools as part of a robust security ecosystem.
While the financial services industry remains one of the biggest targets for hackers, if the above steps are taken to address the threats from within, we should start to see a drastic reduction in the volume of breaches overall. GDPR is a big priority not only for financial services, but for all businesses, and while privileged access and identity management may not be a stand-alone solution for overall security and GDPR compliance, it can address some of the main causes of data breaches.