Rising security risks in the banking sector and how to reduce your exposure

Mike Arrowsmith, Chief Trust Officer, NinjaOne

IT infrastructure and operations personnel (I&O) are fundamental to the smooth running of any financial institution. These teams manage everything from devices, servers, processes and networking, to storage, data, software, security and cloud-based services. Yet as businesses have transitioned from on-premise to remote and hybrid working practises, pressure has mounted, cybersecurity risks have been escalating, and many organisations have found it difficult to serve internal customers’ needs while still maintaining a firm grip on security. Delivering business strategy, accomplishing goals and protecting the business from the rising threat of security breaches are difficult objectives to reconcile

With device proliferation and a widely dispersed workforce, there comes the need for collaboration at a distance. Disparate SaaS applications, multi-cloud environments and a mix of company and personal devices are leaving the door open for attack. A decentralised approach to IT management just cannot keep up with the demands of a modern organisation.

To evaluate the extent of the threat, we surveyed 200 employees working in the finance and insurance industry. In the study, carried out in December 2021, we asked about attitudes to working from home, experiences with hybrid working models and the measures employers have implemented.

Device management and control issues

We found that only half of those surveyed were provided with company devices when working remotely. The other half were either asked to use personal devices for remote work (24%) or given the option to use either personal devices or devices provided by the company (26%).

This presents a significant security threat. When combined with the finding that more than one in four (26.5%) were also using unapproved software for work, and a similar percentage were using unapproved communication channels, a fundamental mindset shift is needed before it’s too late.

According to PurpleSec in their recent cyber security trends report, which surveyed 1,100 IT professionals, 90% had clients that have suffered ransomware attacks in the past year. The same report suggests that an organisation will fall victim to ransomware every 11 seconds.

This combination of device freedom and rising threat levels is creating a perfect storm, and many companies are showing security weaknesses in the management of mobile IT and new communication channels. NinjaOne’s study also shows that more than 30% of employees are responsible for managing communication channels, updates, IT security and bug fixes themselves or don’t know who to contact for this.

Hybrid working is here to stay

The lack of security education and support for remote workers wouldn’t be such a big issue if many employees were office based. However, none of our respondents told us that they work the classic five days each week in the office. What’s more, over 30% of respondents are working remotely every day. Another 30% are only in the office one or two days a week.

The overriding sentiment is that employees are happy with current hybrid and remote working arrangements. Just one in ten would prefer to return to five days in the office every week. More than a quarter (26.5% each) of respondents see working remotely five days a week as their preferred way to work, with the rest preferring a hybrid approach.

Security concerns aside, there are tangible performance benefits to a hybrid workforce. More than half the respondents told us they are more productive now, while only one in five feel they are less productive. So, once security issues are addressed, businesses will enjoy the financial benefits of a hybrid workforce while reducing risk.

Some security highlights, though more needs to be done

Despite some inertia, there has been a move towards improved data privacy and security policies to support hybrid work, though more has to be done. The most frequently cited measure was the implementation of new identity management software, such as multi-factor authentication, which was used by 43.5% of companies in the financial sector. The introduction of new security software and improving collaboration between IT and the rest of the company were also at the top of the agenda for around a third of the companies surveyed.

And more than four in every five companies have taken at least one measure to arm themselves against the growing threats. Nevertheless, there is still significant room for improvement. Individual measures all too often prove insufficient in practice, and it is advisable to combine several security concepts to create a unified approach.

It’s also vital to keep on top of compliance requirements and data protection directives like UK-GDPR. Even though there are proposed changes to Article 22 of the UK’s GDPR implementation, data sharing between the UK and the EU could be jeopardised if the UK strays too far from GDPR. As a result, regulations are unlikely to alter.

Security training has taken a back seat

However, many security measures are of little use if employees are not trained accordingly. More than 37% of financial services employees stated that they had either never received security training or that the last training had taken place more than six months ago.

Those who are not sufficiently trained in security issues can easily become a security risk. The human factor should not be neglected, because even without malicious intent, gaps are created by mistakes, carelessness and ignorance. Regular security training is one of the most effective security measures that you can implement.

Creating a secure future

As we progress through 2022 and businesses prepare for the future of work, it’s crucial to take action and ensure a secure future for your business. You can begin by arranging an IT security audit, asking your IT leadership team:

• To what extent have we invested in home-based IT to support hybrid work?
• Do we provide devices to all personnel when they work remotely?
• Does the IT department manage all communication channels used for work purposes?
• Does the IT department centrally manage all updates to software and devices?
• Does the company provide guidelines for data privacy and security?
• When was the last security training session?
• Which topics are covered in security training?

When charting a path towards tighter security protocols and a centralised approach to device management, it’s also worth considering a unified IT operations platform. This combines IT asset management, endpoint monitoring, patch management, backups, software deployment, service desk and much more, all in one easy-to-use platform. It will simplify your IT operations, making IT teams more efficient and users more productive, and allowing your business to forge ahead with more robust security procedures and protocols.