
Financial firms exposing data through mismanaged access controls - Varonis

20 Nov 2020

Varonis’ 2021 Financial Services Data Risk Report estimates that the financial services industry stands to feel the heaviest financial losses from data breaches, at around US$5.85 million per breach.

The report, which analysed four billion files across 56 financial services organisations, found that, on average, employees have access to almost 11 million files - and in larger firms, this number can almost double to 20 million.

Access issues become more apparent as research delves further into the enterprise - almost two-thirds of the analysed firms leave more than 1000 sensitive files open for every employee to access.

“This puts them at risk of non-compliance with regulations like the EU General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX) and California Consumer Privacy Act (CCPA) — which all require strict controls on sensitive information. Violators could face prison and (in the case of GDPR) up to €20 million or 4% of global revenues in fines,” the report notes.

Organisations also leave 20,000 exposed folders per terabyte of data. Varonis says that IT professionals typically take 6-8 hours to find a folder and manually lock it down, which means it could take up to 15 years to fix every folder - and that’s assuming no new folders are made and the IT team never sleeps.

The report directs some of the blame to the pandemic this year due to organisations’ quick shift to work-from-home policies, without putting the proper cybersecurity groundwork down first.

“The abrupt nature of this transition forced many companies to step into the cloud without proper cybersecurity preparedness, inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers. The risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee,” the report says.

The report also found that 41% of companies have fewer than 500 passwords with no expiry date; however, 31% have between 500 and 1500, and 21% have more than 1500.

It’s a similar story for ‘ghost users’: accounts that are active but stale. 35% of companies have fewer than 1000 ghost users; however, 25% have between 1000 and 10,000, and 39% have more than 10,000.

“These, along with stale user account groups and privileged users with passwords that never expire, give hackers a window through which they can steal data or cause disruption without being detected,” the report states.

According to an IBM Cost of a Data Breach report, financial services take an average of 233 days to detect and contain a data breach, meaning that the industry average resolution time is eight months.

The report suggests that there must be safeguards to enforce controls and manage increased risk. Clear audit trails and reporting mechanisms are essential for compliance.
