Financial firms exposing data through mismanaged access controls - Varonis
Varonis' 2021 Financial Services Data Risk Report estimates that the financial services industry stands to feel the heaviest financial losses from data breaches, estimated to be around US$5.85 million per breach.
The report, which analysed four billion files across 56 financial services organisations, found that, on average, employees have access to almost 11 million files - and in larger firms, this number can almost double to 20 million.
Access issues become more apparent as research delves further into the enterprise - almost two-thirds of the analysed firms leave more than 1000 sensitive files open for every employee to access.
“This puts them at risk of non-compliance with regulations like the EU General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX) and California Consumer Privacy Act (CCPA) — which all require strict controls on sensitive information. Violators could face prison and (in the case of GDPR) up to €20 million or 4% of global revenues in fines,” the report notes.
Organisations also leave 20,000 exposed folders per terabyte of data. Varonis says that IT professionals typically take 6-8 hours to find a folder and manually lock it down, which means it could take up to 15 years to fix every folder - that that's assuming no new folders are made, and the IT team never sleeps.
The report directs some of the blame to the pandemic this year due to organisations' quick shift to work-from-home policies, without putting the proper cybersecurity groundwork down first.
“The abrupt nature of this transition forced many companies to step into the cloud without proper cybersecurity preparedness, inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers. The risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee,” the report says.
The report also found that 41% of companies have fewer than 500 passwords that have no expiry date, however, 31% have between 500-1500, and 21% have more than 1500.
It's a similar story for ‘ghost users' - active, but stale accounts. 35% have fewer than 1000 ghost users, however, 25% have between 1000-10,000 and 39% have more than 10,000 ghost users.
“These, along with stale user account groups and privileged users with passwords that never expire, give hackers a window through which they can steal data or cause disruption without being detected, ” the report states.
According to an IBM Cost of a Data Breach report, financial services take an average of 233 days to detect and contain a data breach, meaning that the industry average resolution time is eight months.
The report suggests that there must be safeguards to enforce controls and manage increased risk. Clear audit trails and reporting mechanisms are essential for compliance.