Financial services data volumes heighten risk of insider breach

The average employee of a financial services firm has unrestricted freedom to view, copy, move and change data contained in 10 million files, while 64% of financial organisations have more than 1,000 sensitive files open to every employee, in a concerning indictment of the state of insider threat preparedness in the sector.

This is one of a number of key findings contained in a newly published report compiled for Varonis, which also found security gaps around non-expiring passwords, found at 59% of organisations, and stale data reservoirs.

In the 2021 Financial services data risk report, Varonis said the financial services industry’s rapid transition to remote working at the onset of the Covid-19 pandemic had increased the risk of insider breach, with many organisations having mobilised remote workers in double time without locking down exposed data to mitigate the risk of remote logons.

This “exponentially” increases the risk posed not just by insiders, but from malware and ransomware attacks, and is leaving the financial services industry exposed to non-compliance actions under data protection regulations, such as the General Data Protection Regulation (GDPR).

“Financial services finds itself in the strange situation of being one of the most improved in terms of security maturity, but still at incredibly high risk comparatively,” wrote the report’s authors. “It remains one of the most targeted industries by malicious attacks, due in large part to the sensitive data it collects from its customers. The average cost of a data breach is among the highest of any industry, at $5.85m.”

The report revealed that the average financial services worker has access to 13% of their employers’ total files. The number of exposed files rises as company size increases, with the very largest banking organisations having over 20 million accessible files, said Varonis.

So large are the volumes of data held that it is virtually impossible to fix things manually. On the basis that about 2% of exposed folders contain personally identifiable information (PII) and the average terabyte of storage contains 1.3 million files, with 20,000 folders per terabyte exposed to everybody, it would take a cyber security pro six to eight hours per folder to locate and manually fix global access rights.

The upshot of this is that relying purely on human effort, it could take years to remediate manually, and even longer if the security pros want to sleep, eat or use the bathroom – a clear argument for introducing some degree of automation.

Varonis also found that 21.4% of financial services organisations have over 1,500 passwords that did not expire, and 39.3% have more than 10,000 “stale” user accounts, giving malicious actors even more ways to compromise financial data without being detected.

“In 2020, financial services boasts the lowest average time to identify and contain a data breach – but remote work has the potential to significantly increase response time,” it said. “The longer incident response takes, the higher the cost of the data breach is likely to be. The importance of complete visibility into network environments and fully deployed security automation cannot be overstated.

“As financial services take to remote work via [Microsoft] Office 365, having guardrails in place to enforce controls and manage the increased risk is taking priority. Proving regulatory compliance in this environment can be tricky, so clear audit trails and reporting mechanisms are must-haves.”