By Ryan van de Coolwijk, Product Head: Cyber at iTOO Special Risks
In line with regulatory requirements, financial services providers around the world are required to collect, store and process huge amounts of sensitive data relating to their customers as a means of trying to curb and prevent illegal activities such as money laundering and fraud.
A key finding in the Varonis 2021 Data Risk Report is that on average a financial services employee has access to nearly 11 million files the day they walk in the door. For large organisations, the number is double: 20 million files open to all employees. Additionally, nearly two-thirds of companies have 1 000-plus sensitive files open to every employee.
Considering the constant evolution of cyber threats in terms of both sophistication and frequency, the large volumes of data that employees have access to is becoming an increasingly big risk and concern for many organisations.
As a result, many enterprises – not only in financial services but across virtually all industry sectors – are having to look at how some of their traditional cybersecurity controls need to change, especially in light of the advent of hybrid and remote working environments, to remain robust enough in today’s threat landscape.
With remote and hybrid working, large portions of organisations’ employees no longer sit in the traditional network environment, working in the office from eight to five, five days a week and behind a firewall where their devices are very tightly controlled and secured.
Now staff work from home or other public locations, such as coffee shops, often connecting directly to the internet without going through the normal company firewall. This creates many potential security concerns around data compromise, from hacking to theft or loss of a device.
As such, one of the first cybersecurity controls organisations should review to prevent a widespread loss of data in these scenarios is the level of data access granted to staff. Companies should determine whether all staff require as much access as they are given, or whether the data can be segmented to provide more granular access, ensuring that employees have access only to the data they absolutely need.
Secondly, anonymising data would allow people to work with less granular, more statistical data, so that in the event of a breach the data would not be specific to any identifiable individual.
A good strategy is to ensure that access to data is aligned to job responsibilities on an ongoing basis. While it might be a lot easier to give everyone access to everything and not worry about whether they have sufficient access, this does introduce significant security concerns and constraints.
Importantly, organisations should also consider how to control remote access to sensitive data that is in the employees’ possession. The Varonis report cites that about 60% of companies have more than 500 passwords that never expire and nearly 40% have more than 10 000 ghost users.
Management of user accounts and credentials is extremely important, as one of the most common causes of insurance claims is a compromise of user credentials, whether through phishing attacks or simple passwords being cracked. The risk posed by passwords that never expire is that they never change and are likely to become known over time. Ghost user accounts are risky because they may have been created for staff who have since left the company but still have access to them, or because they were set up for malicious purposes.
Hence, if companies do not keep close tabs and controls on the accounts and passwords within their environments, there is a much higher risk of these being used for malicious activity. Adding multi-factor authentication is an effective control to protect against weak passwords, specifically those used by staff working remotely. The benefit is that even if a simple password is cracked, an attacker would still have to guess the required one-time code within the 30 seconds for which it is valid, which is practically impossible.
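The account-hygiene review described in the two paragraphs above can be automated against an export from a directory or identity system. The following is an added example, not code from the article or from Varonis: it runs a small audit over a constructed user inventory and flags the conditions the text names, namely passwords set never to expire, ghost accounts (no recent login, or an owner who has already left), and remote users without multi-factor authentication. The record fields, the 90-day inactivity threshold and the sample accounts are all assumptions.

```python
"""Account-hygiene audit over a constructed user inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    password_expires: bool        # False: password is configured never to expire
    last_login: Optional[date]    # None: the account has never logged in
    employed: bool                # False: HR records show the owner has left
    mfa_enrolled: bool
    remote_user: bool


# Assumed inactivity threshold after which an account counts as a "ghost".
GHOST_AFTER_DAYS = 90

# Finding codes used in the audit output.
NEVER_EXPIRES = "NEVER_EXPIRES"
DEPARTED = "DEPARTED"
GHOST = "GHOST"
NO_MFA = "NO_MFA"


def audit(accounts: List[Account], today: date,
          ghost_after_days: int = GHOST_AFTER_DAYS) -> Dict[str, List[str]]:
    """Return {username: [finding codes]} for every account that needs attention."""
    cutoff = today - timedelta(days=ghost_after_days)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if not acct.password_expires:
            issues.append(NEVER_EXPIRES)
        if not acct.employed:
            # An active account whose owner has left is the classic ghost user.
            issues.append(DEPARTED)
        elif acct.last_login is None or acct.last_login < cutoff:
            # Still employed, but the account has not been used recently (or ever).
            issues.append(GHOST)
        if acct.remote_user and not acct.mfa_enrolled:
            issues.append(NO_MFA)
        if issues:
            findings[acct.username] = issues
    return findings


def summarise(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many accounts carry each finding code."""
    counts = {NEVER_EXPIRES: 0, DEPARTED: 0, GHOST: 0, NO_MFA: 0}
    for codes in findings.values():
        for code in codes:
            counts[code] += 1
    return counts


# Constructed sample data: a fixed audit date and five illustrative accounts.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, AUDIT_DATE - timedelta(days=3), True, True, True),
    Account("bob", False, AUDIT_DATE - timedelta(days=400), True, False, True),
    Account("svc-backup", False, AUDIT_DATE - timedelta(days=1), True, True, False),
    Account("carol", True, AUDIT_DATE - timedelta(days=200), False, True, False),
    Account("dave", True, None, True, True, False),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample inventory."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    results = run_sample()
    for user, codes in results.items():
        print(f"{user}: {', '.join(codes)}")
    print(summarise(results))
```

In practice the `Account` records would be built from a directory export joined with the HR leaver list; the value of the exercise is the join itself, because an identity system alone cannot tell a service account from a departed employee's login.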
Lastly, a robust backup and recovery plan is key to mitigating the risks associated with data loss. A well-designed backup and recovery plan will allow an organisation to recover its data quickly and easily in the event of a loss, helping to minimise downtime and disruption to its business.