Financial firms exposing data through mismanaged access controls - Varonis

20 Nov 2020

Varonis’ 2021 Financial Services Data Risk Report estimates that the financial services industry stands to suffer the heaviest financial losses from data breaches, at around US$5.85 million per breach.

The report, which analysed four billion files across 56 financial services organisations, found that, on average, employees have access to almost 11 million files - and in larger firms, this number can almost double to 20 million.

Access issues become more apparent as research delves further into the enterprise - almost two-thirds of the analysed firms leave more than 1000 sensitive files open for every employee to access.

“This puts them at risk of non-compliance with regulations like the EU General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX) and California Consumer Privacy Act (CCPA) — which all require strict controls on sensitive information. Violators could face prison and (in the case of GDPR) up to €20 million or 4% of global revenues in fines,” the report notes.

Organisations also leave 20,000 exposed folders per terabyte of data. Varonis says that IT professionals typically take 6-8 hours to find a folder and manually lock it down, which means it could take up to 15 years to fix every folder - and that’s assuming no new folders are created and the IT team never sleeps.

The report attributes some of the blame to this year’s pandemic and organisations’ rapid shift to work-from-home policies without first laying the proper cybersecurity groundwork.

“The abrupt nature of this transition forced many companies to step into the cloud without proper cybersecurity preparedness, inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers. The risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee,” the report says.

The report also found that 41% of companies have fewer than 500 passwords with no expiry date, while 31% have between 500 and 1,500, and 21% have more than 1,500.

It’s a similar story for ‘ghost users’ - accounts that are still active but stale. 35% of companies have fewer than 1,000 ghost users, while 25% have between 1,000 and 10,000, and 39% have more than 10,000.

“These, along with stale user account groups and privileged users with passwords that never expire, give hackers a window through which they can steal data or cause disruption without being detected,” the report states.

According to an IBM Cost of a Data Breach report, financial services take an average of 233 days to detect and contain a data breach, meaning that the industry average resolution time is eight months.

The report suggests that there must be safeguards to enforce controls and manage increased risk. Clear audit trails and reporting mechanisms are essential for compliance.
