Despite massive security expenditure, the shift to home working has left financial services companies exposed with poorly managed passwords and unmanaged file systems that give every employee access to an average of nearly 11m files.
Around 60 per cent of companies have at least 500 passwords that never expire, according to the Varonis 2021 Financial Services Data Risk Report, which examined the security protections around 4 billion files at 56 financial institutions.
Despite efforts to repel cybercriminals for whom financial data is a bonanza – one recent study found ‘Best Australian financial data’ for sale on the dark web for over $80,000 – analysts warned that banks are creating inadvertent risks by providing employees with too much access to too much data.
Non-expiring passwords, for example, create vulnerabilities because their long shelf life means they may be compromised and exploited without anybody noticing.
At 39 per cent of the companies inspected, more than 10,000 stale user accounts – old temporary accounts, for example, or accounts belonging to former employees – had created doors through which cybercriminals could enter undetected.
By using those accounts to gain seemingly legitimate access to millions of data files, Varonis warned, attackers can lurk on networks undetected.
Throw in the tumult of 2020’s rapid transition to remote working and the lack of control this caused, the analysis warned, and financial-services companies face a major security issue.
“The abrupt nature of this transition forced many companies to step into the cloud without proper cybersecurity preparedness,” the report’s authors note, “inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers.”
Those unsecured networks posed a clear and present danger to financial services organisations that, the analysis found, have approximately 20,000 exposed folders – those whose files are available to all users within the company – per terabyte of data.
This translated into an average 10.7m files open to everyone per organisation, with 36,000 of those classified as ‘sensitive’ files whose contents are meant to be protected – and could trigger governance breaches if compromised.
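The two failure modes the report measures, accounts that should not still be usable (non-expiring passwords, stale or orphaned accounts) and folders readable by every employee, are both things a defender can audit from an export of directory and file-share data. The following Python script is an added example, not code from the article or from Varonis; it runs the checks over a constructed sample of accounts and folder ACLs (the group names, the 90-day staleness threshold and the reference date are assumptions to tune for a real environment) and reports the same "open folders per terabyte" style of metric the report quotes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Assumption: these broad built-in groups mean "every employee" when they
# appear in a folder ACL. Tune the set for the directory being audited.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Assumption: an enabled account with no logon in 90 days is treated as stale.
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[datetime]  # None means the account has never logged on


@dataclass
class Folder:
    path: str
    size_bytes: int
    sensitive: bool                 # classified as holding regulated/sensitive data
    readers: FrozenSet[str]         # principals granted read access


def non_expiring_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose password never expires."""
    return sorted(a.name for a in accounts if a.enabled and a.password_never_expires)


def stale_accounts(accounts: List[Account], now: datetime,
                   threshold: timedelta = STALE_AFTER) -> List[str]:
    """Enabled accounts with no logon inside the threshold (never-used accounts count)."""
    return sorted(
        a.name for a in accounts
        if a.enabled and (a.last_logon is None or now - a.last_logon > threshold)
    )


def open_folders(folders: List[Folder]) -> List[str]:
    """Folders whose ACL grants read access to a broad 'everyone' group."""
    return sorted(f.path for f in folders if f.readers & BROAD_GROUPS)


def open_sensitive_folders(folders: List[Folder]) -> List[str]:
    """The subset of open folders that are also classified as sensitive."""
    return sorted(f.path for f in folders if f.sensitive and f.readers & BROAD_GROUPS)


def open_folders_per_tb(folders: List[Folder]) -> float:
    """Open folders normalised per terabyte of data, as the report expresses it."""
    total_tb = sum(f.size_bytes for f in folders) / 1e12
    return len(open_folders(folders)) / total_tb if total_tb else 0.0


# Constructed sample data (not from the report): a reference date, six accounts
# and four shares with simplified ACLs.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
GB = 10 ** 9

SAMPLE_ACCOUNTS = [
    Account("alice", True, False, NOW - timedelta(days=2)),
    Account("svc-backup", True, True, NOW - timedelta(days=1)),        # non-expiring service password
    Account("temp-contractor", True, True, NOW - timedelta(days=200)),  # non-expiring and stale
    Account("bob-left", True, False, NOW - timedelta(days=400)),        # former employee, still enabled
    Account("carol", False, True, NOW - timedelta(days=500)),           # disabled, so excluded
    Account("new-hire", True, False, None),                             # never logged on
]

SAMPLE_FOLDERS = [
    Folder("/shares/public/policies", 50 * GB, False, frozenset({"Authenticated Users"})),
    Folder("/shares/hr/payroll", 20 * GB, True, frozenset({"Domain Users", "HR-Admins"})),
    Folder("/shares/finance/ledger", 30 * GB, True, frozenset({"Finance-Team"})),
    Folder("/shares/it/scripts", 100 * GB, False, frozenset({"IT-Ops"})),
]


if __name__ == "__main__":
    print("Non-expiring passwords:", non_expiring_accounts(SAMPLE_ACCOUNTS))
    print("Stale accounts:        ", stale_accounts(SAMPLE_ACCOUNTS, NOW))
    print("Open folders:          ", open_folders(SAMPLE_FOLDERS))
    print("Open sensitive folders:", open_sensitive_folders(SAMPLE_FOLDERS))
    print("Open folders per TB:   ", round(open_folders_per_tb(SAMPLE_FOLDERS), 1))
```

In practice the account list would come from a directory export (for Active Directory, the `PasswordNeverExpires` and `LastLogonDate` attributes) and the folder ACLs from a share crawl; the value of the script is that each finding maps to a concrete remediation: disable or expire the account, or replace the broad group on the ACL with a specific team.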
“The risk,” the report notes, “increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee.”
The cloud’s nebulous data protections
The findings highlight the risk that companies have inadvertently assumed as they rush to empower employees with the flexibility and access of cloud-based services like Microsoft 365 and Google Workspace.
NAB, for one, tripled its cybersecurity spend last year but security specialists have long warned about poor security oversight that could leave cloud-based data exposed – as recently happened when a Ukrainian security consultant found images of over 54,000 NSW driver’s licenses stored in a misconfigured cloud service.
As companies standardise on cloud-based productivity suites, increasing volumes of confidential data will make them ever more appealing to cybercriminals.
Nearly 20 per cent of files contain sensitive employee and customer data, Varonis found – translating to millions of potentially compromised data files per financial-services firm.
By 2023, Gartner has predicted, over half of cybersecurity incidents will be attributable to poor management of identities, system access and privileged accounts.
Board members should take note, given that the now-active APRA CPS 234 regulations threaten severe penalties for executives of financial-services firms that fail to implement adequate cybersecurity controls.
Without addressing the poor account-management practices, those executives could end up in the firing line despite their best intentions.
“Financial services finds itself in the strange situation of being one of the most improved in terms of security maturity,” the report noted, “but still at incredibly high risk comparatively.
“As financial services take to remote work via Office 365, having guardrails in place to enforce controls and manage the increased risk is taking priority.”