Study Finds New Employees Immediately Given Access to Millions of Files
A new report argues that the access-control problem created for financial services by the COVID-related switch to remote working is so large that it can only be solved by automation.
Data protection firm Varonis analyzed a dataset of 4 billion files in 56 financial services companies. It found that all new employees immediately had access to an average of 10 million files — which was nearer 20 million in the larger companies. This is a security issue in itself — but one that is made worse by the dramatic and forced switch to working from home by international pandemic lockdowns. All companies — not just financial services — were required to step into the cloud without adequate preparation.
“Mobilizing without proper security controls,” warns Varonis in its latest study on financial services, “exponentially increases the risk posed by insiders, malware, and ransomware attacks, and opens companies up to possible non-compliance with regulations such as SOX, GDPR, and PCI.”
Detailed analysis of the files available to staff working remotely or from home shows that home workers have unrestricted freedom to view, copy, move and change almost 20% of all files containing sensitive employee and customer data. On average, Varonis finds that every financial services organization has approximately 20,000 folders exposed to every employee per terabyte of stored data.
“It takes IT professionals an estimated 6–8 hours per folder to locate and manually remove global access, meaning it would take years to remediate these folders manually,” says Varonis — something that is impossibly tedious and time-consuming without automation.
Inadequately secured global access of this kind exposes financial services organizations to a series of threats. A single successful phishing attack against an employee could result in a corporate compromise. According to the IBM Cost of a Data Breach Report 2020, “The average time to identify and contain a data breach, or the ‘breach lifecycle’, was 280 days in 2020.” This, warns Varonis, is ample time for adversaries to severely damage reputation, revenue and customer faith.
Ransomware is of course a major threat. In October 2020, a G7 advisory warned that the threat was increasing and possibly involved state actors. “The financial services sector has become an attractive target for ransomware attacks,” warned the G7, “and financial institutions have reported increased sophistication in malicious cyber-enabled attacks in recent months. Some prominent strains of ransomware have been linked to groups that are vulnerable to influence by state actors.”
The growth of ‘double extortion’ ransomware is not the only non-compliance threat faced by the financial services sector. The Varonis study found that more than 64% of the companies have more than 1,000 sensitive files open to every employee. This puts them at risk of non-compliance with regulations like the EU General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX) and California Consumer Privacy Act (CCPA) — which all require strict controls on sensitive information. Violators could face prison and (in the case of GDPR) up to €20 million in fines.
These threats are exacerbated by the common but rarely cured habit of poor password hygiene. Varonis found that 59% of financial services companies have over 500 passwords that never expire and 71% have folders with unresolved SIDs. Finding these vulnerabilities takes time and internal collaboration across teams — and again is best achieved through automation.
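The three findings above (folders open to every employee, folders carrying unresolved SIDs, and accounts whose passwords never expire) are exactly the kind of audit that is impractical by hand but straightforward to script. The PowerShell below is an added example written for this article; it is not Varonis code or tooling. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed, and the share path \\FILESERVER\Finance is a placeholder. The script only reads ACLs and directory attributes and writes CSV reports; it changes nothing.

```powershell
# Added example (not from the Varonis report or its tooling): audit a share for
# folders exposed to global groups, ACEs whose SID no longer resolves, and AD
# accounts whose password never expires. Read-only: nothing is remediated.
# Assumes a domain-joined Windows host with the ActiveDirectory (RSAT) module.
param(
    [string]$ShareRoot = '\\FILESERVER\Finance',   # placeholder UNC path, not a real server
    [int]$MaxDepth     = 3,
    [string]$ReportDir = "$env:TEMP\access-audit"
)

# Well-known SIDs that amount to "every user": Everyone, Authenticated Users,
# BUILTIN\Users. Domain Users is domain-specific, so it is matched by RID 513 below.
$GlobalSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-GlobalSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($GlobalSids -contains $Sid.Value) { return $true }
    return $Sid.Value -match '^S-1-5-21-\d+-\d+-\d+-513$'   # <domain>\Domain Users
}

function Get-ExposedFolders {
    param([string]$Root, [int]$Depth)
    $findings = New-Object System.Collections.Generic.List[object]
    $children = @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    $folders  = @(Get-Item -LiteralPath $Root) + $children
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }

        # Ask for principals as raw SIDs so orphaned (unresolvable) entries are not hidden
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $sid      = $ace.IdentityReference
            $isGlobal = Test-GlobalSid -Sid $sid
            $resolved = $true
            try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
            catch { $resolved = $false }   # IdentityNotMappedException: deleted account or unreachable domain
            if (-not $isGlobal -and $resolved) { continue }
            $findings.Add([pscustomobject]@{
                Path      = $folder.FullName
                Finding   = $(if ($isGlobal) { 'GlobalAccess' } else { 'UnresolvedSid' })
                Sid       = $sid.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
            })
        }
    }
    return $findings
}

function Get-NeverExpiringPasswords {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'PasswordAgeDays'
               e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } }
}

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$exposed = Get-ExposedFolders -Root $ShareRoot -Depth $MaxDepth
$exposed | Export-Csv -Path (Join-Path $ReportDir 'exposed-folders.csv') -NoTypeInformation
$openFolders   = @($exposed | Where-Object Finding -eq 'GlobalAccess'  | Select-Object -ExpandProperty Path -Unique)
$orphanFolders = @($exposed | Where-Object Finding -eq 'UnresolvedSid' | Select-Object -ExpandProperty Path -Unique)
Write-Host "Folders open to global groups : $($openFolders.Count)"
Write-Host "Folders with unresolved SIDs  : $($orphanFolders.Count)"

$stale = @(Get-NeverExpiringPasswords)
$stale | Export-Csv -Path (Join-Path $ReportDir 'never-expiring-passwords.csv') -NoTypeInformation
Write-Host "Enabled accounts with non-expiring passwords: $($stale.Count)"
Write-Host "Reports written to $ReportDir"
```

Two design points matter for the remediation step that follows an audit like this. First, requesting ACEs as SecurityIdentifier objects rather than NTAccount names is what makes unresolved SIDs visible; asking for names silently returns the SID string for orphaned entries and makes them easy to miss. Second, the Inherited column separates ACEs that can be removed on the folder itself from those that have to be corrected on an ancestor, which is where most of the manual hours in the 6–8 hour estimate go.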
The stakes are high for the financial services industry. It is one of the most attacked sectors by both financial criminals and nation state actors, while the cost of a data breach is amongst the highest at an average of $5.8 million. “As financial services take to remote work via Office 365,” warns Varonis (PDF), “having guardrails in place to enforce controls and manage the increased risk is taking priority. Proving regulatory compliance in this environment can be tricky, so clear audit trails and reporting mechanisms are must-haves.”