By Jens Puhle, UK Managing Director of access rights management specialist 8MAN
2015 may have seen an increasingly broad variety of organisations hit by cyber attacks, but financial organisations remain the most at risk of data breaches, with their wealth of client data providing the biggest payday for fraudsters and other criminals.
A powerful example came last month when three men were charged for the biggest data theft from US financial institutions in history. The attack saw the details of more than 83 million people stolen from 14 major financial organisations, including JPMorgan. The data was then apparently used by the trio to manipulate stock markets by sending false stock tips to stolen email addresses.
With the threat to their data so high, financial organisations based in or trading within the EU are also set to face even greater scrutiny of their ability to keep their customers safe from fraud.
The EU Data Protection Regulation currently being drafted is now set to include even stricter punishments for major security failures, with large organisations that fall short potentially being hit with fines of up to four per cent of their entire global turnover. All organisations that handle large amounts of customer data will be affected by the new rules, making financial firms among the most at risk, with fines running into the billions if they are judged not to have done enough to prevent a leak.
Alongside this, the European Commission is drafting new legislation aimed at improving both cooperation on cyber protection between member states, and the individual security capabilities of organisations based or trading in Europe. Essential services such as banks are among those that will be required to take extra measures in defending their data, as well as reporting breaches to the national authorities.
Data breaches have become such a serious issue that a report from PwC found that 90 per cent of all large organisations have been hacked in the last 12 months. However, while external attacks from hacking groups have gained the most media attention in recent times, companies must not overlook the threat from within. 81 per cent of companies reporting a breach told PwC that their own staff were involved in causing it, whether maliciously or by accident.
A powerful example in finance came in January 2015, when an employee at Morgan Stanley stole the data of more than 730,000 customers, including 350,000 wealth managers. The insider, who was later fired and then arrested for the breach, copied addresses, account numbers, investment information and other data to his home computer while apparently in talks with competitors for a job. Details from 900 customers ended up posted online, although Morgan Stanley asserts that none lost money.
Not all customers – or organisations – get off so lightly, however. Insider data theft cost Bank of America more than $10m in 2011, after an employee passed on customer records to a fraud ring. The gang used the data to commit identity theft against hundreds of people, costing one victim as much as $20,000.
The extremely high value of customer financial data means the financial sector is particularly at risk from both external hackers and internal threats, and it cannot afford to take either lightly. Beyond the threat of data leaks, strong access rights management is also a vital factor in complying with the PCI Data Security Standard version 3.0/3.1 (PCI DSS).
The standard applies to all organisations processing, storing or transmitting cardholder data, and covers both external security and internal practices. Implementing a strong access rights management policy is one of the main objectives of the standard, with compliance dependent on the ability to restrict access to cardholder data on a need-to-know basis and assigning a unique ID to each person with computer access. Tracking and monitoring all access to network resources is also required, along with regular testing for security processes.
Despite this, it is surprisingly common for large organisations to still have little idea who is able to access vital assets such as customer financial data and intellectual property, leaving them wide open to an internal data breach. Breaches by insiders are both potentially more damaging and much harder to detect without the proper resources.
Contributing to this risk is the fact that it’s very common for new staff to be given much wider access to data than they need, and we often see firms setting up new users as administrators with full access because it’s faster and easier. Best practice is always to give new users only as much access as their roles require: the fewer people who can access sensitive data, the less likely it is to be leaked accidentally.
Because of the way native Windows Active Directory works, many system administrators find proper due diligence in managing access for every new starter too time-consuming, especially when large numbers of staff join at once because of a merger or a large project.
Insider leaks can be particularly difficult to guard against because the perpetrator is usually legitimately cleared for access as part of their job role. To address this challenge, firms should ensure they have systems in place that alert them whenever certain files or folders are accessed. In addition, more advanced access rights management systems can send real-time alerts when information is accessed outside of usual parameters, preventing data from being copied unobserved from remote locations outside office hours.
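The "usual parameters" mentioned above are concrete enough to encode as detection rules: which folders are sensitive, which hours count as office hours, which networks are corporate, and how many sensitive files one person normally copies in a day. The block below is an added example, not the article's or 8MAN's code; it runs over a constructed file-access log (the paths, users, IP addresses and thresholds are all invented) and also covers the PCI DSS requirement, mentioned earlier, to track and monitor access to cardholder data.

```python
# Added example: alerting on sensitive-file access outside usual parameters.
# Input is a constructed CSV access log; nothing here is real customer data.
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. Fields: time,user,src_ip,path,op
SAMPLE_LOG = r"""time,user,src_ip,path,op
2015-11-03T09:12:04,a.smith,10.20.1.15,\\fs01\clients\summary.xlsx,read
2015-11-03T14:05:31,c.patel,10.20.1.40,\\fs01\clients\portfolio_0001.pdf,read
2015-11-03T23:41:10,c.patel,203.0.113.7,\\fs01\clients\portfolio_0002.pdf,copy
2015-11-03T23:41:12,c.patel,203.0.113.7,\\fs01\clients\portfolio_0003.pdf,copy
2015-11-03T23:41:15,c.patel,203.0.113.7,\\fs01\clients\portfolio_0004.pdf,copy
2015-11-04T10:30:00,b.jones,10.20.1.99,\\fs01\public\lunch_menu.docx,copy
"""

# Hypothetical policy: the "usual parameters" for this (invented) firm.
SENSITIVE_PREFIXES = (r"\\fs01\clients", r"\\fs01\cardholder")
OFFICE_HOURS = (time(8, 0), time(18, 30))           # Monday to Friday
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BULK_THRESHOLD = 3   # sensitive files copied by one user in one day


def parse_events(log_text):
    """Turn the CSV log into typed event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "user": row["user"],
            "src_ip": ipaddress.ip_address(row["src_ip"]),
            "path": row["path"],
            "op": row["op"],
        })
    return events


def is_sensitive(path):
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PREFIXES))


def outside_office_hours(ts):
    start, end = OFFICE_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() <= end)


def is_remote(ip):
    return not any(ip in net for net in CORPORATE_NETS)


def analyse(log_text):
    """Return (user, reason, detail) alerts for sensitive-file access that breaks policy."""
    alerts = []
    copies = defaultdict(int)    # (user, date) -> sensitive files copied that day
    for ev in parse_events(log_text):
        if not is_sensitive(ev["path"]):
            continue               # PCI scope: only cardholder/client data is tracked here
        if outside_office_hours(ev["time"]):
            alerts.append((ev["user"], "after-hours", ev["path"]))
        if is_remote(ev["src_ip"]):
            alerts.append((ev["user"], "remote-source", str(ev["src_ip"])))
        if ev["op"] == "copy":
            key = (ev["user"], ev["time"].date())
            copies[key] += 1
            if copies[key] == BULK_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append((ev["user"], "bulk-copy",
                               f"{BULK_THRESHOLD} sensitive files copied on {key[1]}"))
    return alerts


def alerts_by_user(alerts):
    """Group alert reasons per user, which is what an analyst triages."""
    summary = defaultdict(list)
    for user, reason, _ in alerts:
        summary[user].append(reason)
    return dict(summary)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for user, reason, detail in found:
        print(f"{user:10} {reason:14} {detail}")
    print(alerts_by_user(found))
```

In the sample, the legitimate daytime reads from the corporate network produce nothing, the copy of a non-sensitive file produces nothing, and the three late-night copies from an outside address produce after-hours and remote-source alerts for each file plus a single bulk-copy alert once the daily threshold is hit. In production the per-user baseline would come from observed history rather than a fixed constant, and the events would come from file-server auditing rather than an inline string.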
By equipping themselves with the right technology and putting strong internal policies in place, financial firms can keep their customers’ data as safe as possible, avoiding the increasingly unmanageable cost of a data breach.