The 2021 Varonis Data Risk Report focuses on the Financial Industry - banking, insurance & investments. As you would expect, this sector is highly regulated and generally thought to be one of the leaders in information security best practice.
The threat landscape changed this year with unprecedented numbers of staff using different technologies to connect to their place of work. This has meant, in some cases, that companies were forced to step into the cloud without proper cyber security preparedness. So, what were the new threats introduced in 2020 and how do we close the gap?
The report highlights that the main areas of concern are poor Active Directory hygiene, with a large percentage of companies allowing users to have non-expiring passwords. Another trend identified was poor implementation of role-based access controls, with staff in the majority of companies surveyed being granted unrestricted access to millions of company files. If these files contain sensitive data, these two weaknesses combine to form a significant threat to any business. Poor access control, often with ghost users (inactive but still enabled accounts) that exist on systems with little or no segregation of duties, seems to be a recipe for disaster. Couple that with home working, sometimes from a device with no basic security framework in place, and things look even worse.
As the Finance industry has been working with data security standards since they were invented (indeed some of the best standards come out of this industry), there is often a false sense of security. Even in this industry, the average time to identify and respond to a data breach is 233 days, which is enough time for an attacker to wreak havoc. Coupled with the fact that the financial penalties for losing data in the industry are the highest of all, this is a wake-up call for ISOs to instigate more regular reviews. It also serves as a timely reminder for us all that whilst working from home might be the 'new norm', there are also some new threats that need to be mitigated.
The takeaway from this report is to ensure that access control systems are managed properly, which includes regular reviews of users' privileges and account settings. Disable inactive accounts, and set stronger passwords which expire. Use multi-factor authentication for all access into company systems, and improve system monitoring and incident response procedures.
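As an illustration of what such a regular review can look like in practice, the script below is an added example (it is not from the Varonis report or from 3B) that audits an Active Directory domain for the two hygiene problems the report calls out: enabled accounts with non-expiring passwords, and enabled accounts that have not logged on within a review window. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read the domain; the 90-day window and the report path are values chosen for the example.

```powershell
# Added example (not from the Varonis report or 3B): audit an AD domain for
# non-expiring passwords and inactive ("ghost") accounts, export the findings
# for an access review, and stage the remediation in -WhatIf mode.
# Assumes the RSAT ActiveDirectory module; $InactiveDays and $ReportPath are
# example values.
Import-Module ActiveDirectory

$InactiveDays = 90                                  # assumed review window
$ReportPath   = "C:\Temp\ad-hygiene-review.csv"     # assumed output location

# 1. Enabled accounts whose password is flagged to never expire.
$NeverExpire = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ Name = 'Finding'; Expression = { 'PasswordNeverExpires' } }

# 2. Enabled user accounts with no logon inside the review window.
#    Search-ADAccount also returns accounts that have never logged on, so
#    newly created accounts will show up here and should be checked by hand.
$Inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties PasswordLastSet, LastLogonDate } |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ Name = 'Finding'; Expression = { "InactiveOver${InactiveDays}Days" } }

# 3. One combined list for the review meeting; an account can appear twice
#    (one row per finding), which is intentional.
$Findings = @($NeverExpire) + @($Inactive)
$Findings | Sort-Object SamAccountName, Finding |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} accounts with non-expiring passwords, {1} inactive accounts; report written to {2}" -f `
    @($NeverExpire).Count, @($Inactive).Count, $ReportPath)

# 4. Remediation, deliberately left in -WhatIf mode so nothing changes until
#    the account owners have signed off on the exported list. Remove -WhatIf
#    (or wrap in an approval check) to apply the changes.
foreach ($u in $NeverExpire) {
    Set-ADUser -Identity $u.SamAccountName -PasswordNeverExpires $false -WhatIf
}
foreach ($u in $Inactive) {
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf
}
```

Run it from a workstation with RSAT as a user with domain read rights; the CSV is the artefact to take into the access review, and the `-WhatIf` lines show exactly which accounts would be changed without touching them. Service accounts are a common legitimate source of non-expiring passwords, so the review should record an owner and a justification for each such account rather than blindly clearing the flag.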
3B are adept at running incident management workshops using our experience in dealing with live incidents and data security compliance programs. If you think you are in need of a security review, we are only a phone call away.
Every employee has access to nearly 11 million files. Nearly two-thirds of companies have 1,000+ sensitive files open to every employee. About 60% of companies have 500+ passwords that never expire.