Customers’ personal and financial data is being put at risk as many industry personnel are not assigned unique login and password details, new research has revealed. The ‘Financial services: access security compliance’ report by IS Decisions, security software provider, showed that 37% of finance personnel do not have unique user logins – a basic security requirement for enabling user identification – which also leaves financial organisations open to the threat of insider trading. Furthermore, 26% are not required to logon to their employer’s network at all in order to access data, despite it being a specific requirement of virtually all regulations around security, from the FCA to GLBA, SOX and PCI DSS.
The figures also showed that half (51%) of financial industry personnel did not receive training as part of their induction even though the FCA’s Financial crime: a guide for firms recommends that new employees should have access to training on financial crime risks. In addition to this, despite clear guidance from compliance requirements in the UK, only 37% of organisations provide ongoing training sessions to meet an acceptable level of security education.
The ability to log in to more than one machine at anyone time can also be a security risk in terms of tracking access and individual user identification, so it was alarming to note that 76% of finance personnel are able to login to multiple machines concurrently. In the event of a breach occurring, only 34% would know how to report it and an even lower 27% were aware of the penalties their company would impose for stealing or leaking sensitive data.
The study also showed that only 48% of organisations do not immediately revoke access rights when employees leave, leaving a window of opportunity for an ex-employee to steal sensitive information.
François Amigorena, CEO of IS Decisions commented, “Data, including card and customer information, is the lifeblood of any financial organisation. Security is the very reason we trust banks with our finances, while data access and ability to identify users is also key to combatting insider trading. As such, sensitive information should be restricted to only those who need it in order to minimise any risk of a breach or possible misuse. Identifying and implementing access control policies are requirements of the financial regulators, but it seems many UK financial organisations are not compliant with these security basics.”
The full report is available on the IS Decisions website.