Finance organizations risk data by failing to secure unique employee logins

Get a copy of the upcoming book "Secure Operations Technology"

Customers’ personal and financial data is being put at risk as many industry personnel are not assigned unique login and password details, new research from IS Decisions has revealed.

29% of finance personnel do not have unique user logins – a basic security requirement for enabling user identification – which also leaves financial organizations open to the threat of insider trading.

23% are not required to logon to their employer’s network at all in order to access data, despite it being a specific requirement of virtually all regulations around security, from GLBA, SOX and PCI DSS.

The figures also showed that 33% of financial industry personnel did not receive training as part of their induction. This is despite financial industry regulations including GLBA and Sarbanes Oxley requiring financial organizations provide security training. Despite clear guidance from compliance requirements in the US, only 52% of organizations provide ongoing training sessions to meet an acceptable level of security education.

The ability to login to more than one machine at anyone time can also be a security risk in terms of tracking access and individual user identification, so it was alarming to note that 57% of finance personnel are able to login to multiple machines concurrently.

In the event of a breach occurring, only 56% would know how to report it and an even lower 45% were aware of the penalties their company would impose for stealing or leaking sensitive data.

The study also showed that only 32% of organizations do not immediately revoke access rights when employees leave, leaving a window of opportunity for an ex-employee to steal sensitive information.

Francois Amigorena, CEO of IS Decisions commented, “Data, including card and customer information, is the lifeblood of any financial organization. Security is the very reason we trust banks with our finances, whilst data access and ability to identify users is also key to combatting insider trading. As such, sensitive information should be restricted to only those who need it in order to minimise any risk of a breach or possible misuse. Identifying and implementing access control policies are requirements of the financial regulators, but it seems many US financial organizations are not compliant with these security basics.”