30% of Financial Services Companies Put Customer Data at Risk
Our personal and financial data could be at risk because many finance industry professionals are not given unique login and password details, according to a financial services compliance report by IS Decisions.
The report showed 29% of personnel in the financial services industry do not have unique login credentials, which is a basic security requirement. In addition to endangering clients’ personal information, it also increases the threat of insider trading.
Additionally, 23% of employees are not required to log on to their employer’s network to access data, even though this is a requirement of nearly all regulations, including the Gramm–Leach–Bliley Act (GLBA), Sarbanes–Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS).
Even though GLBA and SOX require financial organizations to provide security training, one-third of financial industry personnel reported not receiving any training during their induction. Additionally, only 52% of organizations provide ongoing security education.
Other areas for concern include:
- 57% of financial services personnel can log in to multiple machines at the same time, which creates a security risk in terms of tracking access and identifying individual users.
- If a breach does occur, only 56% of employees know how to report it, and only 45% know the penalties their company would impose for stealing or leaking sensitive data.
- When an employee leaves the company, 32% of organizations do not immediately revoke access rights, which gives the ex-employee the opportunity to steal sensitive information.
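Three of the gaps listed above (credentials shared by several people, one login active on several machines at once, and accounts left enabled after the employee has gone) can be checked from an account directory, an HR leavers feed and logon/logoff events. The script below is an added example, not code from the IS Decisions report or its authors; the account list, leavers feed and event log are constructed sample data, and the field names are assumptions about what such an export would contain.

```python
"""Audit of three access-control gaps named in the survey: shared
(non-unique) credentials, one login with sessions open on several
machines at once, and accounts still enabled after the holder has left.
All data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed account directory: one entry per login name.
# 'holders' lists the people who actually use the credential.
ACCOUNTS = [
    {"login": "jsmith", "holders": ["J. Smith"], "enabled": True},
    {"login": "trading_desk", "holders": ["A. Lee", "B. Cho", "C. Diaz"], "enabled": True},
    {"login": "mbrown", "holders": ["M. Brown"], "enabled": True},
    {"login": "kwong", "holders": ["K. Wong"], "enabled": False},
]

# Constructed HR feed: people who have left and their last working day.
LEAVERS = {"M. Brown": "2024-03-01", "K. Wong": "2024-02-15"}

# Constructed logon/logoff events: (timestamp, login, host, action).
EVENTS = [
    ("2024-03-04 09:00", "jsmith", "WS-101", "logon"),
    ("2024-03-04 09:05", "jsmith", "WS-222", "logon"),
    ("2024-03-04 12:00", "jsmith", "WS-101", "logoff"),
    ("2024-03-04 12:30", "jsmith", "WS-222", "logoff"),
    ("2024-03-04 08:30", "trading_desk", "WS-300", "logon"),
    ("2024-03-04 17:00", "trading_desk", "WS-300", "logoff"),
    ("2024-03-04 10:00", "mbrown", "WS-150", "logon"),
]

DATE = "%Y-%m-%d"
STAMP = "%Y-%m-%d %H:%M"


def shared_accounts(accounts):
    """Logins used by more than one person, i.e. no unique credential."""
    return sorted(a["login"] for a in accounts if len(a["holders"]) > 1)


def stale_accounts(accounts, leavers, as_of):
    """Enabled accounts whose every holder left on or before `as_of`.

    Disabled accounts are skipped: revocation has already happened."""
    cutoff = datetime.strptime(as_of, DATE)
    stale = []
    for a in accounts:
        if not a["enabled"]:
            continue
        gone = all(
            h in leavers and datetime.strptime(leavers[h], DATE) <= cutoff
            for h in a["holders"]
        )
        if gone:
            stale.append(a["login"])
    return sorted(stale)


def concurrent_hosts(events):
    """Logins that had sessions open on more than one host at the same time.

    Events are replayed in time order; a logon adds the host to the login's
    open set, a logoff removes it. A logoff with no matching logon is ignored."""
    open_hosts = defaultdict(set)
    flagged = set()
    for _, login, host, action in sorted(
        events, key=lambda e: datetime.strptime(e[0], STAMP)
    ):
        if action == "logon":
            open_hosts[login].add(host)
            if len(open_hosts[login]) > 1:
                flagged.add(login)
        else:
            open_hosts[login].discard(host)
    return sorted(flagged)


def audit(accounts=ACCOUNTS, leavers=LEAVERS, events=EVENTS, as_of="2024-03-04"):
    """Run all three checks and return the findings as one dict."""
    return {
        "shared_credentials": shared_accounts(accounts),
        "active_after_leaving": stale_accounts(accounts, leavers, as_of),
        "multi_host_sessions": concurrent_hosts(events),
    }


if __name__ == "__main__":
    for finding, logins in audit().items():
        print(f"{finding}: {', '.join(logins) or 'none'}")
```

Each check is deliberately conservative: a shared credential is only flagged when the directory itself records more than one holder, an account is only flagged as stale when all of its holders have left, and a concurrent session is only flagged while two hosts are genuinely open at once, so a user who logs off one workstation before logging on to another is not reported.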
“Data, including card and customer information, is the lifeblood of any financial organization. Security is the very reason we trust banks with our finances, whilst data access and ability to identify users is also key to combatting insider trading,” said Francois Amigorena, CEO of IS Decisions. “As such, sensitive information should be restricted to only those who need it in order to minimise any risk of a breach or possible misuse. Identifying and implementing access control policies are requirements of the financial regulators, but it seems many U.S. financial organizations are not compliant with these security basics.”