
Financial services access security compliance

A guide to US and UK financial services access security compliance.

Published January 8, 2018

Detailing the risks of insider threat in the financial sector is arguably easier than in any other. With huge volumes of sensitive financial and customer data, the threat of all kinds of fraud and insider trading, banks and other financial institutions have a lot to lose when it comes to user security.

The high risk explains why financial services is one of the most heavily regulated industries, with US laws like Sarbanes-Oxley (SOX) and The Gramm-Leach-Bliley Act (GLBA), the Financial Conduct Authority (FCA) regulatory body in the UK, and global compliance bodies, for example the Payment Card Industry (PCI) Security Standards Council.

This guide looks at some of these requirements using research among finance industry workers in the US and UK to see how compliant today’s organizations are — and provides a user security checklist to help you with your compliance strategy.

Are US and UK financial service organizations complying with regulations to protect financial and customer data?

There are several regulatory bodies in the US and UK, and some global ones such as the PCI DSS, that set standards and guidelines for collecting, accessing and safeguarding sensitive data. However, meeting only the minimum requirements of these standards leaves room for security breaches such as unauthorised access or data loss.

Financial organizations need to ensure that they are not only complying with regulations and meeting industry standards. They should ensure that the right security policies are in place to sufficiently protect data — both theirs and that of their customers. And unfortunately the results of the research uncovered in this guide indicate that for many organizations, that is not the case.

Hopefully the guidance given here will help your organization not to be one of them.

Access Security risks and compliance penalties

Financial organizations are, essentially, data based. They operate on the handling of sensitive financial and customer information. This data transitions between other organizations and customers across international boundaries on a constant basis.

The movement of data means there is always a risk of breach. That risk can come from technology, but more often it comes from human error. All it takes is an absent-minded employee sharing a password, or an employee using data they should never have had access to in order to do something illegal.

The risks are great and the penalties for breaches are severe. Fines for non-compliance or breaches of standards like PCI Data Security Standard (DSS) or GLBA can be up to $100,000.

‘Need-to-know’ data restrictions

In data security we often talk of information being distributed on a ‘need-to-know’ basis — an informal way of putting what all the regulations in this guide (SOX, GLBA, the FCA and PCI DSS) require: that everyone in an organization has the level of data access that is necessary for their role, and no more.

This significantly reduces the risks from human error, and it’s a view on data access that can clarify your approach. But while it might sound simple in theory, implementing it in practice may not be.

Unique user identification

To limit data to the necessity of each individual’s role, you need to be able to identify each individual.

Having unique user identification in place is another requirement of all the regulations we’re looking at, and it is the foundation of all good user security practice.

Going beyond compliance

Unique user identification is just the foundation, however. Best practices filter down to a much more granular level, as do the requirements of SOX, GLBA, the FCA and PCI DSS, but the requirements of each differ to suit different kinds of risks (for example, SOX for insider trading, PCI DSS for the protection of payment card data).

Also, some compliance requirements are not as granular as they could be, because they need to apply to all kinds of financial companies and be open to interpretation to some degree so that they remain broadly applicable.

It’s for this reason that the guidelines we will go into here are not a simple ‘minimum’ for your organization to achieve compliance. This report will go into more detail on best practice so your approach to access security goes beyond compliance and minimises risk.


What are finance organizations doing with new employees to safeguard data?

On-boarding is essentially the process of inducting new employees at any level, and should include sharing tools and practices of working in ways that protect the organization and its clients’ information.

Training on how to safeguard data

In the US, GLBA requires finance organizations to report on how they share information and safeguard sensitive data, and online documents and tutorials have been created to help organizations keep sensitive data secure. However, according to our research only 33% of financial personnel said that they received this training.

The FCA’s Financial crime: a guide for firms recommends that new employees should have access to training on financial crime risks — and new staff in customer-facing positions should receive financial crime training tailored to their role before being able to interact with customers. This is why it was surprising to learn that 51% of workers we surveyed did not receive security training as part of their induction.

Security policies

In addition to briefing new employees on information security procedures, the FCA states that firms must have in place up-to-date policies and procedures relating to risks of financial crime, which should be readily accessible, effective and understood by all relevant staff. Results of the survey showed that only 55% of UK financial professionals had formal agreements to security policies in their contract, compared with 57% in the US.

Another step in the hiring and on-boarding process is conducting background checks on future employees. The FCA identifies background checks as good practice, especially if staff are in higher risk roles, taking on a temporary position, or if employment agencies are used. Similarly, GLBA offers helpful guidelines to financial organizations that do background checks pre-hire. About two thirds (66%) in the UK and 39% in the US were not aware whether their organization does this.


How are finance organizations implementing security training and business processes?

To become compliant and keep data safe, you need to do more than have the right technology in place. User security, by its very nature, is human-based, so technology should go hand in hand with effective training and business processes — with equal attention to all three. This section uncovers some shocking statistics from businesses on both sides of the Atlantic that are not placing enough importance on the human aspect of security.

The increasing importance of training in compliance requirements

An engaging training programme is vital to security awareness and can significantly improve compliance.

PCI DSS in the UK places much more importance on training now than before. As of June 2015, Requirement 9.9 states organizations that handle cardholder data must “train personnel to be aware of suspicious activity” when conducting “periodic inspections of point-of-sale devices to detect tampering.” Before June 2015, training was not a specific requirement but was a form of “best practice”. On a wider training scale, organizations must implement a formal security awareness program to make all personnel aware of the importance of cardholder data security, according to Requirement 12.6.

Chapter 6.2 in the FCA’s Financial crime: a guide for firms, part 2 document has a section dedicated to training and awareness. It details areas of best practice including “innovative training and awareness campaigns”, “Simple, memorable and easily digestible guidance for staff on good data security practice” and “testing of staff understanding of data security policies on induction and once a year after that.”

In the US, the Safeguards Rule from GLBA requires organizations that deal with customer money to produce a written information security plan — of which employee management and training is a part. Companies should train employees to “take basic steps to maintain the security, confidentiality, and integrity of customer information, including not sharing or openly posting employee passwords in work areas, and reporting suspicious attempts to obtain customer information to designated personnel.”

Companies are falling short with training

Despite clear guidance from compliance requirements in the UK and US, organizations are still way behind an acceptable level of security education. Alarmingly, just 37% of UK organizations provide ongoing training sessions — and while organizations in the US fare a little better at 52%, customers would still rightly be worried by these results.

Tough reprimands for leaking or stealing information can obviously dissuade malicious activity, but many employees are unaware of what would happen to them if their employer caught them in the act. Just 48% of US and 30% of UK employees are aware that their company responds swiftly to suspicious activity on the network, and only 45% of US and 27% of UK employees are aware of the penalties their company would impose.

Business processes, procedures and policies provide structure and regularity when it comes to user security.

What the compliance requirements are with regard to processes

The 12th and final Requirement of PCI DSS is dedicated entirely to maintaining “a policy that addresses information security for all personnel.” Security policies and procedures must “clearly define information security responsibilities for all personnel” and organizations must “review their security policy at least annually.”

The FCA recommends that organizations perform regular internal audits that review data security covering “all relevant areas of the business including IT, HR, training and awareness, governance and third-party suppliers.”

The GLBA Safeguards Rule, which dictates what organizations do with regard to employee training, requires financial institutions “do a risk analysis on their current processes.”

SOX in the US places a great deal of importance on senior responsibility when it comes to security. Section 302 states that “signing officers (principal executive officers, principal executive finance officers or equivalent, so likely a CEO or CFO) are responsible for establishing and maintaining internal controls.” Section 404 states that companies must produce an annual internal control report that states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

Why companies need to do more to implement security procedures

While the term “policies” or “procedures” can mean different things to different organizations, companies across the UK and US are still falling short of basic security checks that are applicable to all organizations.

Just 68% of those we surveyed in the US and 57% of those in the UK are even aware of the existence of a documented information security policy in their organization. Furthermore, just 44% of US and 26% of UK employees are aware that their company regularly produces security audit reports. These figures only report awareness, so the actual figures of whether companies do produce documented security policies or audits may be higher — but if that’s the case, then senior management isn’t communicating procedures with employees effectively, which is a worry in itself. Policy communication with everyone in an organization helps reinforce the importance of security and may even dissuade malicious activity from those who realise they may get caught.

With regard to responsibility for security, organizations could be accused of playing a game of hot potato. Just 53% of US and 34% of UK employees state that their company clearly defines roles and responsibilities, 56% in the US and 34% in the UK know who to report a security breach to, and, more worryingly, only 41% in the US and 25% in the UK believe that senior management takes responsibility for information security.

What are finance organizations doing to secure network access and the data within?

Having on-boarded employees, and deployed security training to address awareness and education, you should have addressed the human elements of an approach to security.

These are key steps. However, as humans are (unfortunately) fallible, it is far from all that is necessary to make your financial organization secure or indeed compliant. Technology is also necessary to fill the gaps, minimise the risks of human error and decrease the surface area vulnerable to attack.

Technology can assist in implementing restrictions to the sensitive data on your network, and there are multiple levels at which this must (or should) be addressed.

Unique user logins

The essential starting point for deploying technology with relation to user security is to establish unique user logins. To employ restrictions at any other level, individual users must be identifiable, and this is only possible by ensuring their network access is via a login. Furthermore, this login must be unique to the user, and not shared.

This is a specific requirement of virtually all regulations around security, and is the case with GLBA, SOX, PCI DSS and the FCA.

Despite this being a bare basic requirement, nearly a quarter (24%) of finance workers in the US and UK do not have a user login to access their employer’s network. A third (33%) do not have a unique username and password for access, suggesting that 9% do log in, but using shared details — which is virtually as insecure as not having logins at all.

Logoff and on procedure

Beyond the basics of actually having a login, there are further levels where human fallibility must be addressed. One of these is not relying on the user to remember to log off themselves. We all know what it’s like at the end of the day: you’re in a hurry to get home, so you get up from your desk and rush out of the door without remembering to log out of the network, leaving access open to any passers-by.

This is why an automatic forced logoff procedure is important: it ends network access after a set period of inactivity, reducing the risk of individuals getting access where they shouldn’t.

It’s a requirement of GLBA, but it is also general good practice. However, only 36% of finance workers are automatically logged off their workstations after a period of inactivity. This is significantly higher in the US (48%) than in the UK (25%).

Another aspect of this concerns concurrent logins, in other words when employees do not log off from one machine and then go to another and log in there. Having users logged in in multiple places at once makes it much harder to attribute actions to a specific individual. However, just 33% of finance workers are unable to log in to multiple machines at once using their credentials.

Location and time restrictions

A further way to reduce the attack surface is to limit when and where employees can access the network. For instance, restricting access to certain files and folders to specific departments, or to specific business hours.

This is a common requirement in the world of finance, where barriers to potential insider trading necessitate a ‘Chinese wall’ approach to data, halting entire parts of a business from accessing sensitive information.

However, just 30% of our survey base have their access to certain files and folders limited to set locations. Fewer still have access limited based on time — just 15%.
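As an added example (not part of this guide or of any IS Decisions product), the following Python sketch evaluates a constructed sequence of login events against the controls described in the two sections above: forced logoff after inactivity, denial of concurrent sessions, and department-based location and business-hour restrictions, with every decision written to an audit list for attribution. The user directory, workstation names and policy thresholds are assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed policy values for this example (assumptions, not from the guide).
IDLE_TIMEOUT = timedelta(minutes=15)         # forced logoff after inactivity
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # logins permitted only in this window
# Location restriction: which workstations each department may use.
ALLOWED_LOCATIONS = {"trading": {"TRD-01", "TRD-02"}, "research": {"RES-01"}}
USERS = {"alice": "trading", "bob": "research"}  # constructed user directory


class SessionPolicy:
    """Applies unique identity, idle logoff, one-session-per-user,
    location and time checks, and records every decision for attribution."""

    def __init__(self):
        self.active = {}   # user -> (workstation, last activity timestamp)
        self.audit = []    # (timestamp, user, decision, workstation)

    def _record(self, now, user, decision, workstation):
        self.audit.append((now, user, decision, workstation))
        return decision

    def expire_idle(self, now):
        """Force off every session that has been idle for IDLE_TIMEOUT or longer."""
        for user, (ws, last) in list(self.active.items()):
            if now - last >= IDLE_TIMEOUT:
                del self.active[user]
                self._record(now, user, "auto-logoff", ws)

    def login(self, user, workstation, now):
        self.expire_idle(now)
        dept = USERS.get(user)
        if dept is None:  # unknown identity cannot be attributed, so it is refused
            return self._record(now, user, "deny:unknown-user", workstation)
        if workstation not in ALLOWED_LOCATIONS[dept]:
            return self._record(now, user, "deny:location", workstation)
        if not BUSINESS_HOURS[0] <= now.time() < BUSINESS_HOURS[1]:
            return self._record(now, user, "deny:time", workstation)
        if user in self.active and self.active[user][0] != workstation:
            return self._record(now, user, "deny:concurrent", workstation)
        self.active[user] = (workstation, now)
        return self._record(now, user, "allow", workstation)

    def activity(self, user, now):
        """Keep an active session alive; ignored for users without a session."""
        if user in self.active:
            self.active[user] = (self.active[user][0], now)

    def logoff(self, user, now):
        ws, _ = self.active.pop(user, (None, None))
        if ws is not None:
            self._record(now, user, "logoff", ws)


def run_sample():
    """Constructed sequence of login attempts; returns decisions and the audit trail."""
    p = SessionPolicy()
    d = datetime(2018, 1, 8)
    results = [
        p.login("bob", "RES-01", d.replace(hour=7, minute=30)),     # before business hours
        p.login("alice", "TRD-01", d.replace(hour=9, minute=0)),    # allowed
        p.login("alice", "TRD-02", d.replace(hour=9, minute=5)),    # still active on TRD-01
        p.login("bob", "TRD-01", d.replace(hour=9, minute=10)),     # wrong department
        p.login("carol", "TRD-01", d.replace(hour=9, minute=12)),   # not in the directory
        p.login("alice", "TRD-02", d.replace(hour=9, minute=20)),   # allowed after idle logoff
    ]
    return results, p.audit
```

The audit trail shows the idle logoff of alice's TRD-01 session immediately before her second login is allowed, which is exactly the record a reviewer needs to attribute each session to one person.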

Attribution

Ultimately, all of these restrictions are aimed at making all actions on the network attributable to a specific individual. This is the foundation of user security compliance, but just 40% of finance workers feel that all their actions on their employer’s network are attributable to them. This is a worrying statistic because workers who feel that their actions won’t come back to haunt them may be more inclined to be careless or even steal data.

Monitoring

There is little point in being able to identify users if no monitoring is in place to keep track of their actions. However, just 44% of finance workers are aware of their organization monitoring or tracking their access to the network. As with the wider question about attribution, the reality of monitoring may be higher, but there is nothing to lose by being transparent about monitoring. The aim here is not to trick or catch people out, and by telling employees that you are monitoring their actions, you will discourage bad or reckless behaviour.

What are finance organizations doing to ensure employees have only the necessary access to sensitive data?

It is hard to imagine anything more important than data in the financial industry. The very reputation of financial organizations rests on their promise and their ability to protect customers’ personal and financial information. As well as setting up security protocols to protect the physical network itself, measures should be taken to ensure that sensitive data does not fall into the wrong hands, intentionally or otherwise.

Having access to data

From employees’ personal data to customers’ credit card and bank account numbers, protecting sensitive data should be at the top of organizations’ security policies. In line with this, the US Federal Trade Commission (FTC) published Start with Security, a document on how organizations manage and monitor access to sensitive data. Our research shows us that 79% of finance personnel have access to payment card data and 29% have access to customer data.

In the UK, the FCA defers to the Data Protection Act on the use of personal data and on the security arrangements that must be in place to protect it and to manage rights of access to this sensitive data. More than a third (37%) have access to payment card data, with a lower 14% having access to customer data.

Accessing only necessary information

Not every employee needs unrestricted access to the network. Controls should be put in place to make sure that employees have the right access to do their work effectively. Both the FTC and the FCA support the need for financial organizations to have procedures in place to ensure that employees can only access information that they need. Our research shows that 87% (US) and 83% (UK) think that the data they have access to is necessary for their role. However, it was worrying to see that 17% (US) and 14% (UK) believe that they have a level of access that is greater than necessary.

A good start is to create access controls on networks that will prevent files from being accessed by unauthorised personnel. Then consider how to further protect sensitive data using secure passwords.

Monitoring file access

Once organizations have ensured that their users’ actions are identifiable, the next step is to monitor these actions. The research identified that only 34% (US) and a lower 20% (UK) are aware that their organization monitors access to files and folders. Some organizations may be monitoring employees’ file access activities without their knowledge; however, this is mostly done as a precaution to protect company data and minimise loss.

What are finance organizations doing when employees change or leave jobs?

As an employee’s responsibilities shift when moving to a new position within a company, so too should their user rights, to maintain a relevant and safe level of access. And when an employee leaves altogether, organizations must ensure that they sever access completely.

What the compliance requirements are

PCI DSS leaves no room for interpretation when it comes to different employee roles within an organization. Requirement 7.1 states “Limit access to system components and cardholder data to only those individuals whose job requires such access.” So when employees move roles, organizations must adjust access rights accordingly. And for exiting employees, Requirement 8.3.1 states that administrators must “revoke access for any terminated users” and ensure that “all physical authentication methods — such as, smart cards, tokens, etc. — have been returned or deactivated.”

The FSA’s factsheet is equally clear on employees who move roles: “It is good practice to consider whether staff who change roles retain access rights that they no longer need and to conduct regular reviews of individuals’ IT access rights.”

Brits fall behind US companies again

Despite the compliance requirements on moving employees being clearer in the UK, many British organizations are falling well short of American companies in addressing roles and privileges. Just 34% of UK and 61% of US organizations have the ability to set and manage temporary access rights. And when employees move within a company, just 27% of UK organizations review and adapt access rights, compared with 52% of US organizations.

The most worrying finding of all though is that 48% of UK organizations do not immediately revoke access rights when employees leave, compared with 32% in the US — leaving a massive window of opportunity for an ex-employee to steal sensitive information.

Indeed, those we surveyed were honest in their answers when we asked if they had access to their previous employer’s networks post employment. 35% of US employees and 9% of UK employees said yes. Just 40% of US and 67% of UK employees underwent a formal de-registration process before leaving.