What are finance organizations doing to ensure employees have only the necessary access to sensitive data?
It is hard to imagine anything more important than data in the financial industry. The very reputation of financial organizations rests on their promise, and their ability, to protect customers’ personal and financial information. As well as setting up security protocols to protect the physical network itself, organizations should take measures to ensure that sensitive data does not fall into the wrong hands, whether intentionally or otherwise.
Having access to data
From employees’ personal data to customers’ credit card and bank account numbers, protecting sensitive data should be at the top of every organization’s security policy. In line with this, the US Federal Trade Commission (FTC) published Start with Security, a document on how organizations should manage and monitor access to sensitive data. Our research shows that 79% of finance personnel have access to payment card data and 29% have access to customer data.
In the UK, the FCA works within the Data Protection Act, which regulates the use of personal data and requires appropriate security arrangements to be in place to protect that data and to manage who is permitted to access it. More than a third (37%) of UK finance personnel have access to payment card data, while a smaller proportion (14%) have access to customer data.
Accessing only necessary information
Not every employee needs unrestricted access to the network. Controls should be put in place to make sure that employees have exactly the access they need to do their work effectively. Both the FTC and the FCA support the need for financial organizations to have procedures in place that limit employees to the information their role requires. Our research shows that 87% (US) and 83% (UK) think that the data they have access to is necessary for their role. However, it was worrying to see that 17% (US) and 14% (UK) believe that they have a level of access greater than necessary.
A good start is to create access controls on networks that will prevent files from being accessed by unauthorised personnel. Then consider how to further protect sensitive data using secure passwords.
Monitoring file access
Once organizations have ensured that their users’ actions are identifiable, the next step is to monitor those actions. The research identified that only 34% (US) and a lower 20% (UK) are aware that their organization monitors access to files and folders. Some organizations may be monitoring employees’ file access activities without their knowledge; however, this is mostly done as a precaution to protect company data and minimise loss.