What are finance organizations doing to secure network access and the data within?
Having on-boarded employees, and deployed security training to address awareness and education, you should have addressed the human elements of an approach to security.
These are key steps. However, as humans are (unfortunately) fallible, they are far from all that is necessary to make your financial organization secure, or indeed compliant. Technology is also necessary to fill the gaps, minimise the risk of human error and reduce the surface area vulnerable to attack.
Technology can assist in implementing restrictions to the sensitive data on your network, and there are multiple levels at which this must (or should) be addressed.
Unique user logins
The essential starting point for deploying technology with relation to user security is to establish unique user logins. To employ restrictions at any other level, individual users must be identifiable, and this is only possible by ensuring their network access is via a login. Furthermore, this login must be unique to the user, and not shared.
This is a specific requirement of virtually all regulations around security, and is the case with GLBA, SOX, PCI DSS and the FCA.
Despite this being a bare basic requirement, nearly a quarter (24%) of finance workers in the US and UK do not have a user login to access their employer’s network. A third (33%) do not have a unique username and password for access, suggesting that 9% do log in, but using shared details — which is virtually as insecure as not having logins at all.
Logoff and logon procedure
Beyond the basics of actually having a login, there are further levels at which human fallibility must be addressed. One of these is not relying on the user to remember to log off themselves. We know what it’s like at the end of the day: you’re in a hurry to get home, so you get up from your desk and rush out of the door without remembering to log out of the network, leaving access open to any passer-by.
This is why an automatic, timed forced-logoff procedure is important, ending network access after a set period of inactivity to reduce the risk of individuals gaining access where they shouldn’t.
It’s a requirement of GLBA, but is also general good practice. However, only 36% of finance workers are automatically logged off of their workstations after a period of inactivity. This is significantly higher in the US (48%) than in the UK (25%).
Another aspect of this concerns concurrent logins, in other words when employees do not log off from one machine and then go to another and log in there. Having users logged in in multiple places at once significantly undermines your ability to identify who is doing what. However, just 33% of finance workers are unable to log in to multiple machines at once using their credentials.
Location and time restrictions
A further way to reduce the attack surface is to limit when and where employees can access the network: for instance, restricting access to certain files and folders to specific departments, or to specific business hours.
This is a common requirement in the world of finance, where barriers to potential insider trading necessitate a ‘Chinese wall’ approach to data, halting entire parts of a business from accessing sensitive information.
However, just 30% of our survey base have their access to certain files and folders limited to set locations. Fewer still have access limited based on time — just 15%.
Ultimately, all of these restrictions are aimed at making all actions on the network attributable to a specific individual. This is the foundation of user security compliance, but just 40% of finance workers feel that all their actions on their employer’s network are attributable to them. This is a worrying statistic because workers who feel that their actions won’t come back to haunt them may be more inclined to be careless or even steal data.
There is little point in being able to identify users if no monitoring is in place to keep track of their actions. However, just 44% of finance workers are aware of their organization monitoring or tracking their access to the network. As with the wider question about attribution, the reality of monitoring may be higher, but there is nothing to lose by being transparent about monitoring. The aim here is not to trick or catch people out, and by telling employees that you are monitoring their actions, you will discourage bad or reckless behaviour.
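The concurrent-login, location and time controls described above only pay off if the resulting access records are actually checked. The following audit script is an added example (not from the original article or any vendor product) that runs those three checks over a constructed access log; the usernames, workstation naming scheme, departments and business hours are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (not real data): user, workstation, department, event, ISO timestamp.
LOG = [
    ("alice", "WS-TRADING-01",  "trading",  "logon",  "2024-03-04T08:55:00"),
    ("alice", "WS-TRADING-07",  "trading",  "logon",  "2024-03-04T10:10:00"),  # second machine, no logoff
    ("bob",   "WS-RESEARCH-02", "research", "logon",  "2024-03-04T21:30:00"),  # outside business hours
    ("carol", "WS-TRADING-03",  "research", "logon",  "2024-03-04T11:00:00"),  # research user on trading desk
    ("alice", "WS-TRADING-01",  "trading",  "logoff", "2024-03-04T17:30:00"),
]

# Assumed policy: a 'Chinese wall' by workstation naming prefix, plus a business-hours window.
POLICY = {
    "business_hours": (time(8, 0), time(18, 0)),
    "allowed_workstations": {"trading": "WS-TRADING-", "research": "WS-RESEARCH-"},
}


def audit(log, policy):
    """Return (findings, open_sessions).

    findings: list of (check, user, workstation, timestamp) tuples for logons that
    fall outside business hours, come from a workstation the user's department may
    not use, or create a second concurrent session for the same user.
    open_sessions: sessions still open at the end of the log (candidates for forced logoff).
    """
    findings = []
    active = defaultdict(set)  # user -> workstations with a session still open
    start, end = policy["business_hours"]
    for user, ws, dept, event, ts in log:
        t = datetime.fromisoformat(ts)
        if event == "logoff":
            active[user].discard(ws)
            continue
        if not (start <= t.time() <= end):
            findings.append(("out_of_hours", user, ws, ts))
        prefix = policy["allowed_workstations"].get(dept)
        if prefix is None or not ws.startswith(prefix):
            findings.append(("wrong_location", user, ws, ts))
        if active[user] and ws not in active[user]:
            findings.append(("concurrent_session", user, ws, ts))
        active[user].add(ws)
    return findings, {u: s for u, s in active.items() if s}


if __name__ == "__main__":
    for finding in audit(LOG, POLICY)[0]:
        print(*finding)
```

Every finding names a user, which is exactly the attribution the article says only 40% of finance workers believe their employer has.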