Matt Lock, Director of Sales Engineers, Varonis
The legal implementation of the General Data Protection Regulation (GDPR) is looming and with data volumes set to grow, it’s never been more important for the financial sector to take control of their data. However, a recent global report has found that 76% of IT decision makers in the financial services industry believe they will face serious challenges in achieving compliance with the EU GDPR by the May 2018 deadline.
Organisations are generating, saving and sending unstructured data at an unprecedented rate and, for many, the foundation of their security strategy is based on chasing down threats or building up perimeter defences. However, data breaches continue to happen, often because the security measures protecting the data itself are not in place. With new requirements for documenting IT procedures, performing risk assessments and toughening rules for breach notifications, organisations should already be preparing a framework for data protection and a roadmap for achieving compliance.
The fact is that, in many incidents involving the loss or theft of data, if basic data protections had been in place, many such breaches might have been avoided. With penalties for data breaches set to get much tougher next year, now is the time for organisations to get a handle on the data protection essentials.
Taking interest in who has access
Along with those financial organisations unprepared for the GDPR, only 66% of organisations have carried out a data impact assessment in the last 12 months. 33% have also confessed that the GDPR isn’t a priority for them, despite the threat of fines which could cost them up to 4% of global turnover or €20 million.
When data access isn’t managed or monitored, organisations are at far greater risk from cyber attacks and insider threats. Not only is it a security risk, but it also poses problems for any organisation that must comply with industry regulations – such as those in the financial sector. The issue is about gaining visibility and control; understanding where their sensitive information assets are located and enforcing the appropriate policies and security measures to control who is accessing them.
It’s also about ensuring employee access privileges are locked down by placing controls around who can access the company’s sensitive information. In many cases, data is ‘oversubscribed’ – meaning that too many people have access which isn’t tracked or analysed. The implications of this are significant – if an individual with global access rights was to be compromised by ransomware, all the data they can access would be encrypted.
Permissive access controls are a widespread problem. From our own 2017 Data Risk Report, we discovered that a significant proportion of users have much more access to data than they need to do their jobs. For example, 47% of organisations had at least 1,000 sensitive files open to every employee. The report also found that one banking institution discovered that 80% of its 245,575 sensitive files were accessible to every employee.
Access permissions can be set too broadly and this overly permissive data plays right into the hackers’ hands. We need access to data to do our jobs but ‘permission-creep’ sets in as IT and admin teams can’t keep up with the pace of internal changes. Access controls can fail to account for changes to workers’ current roles, or for acquisitions, mergers or other organisational re-structuring. Getting a grip on this data protection has never been more important.
Investing in controls
Managing data access and protection within the constraints of budgets and available manpower is often an issue, but it is possible to start taking control now. First, define where your data is and then you can examine user behaviour to determine how it flows through the organisation, along with how it’s used and who needs access to it. Then it’s about putting defences in place using a ‘least privilege’ model where only those who truly need the data to do their job can have access. There should also be policies and strategies in place to ensure data is disposed of once it’s no longer needed.
Data that is unmonitored and broadly accessible is a major security risk. There is a balance to be reached between data accessibility and its protection. The good news is that there are ways to automate the management of access rights and permissions to save time whilst improving efficiencies and reducing the burden on IT and admin teams. With the next cyber attack lying in wait and penalties for breaches about to get even tougher, getting on board with data protection and access controls should be at the top of the cyber security agenda.