Thales Blog

Sneak Peek – Financial Services And Insider Threats – The Good And The Bad

December 19, 2013

Andy Kicklighter | Director of Product Marketing

Sometime in the next week or so, Vormetric will be releasing analysis of Insider Threat survey results from financial services professionals. The report will analyze how the people and organizations in this segment protect sensitive data from both malicious insiders and attacks such as Advanced Persistent Threats (APTs), which typically compromise the credentials of insiders and then use them to mine data from enterprises over an extended period of time. Once available, you’ll find it posted here.

As you might expect, we found both good and bad news in the analysis. First, the good news:

  • Financial services firms have a strong focus on security process and controls.  Their adoption tends to be 20% or so higher in most categories than other types of organizations.
  • They also use more data-centric security technologies, employ fine-grained access controls more often, and monitor more diligently in order to identify threats. Once the perimeter has been penetrated, these areas represent the most effective defenses for offsetting these threats. In these areas, the adoption rate in the financial services sector is 12-20%+ ahead of other sectors.
  • Automated threat remediation also ranks higher on their priority list, with many already adopting the technology.

Clearly, financial services firms are demonstrating real leadership in adopting security technologies to safeguard their valuable data.

Now, the bad news:

  • Financial services companies appear to be just as vulnerable and fearful as other organizations – by their own assessments, only 4% feel they are “not at all vulnerable,” and a full 41% feel either “vulnerable” or “extremely vulnerable.” From my personal viewpoint, this is cause for even greater concern about the safety of the many and varied financial accounts most of us have.
  • Even as they “lead the pack” with better data-centric security, they still have far to go. For example, nearly half of the respondents have not yet implemented fine-grained access controls or aligned asset classification with security controls and risks.
  • Organizations from all industries are increasing their security budgets and developing dedicated process and security controls to improve insider threat prevention, detection, and response. That said, as we see moves toward Big Data implementations, accelerated cloud adoption and business process outsourcing (BPO), it's pretty clear that a large percentage of financial services organizations are still "at risk" of having sensitive data compromised — and that means we all are at risk.