NEW YORK – As new reports of major cyber attacks surface every day, a new BlackBerry study has found that most financial organizations are focusing their cyber security efforts in the wrong place.
The report, titled “File Sharing and Collaboration Leads to Security Gaps in Financial Services Firms,” showed that only a quarter (26 per cent) of respondents reported a breach that was caused by an external attack, while the majority admitted that data breaches started due to internal errors.
Approximately 17 per cent of respondents attributed organizational data breaches to disgruntled or former employees who obtained and distributed sensitive information to unauthorized parties, while another 18 per cent said they were breached because of lost, stolen, or unsecured devices. Another quarter pointed to simple mistakes like sharing sensitive files as the cause of data breaches.
The use of personal email and file-sharing accounts on work devices, or the use of personal software or devices for corporate business, was also flagged as a concern when it comes to the cause of data breaches.
“The results that most data breaches of financial services companies occur because of internal reasons are pretty surprising, given that organizations focus the majority of their cyber security intelligence and budgets on fixing external vulnerabilities and stopping outside hackers who want access to their data,” Alex Manea, chief security officer at BlackBerry, told ITBusiness.ca. “Not as much funds are going to educating employees on the dangers of threats like email phishing campaigns or not using two-factor authentication, so this survey really highlights that many businesses may be missing the mark.”
The report, which surveyed 200 US-based IT professionals in the financial services industry, also confirmed that a confidence gap exists between IT professionals and their ability to meet regulatory requirements for securing unstructured data, including emails, PDFs, and other business documents.
One third of respondents said that they were only “somewhat confident” or “not at all confident” about their ability to meet regulatory requirements for securing data, despite having company policies in place. More importantly, however, about 65 per cent of people were unsure whether their business protocols around collaboration and file sharing met regulatory requirements at all. Additionally, over one third of respondents said that their organization has employees using file-sharing applications not approved by IT, which is a significant risk exposure.
“Some of the most confidential corporate information is stored and shared in documents, spreadsheets and presentations. If you don’t have an effective way to protect these files across all endpoints, both inside and outside of your network, then you have a big gap in your security strategy,” Manea elaborated in a Nov. 14 press release. “All it takes is for one user to type the wrong name or attach the wrong files in an email exchange, and you have a potentially massive breach to clean up.”
However, in a digital world, virtual collaboration between employees internally and with partners externally is necessary for a functioning business. Manea explained that the security industry must do better in marketing its products and services as business enablers, not as something that gets in the way of business processes.
“The challenge with security is that it’s seen in the tech industry as necessary, but also something that is costly and not user-friendly. But security is a business enabler, and if it’s getting in the way of someone doing his or her job, we need to do better. We need to deploy technology that’s easy to work with,” Manea said.