The incidence of data breaches is mounting but organisations are increasingly struggling to identify what’s driving these attacks. Consulting firm PWC recently published research that provides food for thought on this subject. According to their data, the total number of security incidents globally has climbed to 42.8 million this year, an increase of 48% from 2013.

So IT security should be a top priority for business executives and IT managers in the financial services sector. Indeed, almost a third (27%) of financial services companies in Europe have reported 50 or more security incidents in the last 12 months. The cost of these is staggering, with 29% of these companies reporting financial losses of $10 million or more (Source: PwC Global State of Information Security Survey 2015). What’s also interesting about this research is that employees either willingly or unwittingly, seem to be the most frequent culprits of security incidents. More than a half of security breaches are said to be caused by current or former employees (44% and 28% respectively). Comparatively, the source of threat being attributed to hackers or competitors is significantly lower, standing at 26% and 20% respectively [1]. 

In addition, many incidents may be traced back to third parties with trusted access to networks and data, including current and former service providers, consultants, and contractors.

Faced with these issues, it is obvious that organisations need to foster a secure working culture. This is even more pressing when you consider how the demographics of the workforce are changing. New younger workers don’t necessarily have the same attitudes to privacy as older workers. Results of a survey we conducted earlier this year suggested a lack of awareness of basic data protection policies and worrying behaviours, such as inappropriately accessing sensitive personal information and sharing passwords with co-workers. For example, 30% of the 18-24 year old respondents would snoop on sensitive customer data at work, compared to only 12% of the 45-54 year old employees.

But the scale of the challenge is such that attempts to promote security awareness can be undermined unless there are robust mechanisms for access control and automatic enforcement of security standards and policies. And there continues to be shortfalls in capabilities to ensure better data governance and compliance.

While more than half of the surveyed companies revealed they have privileged user access solutions (55%) and use access control measures (62%), only 15% of security budgets go to privileged user access management and a mere 10% of the funding is allocated to secure access-control measures (Source: PwC Global State of Information Security Survey 2015). This is disproportionate to the actual level of breaches resulting from misuse of access by employees and contractors/suppliers.

In fact a survey conducted by Courion in November 2014 reinforces the reality that while IT Security executives are aware of access risk, their organisations may not be equipped to effectively remediate these access risks.

If businesses want to address this security gap, they need to strengthen their access risk management strategies that allow organisations to continuously enforce security policies and ensure compliance with regulatory standards. By having complete transparency into access privileges, businesses can ensure that only the right people can access certain resources, for only the right reasons.

[1] PwC Global State of Information Security Survey 2015