Usage data for 3.7 million finance employees reveals exposure to compromised accounts has skyrocketed
Companies and their employees are rapidly bringing cloud services into the workplace, and financial services firms are no exception. McAfee (formerly Skyhigh Networks) recently revisited cloud usage trends within the financial services industry and found that in the last 12 months, the number of cloud services in use at these companies increased dramatically. The average financial services firm uses an impressive 1,004 distinct cloud services, which is 32.1% higher than this time last year. The analysis was performed for 3.7 million finance employees across over 14,000 cloud services.
What’s unique about this report is that it’s based on actual, anonymized usage data of employees at banks, insurance companies, credit unions, credit card companies, and investment funds, rather than on surveys that rely on people to accurately self-report their behavior. We analyzed the usage of both enterprise-grade cloud services that IT purchases for employees and also consumer-grade services that employees often sign-up for or purchase on their own. The fastest growing cloud service category in the finance industry is collaboration (e.g. Microsoft Office 365, Gmail, and Evernote). The average financial services firm uses 195 collaboration services, an increase of 43.4% in 12 months.
Considering that two of the top reasons why companies are migrating to cloud-based software are to improve mobile access to data and to improve collaboration, perhaps it’s not surprising that collaboration services are in such demand. Financial services firms are often at the cutting edge of using technology to improve their bottom line and the cloud can give them an edge over competitors. A Vanson Bourne study found that companies that moved to cloud-based software experienced 19.3% faster growth than those who didn’t. Financial services companies aren’t just standardizing on services such as Microsoft Office 354, Concur, Salesforce, and Cisco WebEx because they are the best cloud-based software options in their category, they’re the best options within their respective category period.
While financial services firms are racing to take advantage of the cost and productivity benefits of cloud services, their security initiatives may not be not keeping pace. Less than 1 in 10 cloud services financial services firms user are low-risk (i.e. they meet the stringent security and compliance requirements of the industry). In 12 months, the percentage of cloud services in use that are low-risk declined from 9.4% to 7.0%. This is troubling considering that finance firms handle highly sensitive data on behalf of their clients and these companies must meet strict regulatory requirements under GLBA and PCI DSS. Trust is also important to their business, and it can evaporate when customer data is compromised in a breach.
Even secure cloud services can pose a risk. A hacker can easily gain access to sensitive data stored in these services using an employee’s login credentials. Many stolen login credentials eventually make their way to the Darknet, where black market websites allow criminals to buy and sell drugs, weapons, and credit card numbers alongside stolen usernames and passwords. We found that a troubling 94.3% of financial services firms have at least one employee whose account credentials are for sale on the Darknet and the number of employees with at least one stolen credential increased 72.2% in the last 12 months.
Today, 15.5% of finance employees have a username and password combination for sale online, which is higher than the 11.2% average across all industries. It’s not uncommon for people to reuse their passwords in multiple places, and 10.3% of users rely on the same 20 highly unsecure passwords, increasing the risk of compromise. A study at the University of Cambridge found that 31% of people reuse the same password. That means that if a hacker acquires their Twitter password, they could also login to other cloud services. Security experts recommend you use long, complex, and unique passwords. While these passwords can be more difficult to remember, there are some helpful tricks to making these passwords memorable.
Employees can also use secure cloud services in risky ways. McAfee analyzed usage data and uncovered the incidence of insider threat incidents, such as a salesperson downloading sales contacts before leaving to join a competitor. We found the actual incidence of insider threats is much higher than what’s initially known by the IT security team at these companies. In our Cloud Adoption & Risk in Financial Services report we also detail the top 20 enterprise cloud services in finance, the top 20 consumer cloud services, and the top cloud services used by financial services companies to collaborate with business partners. Download a free copy today to get detailed findings on how the finance industry is leveraging the cloud.
About the Author
Categories: Cloud Security