The number of data breaches in the financial, credit, and banking industries nearly doubled from 2014 to 2015, according to the Identity Theft Resource Center’s 2015 Breach List. Despite this massive increase, most financial firms have been found to be overconfident in their ability to detect and stop data breaches.
A new study by security and compliance company Tripwire evaluated the confidence of IT professionals who work in the financial industry. In short, the IT pros were highly confident that they would quickly detect a data breach, but they were unsure how long it would take to remedy any problems. They did not know how long it would take to remove an unauthorized device from their network.
Overconfidence is the name of the game in the financial sector.
87% of the people surveyed believe their vulnerability scanners will alert them to all data breaches within minutes or hours. In reality, only 75% said they discover 80% of breaches, and 3 out of 10 do not detect all attempts to gain unauthorized access to the network.
This indicates that many are doing the bare minimum in order to simply pass compliance standards. While it’s important to be compliant, this can leave gaping holes in the network that criminal hackers can take advantage of.
As Tripwire’s director of IT security and risk strategy put it, “Compliance and security are not the same thing. While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”
Other key findings from the study include:
- Only 37% of respondents say their automated detection tools are able to identify locations, departments, and other critical details about devices attempting to access the network without authorization.
- 29% said that they do not detect all attempts to access files without the appropriate privileges.
- 40% said that fewer than 80% of security patches are successful in a typical patch cycle.
- 82% believe it takes less than a few hours to detect configuration changes to a network device, but in reality 59% are unsure how long it actually takes.
- 45% of vulnerabilities are not fixed within 30 days.
As we said, compliance is crucial, but it shouldn’t come at the expense of security. Tripwire’s senior security research engineer Travis Smith believes that IT professionals in the financial sector (and in every industry, for that matter) should widen their focus and put some effort into identifying what is currently installed on their network.
“The path to a mature security deployment is through visibility because you cannot protect what you cannot see. Understanding what you have and how you can potentially be compromised will allow the security team to focus on where attackers are likely to strike. The cost of being proactive is always less than the cost of being reactive. That is why it’s important to follow best practices outlined by various security controls,” Smith stated.