London, June 11th, 2015 – Access control innovator SecureAuth has warned that too many professional and financial service companies are leaving their IT security to chance, after the company’s latest survey revealed that organisations in the professional and financial service industry are trusting only one layer of defence to protect their assets. The reliance on single-factor authentication – such as a password or token – leaves companies extremely vulnerable to data breaches from both internal and external threats.
The study found that the majority of professional and financial services companies (75%) were confident their access security was adequate to protect their company assets. However, the evidence points to a misplaced confidence, with a third of companies using passwords (34%) as the sole form of security access.
The trend is not likely to improve much over the next five years, with only two-in-five companies in the sector (21%) planning to introduce two-factor authentication alongside passwords. That leaves an alarming number of companies relying on single-factor authentication only. Even a single breach can lead to significant loss of reputation and enormous cost and worry for a business and its customers; with password reuse so commonplace, attackers can easily use credentials obtained in one place to access other resources within an organisation or to breach connected systems, such as a supplier’s or customer’s.
In addition, only 30% of firms in this sector ask their employees to change their credentials three times a year or less – the vast majority leave their systems open to abuse by not regularly requiring a refresh of credentials.
Craig Lund, CEO at SecureAuth, said: “IT security should be paramount for all professional and finance service companies as they are the custodians of their clients’ personal and financial details. Exposing their systems to risk puts their customers’ details under threat of exposure or abuse. To find that so many companies have password-only controls is alarming – they are one step away from a major security breach.”
Multi-factor authentication – combining what a user knows, such as a password, with what they have, such as a device, token or biometric signature – enables companies to build in a further level of access control. It protects IT networks against external attacks, but also prevents bad actors from moving laterally around a network once they are inside. As almost two-thirds (59%) of financial sector companies see their own employees as the biggest threat to security, it also enables them to set up controls over which areas their own staff can access.
Based on SecureAuth’s findings, the financial and professional services sector is the one whose employees are most likely to work remotely using a variety of devices – mobile phones, tablets, laptops or home-based desktop devices (compared with retail; manufacturing; enterprise, hospitality and leisure; IT and telecoms; and others). In total, employees spent 35% of their time accessing corporate resources remotely, the joint highest of any sector, along with the telecoms and IT sector.
Almost half (47%) of all employees regularly access their IT systems from three or more different devices in the average week – more than any other sector studied.
Alarmingly, however, 16% of financial companies still admitted that they had only one method in place to control remote access, meaning they had little way to verify whether the user was genuine.
“The Hatton Garden heist demonstrates the lengths that criminals will go to get their hands on cash, but more and more financial thefts are taking place in cyber space. The tools for a modern bank robber are compromised credentials that can be used to gain entry into a computer system; from there they can easily move laterally through the network and dig for information and electronic cash. Any employees who have compromised their password information, lost their token, or had their phone or laptop stolen can expose the system to abuse if they don’t have the correct layers of security in place to step up or block access to a network,” says Lund.
On a more positive note, the SecureAuth study found that a quarter (24%) of professional and financial services firms plan to move their access security away from passwords only in the next five years. But many are finding that tokens – such as tags or pass cards – are becoming increasingly unpopular, with the industry expecting a slump from 19% usage across the sector today to less than 4% in five years’ time.
Biometrics on the rise
In contrast, biometric access controls are proving increasingly popular in the UK’s financial sector. Almost a quarter of financial companies (22%) now employ some form of biometric authentication as part of their access controls, a figure that is due to increase to 34% in five years’ time. But biometrics is not the safe access solution that many people expect. Used on its own, it can be as insecure as, if not more so than, passwords. Unlike a password, biometric data such as fingerprint or iris recognition data that has been copied can never be changed once it has fallen into the wrong hands.
“It is vital to keep on top of security,” says Lund. “Biometrics is not the cure-all that many companies expect. Used on its own as a single authentication method, it’s no more secure than any other single-factor authentication system. It is vital that companies protect their assets with multiple layers of authentication including adaptive risk and context analysis, especially when handling sensitive financial information. A data breach can be damaging to the company involved, and devastating to the individual who suffers a data loss along the way.”
The research, conducted by Opinium for SecureAuth, studied the approach businesses take to their IT security and access control; all figures, unless otherwise stated, are from Opinium. The total sample size was 500 IT decision makers in UK organisations with 50 or more employees. Fieldwork was undertaken between 20th February and 4th March 2015. The survey was carried out online.
*Based on an average 8 hour working day and 233 working days a year excluding bank holidays and 20 days annual leave
SecureAuth’s identity and information security solutions deliver innovative access control for on-premises, cloud, mobile and VPN systems to millions of users worldwide. With adaptive and multi-factor authentication alongside single sign-on in one solution, SecureAuth IdP’s unique architecture enables organizations to leverage legacy infrastructures while also embracing next-generation technologies. This preserves existing investments while also meeting today’s security challenges. For the latest insights on secure access control, follow the SecureAuth Blog, follow @SecureAuth on Twitter, or visit www.secureauth.com
Atomic PR for SecureAuth
+44(0)207 478 7847