Cybersecurity in financial services: Bad password hygiene, shadow IT

Oddly enough, however, financial services professionals have a healthy fear of data breaches.


The pandemic has changed the nature of the workforce, and employers are not keeping up with the cybersecurity demands of the new environment. “Companies are getting hacked, employees are resigning and the battle for talent is intensifying,” according to research by Mobile Mentor.

The Endpoint Ecosystem study explores how employees perceive privacy, security, productivity and personal well-being in the finance industry. The goal of the study is to educate and inform employers how to prevent security breaches, and then how to attract and retain motivated employees. Researchers define the endpoint ecosystem as the combination of all devices, applications and tools, plus the employee’s experience using that technology.

The study drew three conclusions:

Finance is more security-conscious than other industries. Finance employees have a healthy fear of data breaches, seem to understand the need to protect company data and receive regular security awareness training.

These numbers are much higher than for health-care, government or education workers.

Forty-two percent believe they have not been adequately trained on security awareness, although data show that 83 percent of finance workers receive monthly or quarterly training. Nearly 60 percent say they see a security policy every time they log onto their computers.

Thirty-seven percent of Gen Z employees admit they saw a security policy the day they joined the company but didn’t read it.

Finance has a password hygiene problem. Employees regularly save work passwords in their personal journals and on their personal phones. Seven in 10 choose passwords that are easy to remember, and 18 percent reset their password every day.

The good news is that finance has better password hygiene than other industries, but it still is very poor.

The vast majority of cyberattacks start with compromised credentials. The problem is worse for younger workers: Two in 10 manage more than 50 personal passwords and 50 work passwords, and 45 percent of younger employees reset a password every day.

The more passwords a person has, the more likely they are to pick easy passwords with predictable patterns. Employers need to commit to going fully password-free or provide their employees with a password management tool.

Finance has a shadow IT problem. Finance employees have a mature attitude toward security at work — until they go home. Forty-six percent allow their family members to use their work devices. Half of finance employees work around security policies and prefer to use unapproved apps and bring-your-own devices (BYOD).

Nearly half of finance workers have BYOD enabled, including 53 percent of remote workers and 29 percent of office workers. Eighty-five percent of employees believe their company respects the employee’s personal privacy, but the greatest area of doubt and suspicion is still the management of BYODs.

Unsecured personal devices create huge risk when data are exposed on an unmanaged public app or on an unmanaged device.

Shadow IT will get worse as remote work becomes the norm. Employers need to identify the right tools to empower employees and reduce their need for unapproved apps.

“Finance fares better at endpoint security than the other studied industries and deserves recognition,” researchers concluded.

“However, finance suffers from slow and inefficient employee onboarding, likely due to the complexity of their endpoint configuration and the many applications required to operate.

“Finance is challenged with the presence of Shadow IT as employees perceive their security policies impede their work. Finally, password management is a major problem for the finance industry.”