Apr 3 2020
O365 Security Facts, Figures and Best Practices for Financial Organizations
Did you know that most confidential data is kept in Office documents, and once a hacker cracks an O365 admin account, they have access to the entire tenant? Office 365, with over 200 million users, is the new cybercriminal hot spot. More bad news – traditional security tools do not protect against O365-specific vulnerabilities and attacks.
Financial services firms are tantalizing targets, and data breaches are rampant and wreak havoc. Just ask Capital One, with 100 million customers’ data exposed, JPMorgan Chase, where data from 76 million households was stolen, and First American Financial Corp, with 885 million records compromised.
Defining the Problem
Don’t believe the threat to finance is that bad? Some 35% of all data breaches affect the financial services industry, Forbes found. Not only is the data so valuable that hackers cannot resist it, but financial IT systems are so complex and interconnected that there are myriad ways to break in.
Security attacks never stop for the finance market. Technology researcher Vanson Bourne surveyed some 100 UK business decision-makers in financial services organizations. Some 70% were victims of a security incident in the last year. The researchers said that most security incidents were “from employees failing to follow security protocol or data protection policies.” Other factors “included the introduction of malware and viruses via 3rd party devices, including USBs and BYOD (32%), file and image downloads (25%) and employees sharing data with unintended recipients (24%).”
If that sounds scary, there is far worse news. “Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” the Boston Consulting Group argued. “Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”
Most financial institutions have security management and monitoring tools that alert IT when things are suspicious. The problem is the sheer number of events. Even a small fraction flagged as suspicious leads to “alert overload.” In fact, MasterCard security professionals interviewed by the New York Times said there were some “460,000 intrusion attempts in a typical day, up 70 percent from a year ago.”
Ovum research on banks discovered that some 40% of banks surveyed receive 160,000 mistaken, redundant or irrelevant alerts daily. One cause of alert overload is security tool overload. Here, 73% of the banks surveyed run at least 25 different security tools.
Institutional Challenges Just as Tough as Hackers Themselves
IT knows the danger of hackers well, but those who control the budget purse strings don’t always share IT’s concerns. Minimal buy-in from executive leaders leads to small security budgets and opens the door further to cybercriminals.
Security Magazine argues that cybersecurity is less of a priority than compliance or supporting high customer satisfaction. “Leaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort,” the magazine argues. “This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.”
Taking Security Seriously Requires IT Maturity
We mentioned the institutional challenges that detract from effective and deep security efforts. Accounting firm Deloitte ranks financial institutions’ security profiles on four levels of IT maturity, which include:
“Partial: At these organizations, cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc (and sometimes reactive) manner.
Informed: This maturity level is characterized by institutions where management has approved risk management practices, but these practices may not be established as policy across the organization.
Repeatable: Here, an organization’s risk management practices are formally approved and expressed as policy.
Adaptive: At this highest maturity level, organizations adapt cybersecurity practices “based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.”
Learn About 26 Office 365 Security Pain Points – and How to Cure Them
CoreView has four white papers showing 26 common O365 security problems. Topics include:
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.