The security risks of file sharing and collaboration in financial services firms

Highly regulated organisations such as those in the financial services industry are generally considered the most secure enterprises. According to a global survey by Capgemini, 83% of consumers trust banks and insurers not only with their financial assets, but also when it comes to their personal data.

This is sensible given the wealth of sensitive personal information that FSI organisations collect from consumers, but this is also the very reason why they have always been a prime target for cybercriminals. Just a few weeks into 2021, high-profile security breaches affecting SolarWinds and the Reserve Bank of New Zealand have prompted the Monetary Authority of Singapore to announce new rules to better mitigate cyber threats as they adopt new technologies. 

A number of past attackers targeting FSI organisations have gained access to databases full of records stored as structured data. But there are two areas that receive less attention: unstructured data (such as Microsoft files, PDFs, and image files), and the associated risks for the many internal business processes that rely on these files. These formats are not only easy to access, store and share, but also rich in personal and business information, which makes them vulnerable to unauthorised access.

Cybercriminals know this all too well. Attacks targeting unstructured data pose a significant threat and, in most cases, highlight greater flaws in internal processes.

Email is a constant problem 

As with most businesses, file sharing via email is a very common practice for FSI organisations. Email allows for fast and easy distribution of information and has become one of the most popular attack vectors. A new global research report from email security provider Mimecast has revealed that 60% of organisations expect to suffer an email-borne attack in 2021.

Despite recent advances in email security, including encryption and digital signatures, the incompatibility between different email servers poses risks when sharing sensitive information with external parties. For instance, when a copy of an email and any associated information such as file attachments is sent from one user to another, multiple copies of the message are also stored on the recipient’s servers and devices. It is difficult to guarantee that an outside device or email server is secure, and furthermore, it is beyond the control (and security policies) of the organisation where the email originated.

Missteps and human error compound the risks, as when employees share sensitive information by mistake. Recently, Intel was forced to issue its financial results earlier than expected after an internal error made some of the information public before it was due to be released. Such incidents demonstrate how a simple mistake can become a costly organisational problem.

Consumer-grade file sharing applications

The prevalence of web-based file-sharing systems can also expose financial services firms to cyber threats. The accessibility of these consumer-grade platforms makes them an attractive alternative for employees because it enables them to share and store large files effortlessly in the cloud, as well as to collaborate easily with external clients. This is concerning when the platforms are accessed outside of the organisation’s security perimeter. One of the most severe data breaches involving a third-party file sharing service happened in 2016, when the login credentials of Dropbox’s 68 million users were stolen and sold on the dark web. Closer to home, a recent breach of a third-party file sharing system used by Singtel resulted in the data of 129,000 customers being compromised.

Securing Unstructured Data and Related Processes with EFSS

There is often a tension between user experience and security in adopting enterprise software technologies. Applications with several layers of security can be cumbersome for employees to use, which might cause them to use workarounds to get their jobs done faster. But the good news is that organisations are realising the importance of fortifying their security posture in a way that also strikes a balance with convenience.

Organisations must start by investing in the right tools that meet their specific security and productivity needs. This is where Enterprise File Sync and Share (EFSS) systems come in. From a security standpoint, the right EFSS system provides end-to-end encryption: on the server, in transit, and on any device.

However, as with many other technologies, the process of choosing the right EFSS system must begin with a clear understanding of the organisation’s use cases for the technology. Here are some key considerations for financial services organisations when choosing a secure EFSS system for their business:

  1. Robust data protection capabilities in compliance with market-specific regulatory requirements.
  2. Support for multiple authentication methods to enrol or verify both internal and external users across different environments.
  3. Flexible deployment or delivery options – cloud, on-premises, or hybrid.
  4. Administration support to assign roles, revoke access, and manage permissions and access rights for shared enterprise data.
  5. Seamless file synchronisation and sharing across all devices or platforms that have access to enterprise data.

As the modern enterprise evolves, corporate data will increasingly travel and reside across multiple devices and forms. Organisations that fail to provide an enterprise-grade, IT-controlled file sync and share solution run the risk of employees using an insecure platform or finding other workarounds. When this happens, the organisation loses visibility over how corporate data is being stored or shared. Deploying solutions that deliver advanced collaboration and security features without compromising compliance will allow FSI organisations to stay in control while ensuring productivity goals are met. In this way, they can also be confident that the risks associated with unstructured data are mitigated in the long run.