UK financial institutions “unaware” of third party risks posed by open banking

Identity and access management solutions specialist Bomgar has launched its 2018 Privileged Access Threat Report. The global survey explores the visibility, control and management that IT organisations in the US and Europe have over employees, contractors and third party vendors with privileged access to their IT networks.

According to the report, formerly called the ‘Secure Access Threat Report’, 72% of UK financial services firms are unsure as to whether they had possibly or definitely suffered a breach due to third party access, while 69% also said they had possibly or definitely suffered an insider related breach in the last year.

With the advent of open banking, the perimeter of a bank’s sensitive data has now extended outside of its own internal network. That being so, financial institutions need to make their customers’ information available through a whole host of third party providers.

In fact, the research highlights that 72% of UK financial organisations have seen an increase in the vendors that they work with in the past year. This is alarming when compared to the finding that the same number of UK financial organisations claimed that they could have experienced a breach due to third party access in the last 12 months.

In addition to this uncertainty, 69% of UK financial services firms admitted to having already suffered a serious information security breach or expect to in the next six months due to third party access and insider threats.

Despite this, Bomgar’s research discovered that financial services is the most trusting industry when it comes to network access, with 48% of these organisations claiming that they completely trust third party vendors. This is interesting as financial services was also found to be the most likely industry to experience an insider or third party breach in the last year compared to the other industries analysed in the research, which included the manufacturing, healthcare, telecoms, Government and professional services sectors.

Dangers should not be underestimated

“The dangers that vendors and other third parties present to the financial services industry shouldn’t be underestimated,” commented Stuart Facey, vice-president of EMEA at Bomgar. “More worrying, though, is that financial institutions seem unaware of the root cause of the threat. The unpredictability of these third parties puts businesses at increased risk. They often have a high level of privileged access to internal networks and sensitive information over which financial services organisations have poor visibility and control, potentially leaving a key attack vector unsecured. Third parties may also have a poor cyber security posture.”

However, a large part of this risk sits with the organisations themselves. The report finds that 69% rely on third party vendors too heavily, while 76% admit that having cultures that are too trusting of partners poses an active risk to their business.

“Following on from the Equifax breach, financial institutions need to realise the fiscal and reputational implications that these incidents can have and assess how much access they give to third parties that operate within their network,” stated Facey. “With open banking on the rise, the risks that come from sharing data and network access to an ever-expanding list of partners are only going to grow.”

The report does show that some organisations are managing these risks with a privileged identity and access management (PIM/PAM) solution. These same organisations experience less severe security breaches and have better visibility and control than those that use manual solutions or no solution at all.

In fact, less than half (34%) of organisations using PIM/PAM experienced a serious breach or expect to in the next six months. This compares to 66% of those without control of their privileged users.

Technology and automated processes

“As the vendor ecosystem grows, organisations need to accept that the way to mitigate risks is by managing privileged accounts through technology and automated processes that not only save time, but also provide visibility across the institution’s whole network,” concluded Facey. “By implementing cyber security policies and solutions that also speed business performance, organisations can begin to seriously tackle third party risks.”

*1,021 key decision-makers with visibility over the processes associated with enabling internal users and external parties to connect to their systems completed the survey in February. Those surveyed were all IT professionals across operations, IT support/Helpdesk, IT security, compliance and risk or network/general IT roles. Respondents were from a range of industries, including manufacturing, finance, professional services, retail, healthcare, telecoms and the public sector. The survey was conducted across the UK, the United States, Germany and France.


About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
