Users should be at heart of FCA or PCI compliance strategy

Financial services is one of the most heavily regulated industries, and it’s easy to see why. Financial data is naturally sensitive, and is frequently of great interest to would-be criminals. Financial services firms, big and small, deal with all kinds of data — from personal payment card numbers to the workings of publicly listed companies — and are responsible for safeguarding this information.

Given the importance of this data, employees simply must adhere to strict security practices. But when employees are human, mistakes happen. Employees forget to log off, leaving a computer unattended for an unauthorised person to take advantage. Employees share passwords with others without thinking of the security consequences. Lax user security is often the root cause of some of the biggest external security breaches — especially when passwords fall into the wrong hands.

The Financial Conduct Authority’s (FCA) “Financial crime: a guide for firms” part 1 and part 2 go a long way to providing guidance for financial companies in addressing user security, with a comprehensive set of security standards. And for those companies that handle cardholder data, PCI DSS provides requirements that are equally if not more granular.

However, the current level of compliance to the FCA’s requirements and PCI DSS in the UK is significantly below satisfactory levels. Research from global IT security company IS Decisions has found that financial companies up and down the country are flouting user security requirements left, right and centre — and therefore putting sensitive information at risk.

Here’s what we found against specific requirements from the FCA and PCI DSS. Make sure you don’t fall into the same trap.

Insufficient training

Chapter 6.2 in the FCA’s Financial crime: a guide for firms, part 2 document has a section dedicated to training and awareness and what organisations should do. PCI DSS has ramped up the importance of training as of June 2015 by making it a specific requirement rather than best practice. But despite the rising importance, a whopping 51 per cent of workers do not receive security training as part of their induction when they join — and just 37 per cent receive ongoing training.

Lack of security policies

In addition to training employees, the FCA states that firms must have up-to-date policies in place, and procedures relating to risks of financial crime which should be readily accessible, effective and understood by all relevant staff.

The 12th and final Requirement of PCI DSS is dedicated entirely to maintaining “a policy that addresses information security for all personnel.” Security policies and procedures must “clearly define information security responsibilities for all personnel” and organisations must “review their security policy at least annually.” However, just 57 per cent of those in the UK are even aware of the existence of a documented information security policy in their organisation.

Poorly conducted employee background checks

The FCA clearly identifies background checks as good practice, especially if staff are in high-risk roles, taking on a temporary position or are working in employment agencies. But our research shows that the majority (66 per cent) of financial services are not aware whether or not their organisation performs employee background checks. It might be that checks are in place in some portion of these.

Unawareness of security procedures

The FCA recommends that organisations perform regular internal audits that review data security covering “all relevant areas of the business including IT, HR, training and awareness, governance and third-party suppliers.” However, just 26 per cent of UK employees are aware that their company regularly produces security audit reports. This figure only reports awareness, so the actual figures of whether companies do produce documented security policies or audits may be higher — but if that’s the case, then senior management isn’t communicating procedures with employees effectively, which is a worry in itself.

Policy communication with everyone in an organisation helps reinforce the importance of security and may even dissuade malicious activity from those who realise they may get caught.

Lack of unique user login credentials

A specific requirement of both the FCA and PCI DSS, employees must use unique user logins to access the networks, so individual users are easily identifiable. and this is only possible by ensuring their network access is via a login. Furthermore, employees must not share logins.

It might seem like a basic requirement, but nearly a quarter (24 per cent) of finance workers do not have a user login to access their employer’s network. A third (33 per cent) do not have a unique username and password for access, suggesting that 9 per cent do log in, but using shared details — which is almost as insecure as not having logins at all.

Unrestricted data access

The FCA supports the need for financial organisations to ensure that they have procedures in place to ensure that employees can only access information that they need to. Our research shows that 83 per cent think that the data they have access to is necessary for their role. However, it was worrying to see that 14 per cent believe that they have a level of access that is greater than necessary.

Ex-employees access to data

PCI DSS leaves no room for interpretation when it comes to different employee roles within an organisation. Requirement 7.1 states “Limit access to system components and cardholder data to only those individuals whose job requires such access.” So when employees move roles, organisations must adjust access rights accordingly. And for exiting employees, Requirement 8.3.1 states that administrators must “revoke access for any terminated users” and ensure that “all physical authentication methods — such as, smart cards, tokens, etc. — have been returned or deactivated.”

Research showed that only 34 per cent of organisations have the ability to set and manage temporary access rights. And when employees move within a company, just 27 per cent review and adapt access rights. The most worrying finding of all though is that 48 per cent do not immediately revoke access rights when employees leave — leaving a massive window of opportunity for an ex-employee to steal sensitive information.

When respondents were asked if they had access to their previous employer’s networks post-employment, 9 per cent said yes and only 67 per cent of employees underwent a formal de-registration process before leaving.

What you can do

Technology only forms part of the security answer. Companies also need to implement effective IT security training programmes and ensure that processes are in place to safeguard data. While navigating PCI and FCA requirements can be a real headache, IS Decisions has put together a helpful checklist that can help you address compliance and user security.

Make sure you can demonstrate your compliance strategy at a much higher level than your competitors.

François Amigorena, CEO, IS Decisions

Image source: Shutterstock/donskarpo