Finance sector vulnerable to insider threats as workers share passwords despite awareness of risks

A quarter of finance sector workers state they are frustrated with employer security policy, with one in ten admitting they actively attempt to circumvent it.

  • Wednesday, 3rd September 2014, by Phil Alsop

Workers in the finance sector in the US and UK are frustrated with the security restrictions their employers implement and have a higher tendency to flout policy than those in other industries, new research from security software specialists IS Decisions has revealed. Password sharing is more common than average in the finance sector, with just under a quarter (24%) sharing their work-related passwords. This is despite a higher majority than in any other sector (69%) acknowledging awareness that it represents a risk to their employer.


One quarter (25%) of finance sector employees are frustrated with their employer’s security policies, and 10% of those admit actively attempting to find workarounds.
These findings, which are revealed in IS Decisions’ new report ‘From Brutus to Snowden: a study of insider threat personas’, suggest that the strict policy restrictions often required in finance are causing widespread frustration, which in turn is leading to more common attempts to flout those restrictions.


Another area of particular concern in the finance sector is security policy around employee termination. A full 41% of finance sector workers claimed to have had access to a former employer’s data or systems after leaving a job, 5% higher than the cross-industry average of 36%.


When employees in finance were asked what might help motivate them to be more security conscious and not share passwords, the most common response (29%) was if sharing their login with someone else restricted their own access. Finance sector workers were also more likely than average (12% compared to 8%) to say that a better example set by management would encourage them to behave more responsibly.


François Amigorena, CEO of IS Decisions, said, “Naturally organisations in the financial sector are operating with especially sensitive data and frequently are required to be compliant with a number of regulatory requirements. And employees in the sector are more aware of security risks than in other industries. Yet, it seems that good awareness does not translate into good behaviour, with a higher propensity for bad practice such as password sharing and more common purposeful attempts at circumventing restrictions.


“Then the law sector’s poor record for following employee termination security process shows that while attention may be being paid to regulatory requirements, other security basics are being allowed to slip.


“The lesson here is that while regulations have to be adhered to, attention to detail is required. Users apparently understand that password sharing is a risk, yet they are still doing it; do they know why it’s a risk? Are their restrictions applied specifically to this behaviour? And importantly, are the senior people setting the right example?”