
Corporate Files Of Wealth Managers Are Soft Targets For Hackers, Firm Warns

James Heale

28 March 2016

(This news report draws on examples from a number of jurisdictions around the world so we hope readers in all our news outlets find this valuable.)

The corporate files of banks and wealth managers - as well as many other forms of business - are greatly exposed and vulnerable to cyberattacks, a US software firm says as a result of extensive tests. 

New York-based Varonis has published the findings of risk assessments conducted for potential customers based on a limited subset of their file systems. The results show an average of 9.9 million files per assessment were accessible by every employee in the company, a vast level of exposure that leaves a company vulnerable to hackers stealing its data.

The average company had four million folders, comprising 35.3 million files. Of these, 9.9 million files (28 per cent) were open to all network users, whilst 2.8 million folders (70 per cent) contained data untouched for the previous six months. Moreover, of the 25,000 user accounts examined, 7,700 (31 per cent) were “stale”, having not been logged into for the past 60 days, it said.

Speaking to this publication, David Gibson, Varonis' vice president of strategy and market development, warned of the dangers this exposure posed to the financial sector. “Banks and wealth management firms are no different from other industries; many have failed to focus their cyber security efforts on the assets they need to protect – the huge volumes of data they store,” he said.

“If employees have access to far more data than they need, it’s a big problem. If the firm isn’t watching and analysing how employees are using all that data to spot breaches, it’s a huge problem. Many financials have tackled this problem successfully by monitoring and analysing use to spot breaches, mapping their data stores and locking down sensitive and stale data before it falls into the wrong hands,” Gibson continued.

The report’s findings come at a time when banks have begun to recognise the importance of cyber security. Between the first half of 2013 and the second half of 2015, the Bank of England's systemic risk survey, for example, found that the number of firms that viewed cyber-attacks as a top-five security threat rose from 1 per cent to 46 per cent. Such findings have been influenced by recent high-profile cyber-attacks such as those on the US Inland Revenue last month and Standard Chartered last November. Such attacks come at a heavy price, with the Centre for Strategic and International Studies calculating that cybercrime costs the global economy $575 billion a year. In 2014 JP Morgan suffered a data breach that affected 76 million accounts. On another measure of the impact on JP Morgan, the Ponemon Institute estimated that a data breach costs an average of $154 per record, suggesting the bank lost $12.7 billion in just one attack.

Consequently, cyber-security has become a fast-growing business, with firms eager to adopt the latest defences against hackers. Gartner estimates global spending on IT security is set to increase from $71 billion in 2014 to $109 billion by 2020, with the London Stock Exchange welcoming the first exchange traded fund tracking the cyber security industry to list on its markets last September. Subsequently, cyber security experts are typically earning around £750-£1,000 a day, with Richard Beck, head of cyber security at QA, recently commenting that “demand for cyber security professionals is set to outstrip supply by a third before the end of decade”.


The UK government has said it aims to do more to deal with the increased threat of cyber hacking, with George Osborne, finance minister, committed to raising government spending on cyber security to £1.9 billion by 2020. The creation of the new National Cyber Security Centre is moreover expected to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively. One of the government’s programmes is called Action Fraud.

However, Alan Sheeley of Pinsent Masons has his doubts about UK initiatives: “The concern I have is that this will become another Action Fraud where this organisation also becomes inundated with calls and claims and are unable, due to resources, to actively investigate the cyber-attacks and pursue the perpetrators”.

In other regions of the world, cybercrime is also a concern. In Hong Kong, for example, the regulatory authorities have frequently warned the public about fake bank websites that are designed to grab people’s login and password details. In September last year, the Hong Kong Monetary Authority said there had been 17 reported cases of distributed denial-of-service attempts in that year at the time of the report. Breaches had included Kowloon Global, a wealth manager, and Public Bank, of Malaysia.