Financial Organisations 13% More Likely to Suffer a Ransomware Attack Than Other Sectors, Finds Thales Data Threat Report

  • 30.11.2023 12:50 pm

Thales today released the latest iteration of the 2023 Thales Data Threat Report – Financial Services edition. This year’s report finds much higher levels of credential-based attacks in this sector than the average enterprise (56% versus 42%), with greater concerns around ransomware, quantum computing and even human error leading to breaches.

Nearly half (47%) of IT professionals across all sectors surveyed believe that security threats are increasing in volume or severity with 48% reporting an increase in ransomware attacks. More than a third (37%) experienced a data breach last year, with over a fifth (22%) reporting that their organisation had been a victim of a ransomware attack.

Financial services respondents identified third-party attacks (58%), along with infrastructure compromise and credential compromise (both 56%), as the top three types of cloud infrastructure attack in which they are seeing an increase.

These are just a few of the financial services insights from the latest Thales Data Threat Report, conducted by 451 Research. The annual report looks at the latest data security threats, trends and emerging topics based on a survey of nearly 3,000 IT and security professionals in 18 countries, of which 140 were financial services companies.

Human error and the impact of ransomware

Simple human error, misconfiguration or other mistakes can accidentally lead to breaches – and respondents identified this as the leading cause of cloud data breaches. Human error is seen as the greatest security threat amongst financial services organisations, with 79% selecting it and almost a third of those ranking it as their top threat (30%). It’s also the leading cause of cloud data breaches within this sector, to a greater degree than average (61% versus 55%), while vulnerability exploitation is a distant second at 22%.

Meanwhile, the severity of ransomware attacks across all types of organisations appears to be declining, with 35% of 2023 respondents reporting that ransomware had a significant impact, compared to 44% of respondents reporting similar levels of impact in 2022. Spend is moving in the right direction, too, with 61% reporting they would shift or add budget for ransomware tools to prevent future attacks – up from 57% in 2022 – yet organisational responses to ransomware remain inconsistent. Only 49% of enterprises reported having a formal ransomware response plan, while 67% still report data loss from ransomware attacks.

Addressing the challenges of digital sovereignty

Digital sovereignty is becoming more top of mind for data privacy and security teams. Overall, the report found that data sovereignty remains both a short- and long-term challenge for enterprises, but the concerns of those in financial services were slightly lower than average (77% versus 83%). This may be an indication that regulatory requirements have already pushed them to implement data controls that can address digital sovereignty requirements. Almost half of respondents across the financial services sector (44%) consider full data encryption to be an acceptable measure to achieve various levels of digital sovereignty – 5% higher than average.

More sensitive data is being encrypted, but only 46% of this kind of data in the cloud is encrypted on average by financial services organisations, suggesting there is still a great deal of progress to be made. More of these types of organisations at least control all their own encryption keys (21% versus 14%), suggesting a higher level of confidence in their data protection capabilities and again likely a result of additional regulatory requirements. Financial services organisations also have an above-average deployment of strong MFA, with a significant increase in adoption moving from 62% in 2021 to 71% this year.

Emerging threats from quantum computers that could attack classical encryption schemes are also a cause for concern for organisations across all sectors. The report found that Harvest Now, Decrypt Later (“HNDL”) and future network decryption were the greatest security concerns from quantum computing – with 62% and 55% reporting concerns respectively. While Post Quantum Cryptography (PQC) has emerged as a discipline to counter these threats, the report found that 62% of organisations have five or more key management systems, presenting a challenge for PQC and crypto agility.

Chris Harris, EMEA Technical Associate Vice President, Data Security Products at Thales, comments: “Enterprises continue to see a serious threat landscape, and for the financial services sector in particular, they’re both seeing and experiencing even more ransomware attacks than the average. Our findings indicate good progress is being made in certain areas, including MFA adoption and increased use of data encryption, and the financial services sector is ahead of average progress in certain areas. However, there are still a lot of security gaps regarding data visibility. Four in five (79%) FS organisations ranked human error as their greatest security threat, something which is exacerbated by a lack of visibility.

“In an increasingly cloud-first world, organisations must maintain better control over their data so they can serve their stakeholders with greater safety and trust. Few other sectors rely on trust as fundamentally as the financial services, making this additionally important. As data sovereignty and protection regulations around the world tighten, data protection needs to become simpler to manage, with better automation and consolidated management.”
