Security

FIs face data security threats from 3 perspectives

A recent report by Netskope Threat Labs highlights the 3 areas on which FIs should concentrate to avoid major threats:

More than 1 in 10 employees in financial services institutions have been found to be uploading sensitive data to personal applications, according to a research report by Netskope Threat Labs, the firm that analyzes defences against cloud threats affecting enterprises. The report reveals the scale of use of personal apps and GenAI within the sector and warns about the risk they pose to regulated data.

The firm’s research focused on 3 major aspects affecting the financial services sector – personal app use in the workplace, GenAI use and the evolution of social engineering to target employees in the sector.

USE OF PERSONAL APP

It found that 13% of financial services employees upload sensitive work data to personal apps, and that as much as 74% of personal app data policy violations involved uploads of regulated personal and financial data, with a further 11% involving intellectual property. LinkedIn, Facebook and Google Drive were at the forefront among applications that saw uploads of sensitive data. ChatGPT was also found to be one of the favorites.

The study said 83% of financial services organizations have controls to actively block their users from uploading data to personal apps – including controls that disallow uploading any data to certain personal apps or accounts. There are also more nuanced controls integrating other technologies, such as Data Loss Prevention (DLP) and real-time user coaching. DLP has long been popular for reducing personal app risk in the financial services sector, where it is used by 70% of organizations, ahead of the global average of 66%. Use of DLP for controlling GenAI has increased from 35% to 52% within the sector over the year.

95% OF FIRMS USE GENAI APPS

The research found that 95% of financial services firms use GenAI apps and ChatGPT was the most used. It said Microsoft Copilot experienced rapid growth throughout the year, as did Google Gemini, Anthropic Claude, writing assistant Quillbot, and the presentation assistant Gamma. Data policy violations involving GenAI apps impact intellectual property, regulated data and source code at a similar level (35%, 31% and 30% of policy violations respectively), the research revealed.

The study found that financial services organizations are still in the process of putting controls in place to reduce the risks associated with GenAI apps while their use continues to increase. “As much as 90% of organizations actively block at least one GenAI app, and the number of apps blocked per organization continues to grow,” the study said.

SOCIAL ENGINEERING THREATS

The study found that nearly 1.5 out of every 100 users in the financial services sector click on a phishing link or attempt to download malware each month. Of these, 9.8 out of every 1,000 users are tricked into downloading malware and 4.7 out of every 1,000 visit a phishing page.

Netskope said attackers are planting malware in popular business cloud apps workers in financial services are using every day. It cites code-sharing platform GitHub as the most popular cloud application for delivering malware to employees, followed by Google Drive.

The study also brought out that nearly half of the tracked phishing attacks mimicked cloud apps and banking institutions. Microsoft was the most commonly mimicked brand among cloud phishing attacks.

One of the worrying factors is that manipulating search engine rankings so that phishing pages appear in search results, a technique known as SEO poisoning, is becoming an effective way to trick financial sector workers into downloading malware, the study said.

The study said that while Netskope tracked a global increase in phishing over the past year, phishing rates in the financial services industry remained relatively stable; the rates in other industries have caught up with it.

DocuSign and Adobe baits were also frequently used to steal login credentials for various other services.

SOME POSITIVE POINTS

The study found that personal app use is lowest in banking, where only 8% of users regularly send data to personal apps.

Generative AI use is also lowest in the banking sector, where 8% of organizations have no GenAI use, only 5% of the user population regularly use GenAI apps, and organizations use 8 apps on average.

While social engineering is still prevalent in banking, users getting tricked into downloading malware (8.2 out of 1000) and visiting phishing sites (4.3 out of 1000) are lower than in finance and insurance.

The study suggests that financial services organizations should review their security posture to ensure that they are adequately protected against the 3 risks through:

· Inspecting all HTTP and HTTPS traffic (cloud and web) for phishing, malware and other malicious content.

· Ensuring that high-risk file types, like executables and archives, are thoroughly inspected using static and dynamic analysis before downloading.

· Blocking access to apps that do not serve any legitimate business purpose or pose a disproportionate risk to the organization.

· Blocking downloads from apps and instances not used in the organization, so that the risk is confined to those apps and instances that are necessary for the business.

· Using DLP policies to detect potentially sensitive information – including source code, regulated data, passwords and keys, intellectual property, and encrypted data – sent to personal app instances, GenAI apps, or other unauthorized locations.

· Regularly reviewing AI app activity, trends, behaviors and data sensitivity to identify risks to the organization and configure policies to mitigate those risks.

· Using an Intrusion Prevention System to identify and block malicious traffic patterns.

· Using a behavior analytics platform to identify hidden threats, like compromised devices, compromised accounts, and insider threats.

· Using Remote Browser Isolation technology to provide additional protection when visiting websites that fall into categories that can present a higher risk, like newly observed and newly registered domains.
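To make the DLP and "personal instance" recommendations above concrete, the following Python sketch is an added illustration (not Netskope's product, and not anything the report itself describes). It assumes a hypothetical upload-event format, a corporate tenant domain of examplebank.com, and simple pattern detectors for the data classes named in the report (payment card numbers validated with the Luhn checksum, cloud access keys, PEM private keys, source code). Uploads to a corporate instance are allowed; uploads of sensitive data to a personal instance are blocked; other personal-app uploads are allowed with real-time user coaching.

```python
"""Minimal DLP-style check for uploads to personal app instances.

Added illustration only: hypothetical event shape and detectors, not a real product's rules.
"""
import re

# Assumption: tenants the organisation owns; any other account is a "personal instance".
CORPORATE_DOMAINS = {"examplebank.com"}

# Illustrative detectors for the data classes the report names.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SOURCE_CODE_HINTS = re.compile(
    r"^\s*(?:import |from \S+ import |def \w+\(|#include\s*<|package \w+;)", re.M
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary 13-19 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return labels of the sensitive-data classes found in an upload payload."""
    found = []
    if AWS_ACCESS_KEY.search(text):
        found.append("credential:aws_access_key")
    if PEM_PRIVATE_KEY.search(text):
        found.append("credential:private_key")
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append("regulated:payment_card")
            break
    if SOURCE_CODE_HINTS.search(text):
        found.append("ip:source_code")
    return found


def destination_class(account: str) -> str:
    """Corporate vs personal instance of the same app, decided by the signed-in account."""
    domain = account.rsplit("@", 1)[-1].lower()
    return "corporate" if domain in CORPORATE_DOMAINS else "personal"


def evaluate_upload(event: dict) -> dict:
    """Policy: allow corporate instances, block sensitive data to personal ones, coach the rest."""
    findings = find_sensitive(event["content"])
    dest = destination_class(event["account"])
    if dest == "corporate":
        action = "allow"
    elif findings:
        action = "block"
    else:
        action = "coach"  # real-time user coaching: allowed, but the user is warned
    return {"user": event["user"], "app": event["app"], "destination": dest,
            "findings": findings, "action": action}


# Constructed sample events (hypothetical schema; the card number is a well-known test PAN).
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Google Drive", "account": "alice@examplebank.com",
     "content": "Q3 board pack, card on file 4111 1111 1111 1111"},
    {"user": "bob", "app": "Google Drive", "account": "bob.personal@gmail.com",
     "content": "Customer export\ncard 4111 1111 1111 1111\n"},
    {"user": "carol", "app": "ChatGPT", "account": "carol@gmail.com",
     "content": "import boto3\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\ndef upload():\n    pass\n"},
    {"user": "dave", "app": "LinkedIn", "account": "dave@gmail.com",
     "content": "Open to new opportunities, ticket ref 1234567890123456"},
]


def run(events=SAMPLE_EVENTS) -> list[dict]:
    """Evaluate every event and return the decisions."""
    return [evaluate_upload(e) for e in events]


if __name__ == "__main__":
    for decision in run():
        print(decision)
```

The point of the `destination_class` split is that the same application (Google Drive here) is both a sanctioned corporate tool and a personal upload channel; the policy has to key on the account or instance, not the app name. The Luhn check is what keeps an ordinary 16-digit reference number from being flagged as a card.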

mohan@bankingfrontiers.com

Copyright © Glocal Infomart Pvt Ltd. All rights reserved. Usage of content from website is subject to Terms and Conditions.