The Financial Sector’s Data Crisis: Why “Basic” Failures Are Fueling Advanced Threats

Jóhanna Guðmundsdóttir

November 10, 2025

The latest numbers are brutal.

According to new data highlighted by SecureWorld, 82% of financial services organizations suffered a data breach or leak in the past 12 months. That’s staggering.

But here’s the kicker. 43% of incidents were linked to stolen or improperly managed devices and drives. No sci-fi 0-day attack tales here. This is a story about laptops walking out the door, disks not being wiped, unneeded data piling up, and the practical failure of policies that looked good on paper. Buckle up! Afraid of the regulatory lingo that might be in a blog of this nature? Fear not, for we have a jargon library at the end of this post to help you get safely through that jungle.

Dear choir: we’re still losing to basics

For customers, regulators, and boards, there is no difference between “operational” and “cyber” failures. It’s all security, and it’s all trust.

SecureWorld drew out some harsh truths from the Blancco 2025 Financial Services State of Data Sanitization Report, particularly for banks, credit unions, fintechs, and trading firms:

  1. Endpoints are a liability, not an afterthought.
    Stolen or redeployed devices remain a major breach vector. Too many assets leave secure environments without verifiable, standards-based data sanitization.

  2. ROT (Redundant, Obsolete, and Trivial) data is rotting through your risk budget.
    The AI projects that all materialized so suddenly, and the historic archives that came with them, generate massive volumes of Redundant, Obsolete, and Trivial (ROT) data that extend your attack surface and complicate your GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), and other regulatory obligations.

  3. The right standards exist but they aren’t enforced.
    We already have the NIST SP 800-88 (Guidelines for Media Sanitization) and IEEE 2883 standards (Standard for Sanitizing Storage) for secure data erasure. Yet their adoption remains low, which is a classic governance decision, not a technology gap.

Security leaders know all this. Yet incidents keep happening.

Why? Because most security programs are still optimized for “keep them out”, while attackers have already shifted to “use what’s already inside”: valid accounts, trusted devices, unexpired tokens, remote access tools, and legitimate workflows. We already see this shift in the data: BitDefender reported in May 2025 that across the 700,000 cyberintrusions they analyzed, attackers used such living-off-the-land techniques 85% of the time. Our own systems are being turned against us.

This is exactly where Keystrike comes in.

From perimeter thinking to presence assurance

At Keystrike, we begin from a brutal assumption:

The attacker is already inside your environment, with a valid account, a trusted device, or a foothold on a critical system.

If that assumption scares you, good. It should. Traditional controls only protect the perimeter of the network. Keystrike secures every session and user action in real time, ensuring that behind every action there is physical intent. This is the epitome of zero trust.

Keystrike Core Protector is built for this “post-breach, pre-disaster” window. Instead of only checking who logs in, we continuously verify that every keystroke and session truly originates from a human physically present at the endpoint, and not from:

  • Remote desktop abuse, such as fake Help Desk calls

  • VPN or RDP jump hosts that have been compromised

  • Stolen laptops with cached credentials

  • Scripted input or malware-generated keystrokes

That’s pretty powerful. For an attacker targeting a financial institution, this means:

  • A stolen or cloned device is not enough.

  • A phished password is not enough.

  • A hijacked session is not enough.

  • An “approved” tool running on an “approved” machine is not even enough — unless there is physical intent behind it.

We call this inside-out security: turning the physical presence of an authenticated user into a high-assurance security control. This is a security signal and access control like no other that we have today. Just think about it.

Closing the gaps highlighted by the data crisis

To learn from the SecureWorld findings and take practical actions, there are two main lessons here for financial CISOs.

1. Fix device and data lifecycle (improve the hygiene)

  • Enforce NIST SP 800-88 / IEEE 2883 compliance, and sanitize all data-bearing assets.

  • Implement auditable IT Asset Disposition (ITAD), including a chain-of-custody.

  • Aggressively reduce ROT data, an effort that aligns with data minimization obligations.

These steps are non-negotiable. But even they are insufficient.
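One way to make the “auditable” part of ITAD concrete is a hash-chained chain-of-custody ledger: every event for a retired asset (inventoried, transferred, sanitized, certified, disposed) is appended with the hash of the previous entry, so an edited or deleted record breaks the chain, and an audit pass checks that no asset was disposed of without a sanitization method adequate for its data sensitivity and without a certificate. This is an added example written for this post; it is not Keystrike’s, Blancco’s, or any ITAD vendor’s code. The workflow stages, the mapping from data sensitivity to a minimum NIST SP 800-88 category (Clear, Purge, Destroy), and the sample asset tags and events are all constructed assumptions.

```python
"""Hash-chained chain-of-custody ledger for retired data-bearing assets.

Added example; not Keystrike's or Blancco's code. Asset tags, event names,
the stage order and the sensitivity-to-method mapping are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Stages a retired asset must pass through, in this order (assumed ITAD workflow).
REQUIRED_ORDER = ["inventoried", "transferred", "sanitized", "certified", "disposed"]

# NIST SP 800-88 names three sanitization categories: Clear, Purge, Destroy.
# Which category is acceptable for which sensitivity is an assumption of this
# example; a real policy derives it from the organization's data classification.
METHOD_RANK = {"clear": 1, "purge": 2, "destroy": 3}
MIN_METHOD_FOR = {"low": "clear", "moderate": "purge", "high": "purge"}

GENESIS = "0" * 64  # previous-hash value for the very first ledger entry


@dataclass(frozen=True)
class Event:
    asset_tag: str
    action: str
    actor: str
    details: Dict[str, str]
    prev_hash: str

    def digest(self) -> str:
        """SHA-256 over canonical JSON of the event, including the previous hash."""
        payload = json.dumps(
            [self.asset_tag, self.action, self.actor, self.details, self.prev_hash],
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class CustodyLedger:
    """Append-only, hash-chained record of what happened to each asset."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.hashes: List[str] = []

    def record(self, asset_tag: str, action: str, actor: str, **details: str) -> str:
        prev = self.hashes[-1] if self.hashes else GENESIS
        event = Event(asset_tag, action, actor, dict(details), prev)
        self.events.append(event)
        self.hashes.append(event.digest())
        return self.hashes[-1]

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or removed event breaks the chain."""
        prev = GENESIS
        for event, stored in zip(self.events, self.hashes):
            if event.prev_hash != prev or event.digest() != stored:
                return False
            prev = stored
        return True

    def audit_asset(self, asset_tag: str, sensitivity: str) -> List[str]:
        """Findings for one asset: missing or out-of-order stages, weak sanitization."""
        findings: List[str] = []
        actions = [e.action for e in self.events if e.asset_tag == asset_tag]
        for stage in REQUIRED_ORDER:
            if stage not in actions:
                findings.append(f"{asset_tag}: missing stage '{stage}'")
        present = [a for a in actions if a in REQUIRED_ORDER]
        expected = [s for s in REQUIRED_ORDER if s in present]
        if present != expected:
            findings.append(f"{asset_tag}: stages out of order {present}")
        required = MIN_METHOD_FOR[sensitivity]
        for e in self.events:
            if e.asset_tag == asset_tag and e.action == "sanitized":
                method = e.details.get("method", "")
                if METHOD_RANK.get(method, 0) < METHOD_RANK[required]:
                    findings.append(
                        f"{asset_tag}: method '{method}' below '{required}' required for {sensitivity} data"
                    )
        return findings


def build_sample_ledger() -> CustodyLedger:
    """Constructed sample: one correctly handled laptop and one mishandled drive."""
    ledger = CustodyLedger()
    ledger.record("LAPTOP-0001", "inventoried", "it-ops", location="branch-12")
    ledger.record("LAPTOP-0001", "transferred", "courier", to="itad-vendor")
    ledger.record("LAPTOP-0001", "sanitized", "itad-vendor", method="purge", standard="NIST SP 800-88")
    ledger.record("LAPTOP-0001", "certified", "itad-vendor", certificate="COE-0001")
    ledger.record("LAPTOP-0001", "disposed", "itad-vendor", outcome="recycled")
    ledger.record("DRIVE-0002", "inventoried", "it-ops", location="datacentre-a")
    ledger.record("DRIVE-0002", "transferred", "courier", to="itad-vendor")
    ledger.record("DRIVE-0002", "sanitized", "itad-vendor", method="clear", standard="NIST SP 800-88")
    ledger.record("DRIVE-0002", "disposed", "itad-vendor", outcome="resold")  # no certificate issued
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify_chain())
    for tag, level in [("LAPTOP-0001", "high"), ("DRIVE-0002", "high")]:
        for finding in ledger.audit_asset(tag, level) or [f"{tag}: no findings"]:
            print(finding)
```

Run as a script, the drive is flagged twice: it was only cleared although it held high-sensitivity data, and it was resold without a certificate. Changing the recorded method after the fact makes `verify_chain()` return False, which is the property a regulator or board asking “where did this device go?” actually needs.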

2. Assume breach, then block abuse of “trusted” access

Traditional banking security stacks protect the perimeter but leave sessions and transactions exposed. Credential theft, session hijacking, and workstation breaches easily bypass multifactor authentication (MFA) and endpoint detection and response (EDR) tools, putting transactions and sensitive data at risk.

What if financial institutions could secure the part attackers rely on most: the valid, trusted, already-inside access? In other words, what if we could continuously authenticate every input to prevent exploitation by today’s and tomorrow’s attackers?

That’s what Keystrike does. 

Here is how Keystrike’s Core Protector strengthens your security posture:

  • Protect high-value transactions and privileged actions. Require strong presence assurance for core banking, trading, treasury, payment operations, and admin consoles.

  • Nip rogue sessions and fraud in the bud. Detect when sessions are hijacked or automated, even if they appear “legitimate” on the surface.

  • Defend critical infrastructure and improve regulatory alignment. Support a zero-trust, “assume breach” model that complements PCI DSS, SOC 2, NIS2/DORA-style expectations, and internal control frameworks.

Financial CISOs, you have a new mandate

The data crisis in finance no longer revolves only around sophisticated malware or exotic exploits with some AI spice added in. Succinctly, the problems are:

  • Basic failures in device and data lifecycle.

  • Over-collection and under-deletion of sensitive data.

  • Blind trust in endpoints, sessions, and users that “look fine”.

If you’re ready to treat “who is really at the keys?” as a core control, rather than an afterthought, then the Keystrike Core Protector becomes your last line of defense.

Book a 20-minute session with our team to map how our presence assurance fits into your financial security stack and regulatory landscape.

Sources:

secureworld.io

https://thehackernews.com/expert-insights/2025/05/living-off-land-what-we-learned-from.html

https://blancco.com/resources/rs-financial-services-data-sanitization-report/


Jargon Library

GDPR 

General Data Protection Regulation

The EU (and EEA) law that governs how organisations handle personal data of individuals in the EU/EEA. That is, if you collect or process information that can identify a person (customer, employee, user), GDPR tells you what you’re allowed to do, what you must protect, and what rights that person has.

IEEE 2883

The IEEE Standard for Sanitizing Storage (IEEE 2883-2022). It’s a modern, technical standard that tells you how to securely erase data from today’s storage devices so it can’t be recovered, even with advanced forensics.

ITAD

Auditable IT Asset Disposition

The controlled, documented process for retiring, redeploying, recycling, or destroying laptops, servers, drives, and other hardware in a way that guarantees data is securely removed. With “Auditable” you can prove every step: asset inventory, chain of custody, NIST SP 800-88 / IEEE 2883-compliant sanitization or destruction, vendor controls, and certificates. So if a regulator, customer, or board asks, you can show exactly where each device went and that no data walked out the door.

NIST SP 800-88 

The “Guidelines for Media Sanitization”, the standard that tells you how to properly wipe, purge, or destroy data from drives and devices so it cannot be recovered. It is published by NIST (US), but used globally as a best practice. NIST SP 800-88 helps organisations decide how to sanitize different types of media (laptops, servers, SSDs, mobile devices, tapes, etc.) based on how sensitive the data is.

PCI DSS 

Payment Card Industry Data Security Standard

The global security standard that applies to any organization that stores, processes, or transmits payment card data (Visa, Mastercard, AmEx, etc.). It can be seen as a rulebook created by the major card brands (via the PCI Security Standards Council) to reduce card fraud and protect cardholder data.

ROT

Redundant, Obsolete, and Trivial

Redundant, Obsolete, and Trivial (ROT) data is information that’s duplicated, outdated, or low-value (like temp files, old drafts, or irrelevant logs). It bloats storage, hides real risks, and expands your attack surface without adding any business value.
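Reducing ROT data (the “aggressively reduce ROT” step in the lessons above) starts with finding it, and the three categories map to three simple checks: redundant means byte-identical copies, obsolete means untouched for longer than the retention window, and trivial means scratch files nobody meant to keep. The scanner below is an added example written for this post, not code from Keystrike, Blancco, or SecureWorld; the one-year staleness threshold, the suffixes treated as trivial, and the sample directory it builds are all constructed assumptions to be replaced by your own retention policy.

```python
"""Inventory of Redundant, Obsolete and Trivial (ROT) files in a directory tree.

Added example; not from the original post or any vendor. The threshold, the
"trivial" suffixes and the sample tree are assumptions for illustration.
"""
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 365                                # assumption: untouched for a year
TRIVIAL_SUFFIXES = (".tmp", ".bak", "~", ".swp")      # assumption: scratch/editor files
CHUNK = 1 << 20                                       # hash 1 MiB at a time


@dataclass
class RotReport:
    redundant: Dict[str, List[str]] = field(default_factory=dict)  # sha256 -> 2+ paths
    obsolete: List[str] = field(default_factory=list)
    trivial: List[str] = field(default_factory=list)
    reclaimable_bytes: int = 0  # bytes freed by keeping one copy of each duplicate set


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large archives don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_rot(root: str, now: Optional[float] = None,
             stale_after_days: int = STALE_AFTER_DAYS) -> RotReport:
    """Walk `root` and classify files as redundant, obsolete and/or trivial."""
    now = time.time() if now is None else now
    cutoff = now - stale_after_days * 86400
    by_content = defaultdict(list)  # (size, sha256) -> paths; size short-circuits nothing here but keys stay readable
    report = RotReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if name.endswith(TRIVIAL_SUFFIXES):
                report.trivial.append(path)
            if st.st_mtime < cutoff:
                report.obsolete.append(path)
            by_content[(st.st_size, sha256_of(path))].append(path)
    for (size, digest), paths in by_content.items():
        if len(paths) > 1:
            report.redundant[digest] = sorted(paths)
            report.reclaimable_bytes += size * (len(paths) - 1)
    report.obsolete.sort()
    report.trivial.sort()
    return report


def make_sample_tree() -> str:
    """Constructed sample data: a duplicate statement, a stale ledger and a temp file."""
    root = tempfile.mkdtemp(prefix="rot-demo-")

    def write(rel: str, data: bytes, age_days: int = 0) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if age_days:  # back-date the modification time to simulate an old file
            old = time.time() - age_days * 86400
            os.utime(path, (old, old))

    write("statements/2024/q1.csv", b"acct,amount\n1,100\n")
    write("archive/backup/q1-copy.csv", b"acct,amount\n1,100\n")            # redundant
    write("archive/2019/ledger.csv", b"acct,amount\n7,300\n", age_days=2000)  # obsolete
    write("tmp/export.tmp", b"scratch")                                      # trivial
    write("reports/current.pdf", b"%PDF-1.4 placeholder, unique content")
    return root


if __name__ == "__main__":
    report = scan_rot(make_sample_tree())
    for digest, paths in report.redundant.items():
        print("redundant", digest[:12], paths)
    print("obsolete", report.obsolete)
    print("trivial", report.trivial)
    print("reclaimable bytes from duplicates:", report.reclaimable_bytes)
```

The report is an inventory, not a deletion list: a file can be both obsolete and part of a duplicate set, and a stale file may still be under a legal hold, so the next step is a review against retention and minimization obligations before anything is sanitized.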
