Cloud data vaulting services have become increasingly prevalent in the financial services market, especially with the growing digitalisation of customer transactions and low tolerance for downtime. However, are the risks posed by holding sensitive data in cyberspace being properly addressed?
In response to a freedom of information request, the Information Commissioner’s Office (ICO) revealed that the financial sector attracted 33 per cent of all financial penalties for data breaches during 2015-16. Shockingly, financial firms accounted for only 6 per cent of the total number of incidents reported.
Clearly the financial impact of a breach is more severe in the financial services vertical than in others, and managers and executives in the industry are well aware of cybersecurity risks. In a Cloud Security Alliance survey [PDF] on how financial services firms are using the cloud, 100 per cent of respondents had security concerns about cloud adoption. Their top concerns were data governance, compliance issues, data confidentiality, data breach and data loss – and rightly so.
To prevent the likelihood of a costly data breach, financial services firms should take the following measures to address concerns surrounding data in the cloud.
Consider specific compliance requirements
Regulations and operational standards such as PCI-DSS, EU Data Protection Regulation and ISO have strict requirements for data handling, including guidelines for data availability, privacy and the right to be forgotten.
Disaster recovery as service (DRaaS) can help make electronic records easily accessible by automating data vaulting processes. DRaaS can help fulfil other compliance requirements as well, as long as the solutions provider is able to adhere to strict security guidelines, including but not limited to the following:
- Encryption of data in transit and at rest
- Compliance with BCI standards
- 24/7 data centre monitoring and employee background checks
- Transparency about where data stored in the cloud is transferred (some compliance obligations restrict the flow of data across EU borders).
Protect the perimeter
To thwart a cyber attack, the perimeter of an organisation’s network must be protected at all entry points, including servers, computers and employee devices. The following tools are essential to comprehensive protection:
- Firewalls and sophisticated unified threat management (UTM) devices
- File-level anti-virus
- Intrusion detection and prevention
- Deep packet inspection
- Port scanning and protocol inspection
- Perimeter anti-virus and malware blocking
As a managed services provider (MSP), we at IT Specialists (ITS) have noticed that financial services organisations often lack the internal IT resources required to keep firewalls up to date and provide the protection required. Our response to this challenge was to create a managed firewall service, BlackVault Guardian. Having an MSP assist in this area allows internal IT teams to spend less time managing equipment and system settings, which mitigates the odds of a firm being breached due to out-of-date network security tools.
Ensure recovery of systems and data
Considering the sensitive nature of the data financial services organisations handle, they must be able to recover their critical data after a cybersecurity incident – especially following a ransomware incident in which the data is held hostage for ransom. Paying the ransom should be avoided, as this approach only encourages criminals and there’s no guarantee they will grant access to the data after the ransom is paid.
Organisations often assume that data and systems stored in the cloud are automatically recoverable. That’s not necessarily true, however. The IT environment might indeed be accessible in the cloud, but depending on the solution, technical factors such as bandwidth limitations can make it impossible to recover data within the required time frames.
Any cloud vendor a firm works with should provide a service level agreement (SLA) that holds the service provider contractually responsible for restoring critical data and systems within a specified time to minimise effects on business operations.
Evaluate BYOD practices
Research shows security is sorely lacking for bring-your-own-device (BYOD) practices – a fact that’s concerning, considering that 95 per cent of UK organisations permit BYOD. To take control of corporate data and reduce the risk of insider threats, it’s imperative that financial organisations have a BYOD policy that addresses the following issues:
- Data security
- Remote management
- Data transfer
- Data wipe and technical support (office- or field-based).
Reviewing this policy with a third party, such as an IT managed services provider experienced in BYOD policy development, can help ensure the policy is comprehensive enough to mitigate risks unique to the organisation.
Financial services organisations are well aware of the need for cybersecurity to protect their data in the cloud. Unfortunately, the numbers reveal that awareness is not enough. Firms need to be proactive about ensuring the way they manage data fulfils compliance requirements, which will include implementing solutions to protect the perimeter, ensure recoverability of systems and data, and enforce security for BYOD.
By Matt Kingswood, Head, ITS UK