In recent years, the financial services industry has been shaken by a string of public cyber attacks targeting high-street names such as Tesco Bank, Equifax and Lloyds.
With financial data being one of the most sought-after and most frequently targeted data types, it’s perhaps not surprising that attackers sometimes succeed in breaching these businesses. What is surprising is the number of financial data breaches that never make the headlines, and the problem seems to be getting worse. A Freedom of Information (FOI) request found that the number of data breaches reported by UK financial services firms to the Information Commissioner’s Office (ICO) increased by almost a quarter in the year to March 2017. These 140 data breaches included both cyber attacks and accidental leaks.
In addition to targeting banks and large financial services firms, cyber attackers are also casting their nets more broadly, to firms including insurers and financial advisers – both of which saw big jumps in the number of reported breaches according to the ICO FOI request. Today, no financial services firm can afford to underestimate the importance of a strong security posture and approach to data protection. But many don’t know where to begin. A survey by consultancy Capgemini found that only one in every five banks and insurers is confident that it could detect a cyber security breach. The same study found that 71% did not have a balanced security strategy or strong data privacy practices.
In order to adequately protect data from cybercriminals, financial organisations and their partners must implement comprehensive security measures to protect customer data from the increasing volume and growing variety of threats. These best practices for cybersecurity aim to keep pace with evolving threats, addressing risks to privacy and data protection on endpoints and in the cloud, and protecting data whilst it’s in transit, at rest, and in use. Here’s how they can do it:
Improve employee awareness
The human element remains one of the biggest threats to security across all industries, and this is particularly true in financial services. Simple human error or negligence can produce disastrous and expensive consequences for these organisations. Security awareness training equips employees with the knowledge necessary to make smart decisions and use appropriate caution when handling financial or customer data.
Implement access controls for apps and data
Access controls reinforce data protection by restricting sensitive information and certain applications to only those users who need them to do their jobs – the principle of least privilege. Two things have to be in place: authentication, which establishes who the user is, and authorisation, which decides what that identity is allowed to do; a strong login is of little use if every authenticated user can then reach everything. Multi-factor authentication, which requires users to prove their identity with two or more independent factors (for example a password plus a hardware token or authenticator app), is strongly recommended for any account that can reach customer data, and especially for privileged and remote access.
Add additional data usage controls
Data usage controls (often delivered as data loss prevention, or DLP, tooling) go beyond access controls and monitoring by ensuring that risky or malicious handling of data can be flagged and blocked in real time. Financial services organisations can use them to block specific actions involving sensitive data, such as web uploads, unauthorised email sends, copying to external drives, or printing. Data discovery and classification plays an important supporting role here: a control can only block the movement of sensitive data if that data has first been identified and tagged to receive the proper level of protection. Classification that relies purely on patterns (anything that looks like a 16-digit number) generates false positives, so validating candidates before tagging them matters.
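The following is an added example, not code from the original article or from any product it mentions. It shows the discovery-and-classification step feeding a usage-control decision: text is scanned for payment card numbers and IBANs, candidates are validated with the Luhn and IBAN mod-97 checks so that random digit runs are not tagged, and an assumed policy table decides whether a requested action (web upload, external email, USB copy, print) is blocked. The tag names, the policy and the sample strings are all constructed for illustration.

```python
"""Added example: classify sensitive financial data, then decide whether an action is allowed.
Not part of the original article; tags, policy and sample inputs are assumptions."""
import re

# Candidate patterns: 13-19 digit runs with optional separators, and IBAN-shaped tokens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: every real card number passes; most random digit runs fail."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """IBAN mod-97 check: move the first four characters to the end, map letters to
    10..35, and the resulting integer must leave remainder 1 when divided by 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def classify(text: str) -> set[str]:
    """Return the set of sensitivity tags that apply to a piece of text."""
    tags = set()
    if any(luhn_valid(m.group()) for m in PAN_RE.finditer(text)):
        tags.add("PCI")            # payment card data
    if any(iban_valid(m.group()) for m in IBAN_RE.finditer(text)):
        tags.add("BANK_ACCOUNT")   # account identifiers
    return tags


# Assumed policy: which actions are blocked for data carrying each tag
POLICY = {
    "PCI": {"web_upload", "external_email", "usb_copy", "print"},
    "BANK_ACCOUNT": {"web_upload", "external_email", "usb_copy"},
}


def decide(text: str, action: str) -> tuple[str, set[str]]:
    """Classify the text, then block the action if any tag's policy forbids it."""
    tags = classify(text)
    blocked = {t for t in tags if action in POLICY.get(t, set())}
    return ("BLOCK" if blocked else "ALLOW"), tags


if __name__ == "__main__":
    # Constructed sample inputs: one real-format test card number, one look-alike reference
    for sample, action in [
        ("Card 4111 1111 1111 1111 exp 12/26", "web_upload"),
        ("Ref 1234 5678 9012 3456 (ticket)", "web_upload"),
        ("Payee IBAN GB82WEST12345698765432", "print"),
    ]:
        print(action, decide(sample, action))
```

The two checksum validators are what separate a usable control from one that users learn to ignore: the ticket reference in the second sample has sixteen digits but fails Luhn, so it is neither tagged nor blocked.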
Monitor data usage
Logging all access and usage of data is also crucial. Organisations should be able to see which users are accessing what information, applications and other resources, when, and from which devices and locations. Those logs need to be written to a central store that the users and systems being monitored cannot alter, and retained for long enough to investigate incidents that are discovered months later. They also serve auditing: they identify areas of concern and show where protective measures need strengthening. When an incident does occur, the audit trail helps to pinpoint the entry point, establish the cause and evaluate the damage, and that is only possible if the logs were being collected beforehand.
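The following is an added example, not code from the original article. It runs simple detection logic over a constructed audit log of the kind the paragraph describes (user, timestamp, resource, device, country, success flag): a per-user baseline of known devices and countries is built from earlier entries, and later entries are flagged for a new device, a new country, an export outside working hours, or a burst of failed accesses. The log format, the user names, the working-hours window and the burst threshold are all assumptions made for the example.

```python
"""Added example: baseline-and-deviation detection over an access audit log.
Not part of the original article; log format, users and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 UTC, an assumed working window
FAIL_BURST = 5                      # this many failed accesses ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window is flagged

# Constructed sample audit log, one JSON object per line
SAMPLE_LOG = """
{"ts":"2017-03-01T09:12:04Z","user":"asmith","action":"read","resource":"customer_db","device":"LT-0412","country":"GB","ok":true}
{"ts":"2017-03-02T10:03:11Z","user":"asmith","action":"read","resource":"customer_db","device":"LT-0412","country":"GB","ok":true}
{"ts":"2017-03-03T14:45:59Z","user":"asmith","action":"export","resource":"customer_db","device":"LT-0412","country":"GB","ok":true}
{"ts":"2017-03-01T11:20:00Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":true}
{"ts":"2017-03-02T11:25:30Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":true}
{"ts":"2017-03-06T02:14:07Z","user":"asmith","action":"export","resource":"customer_db","device":"UNKNOWN-77","country":"RO","ok":true}
{"ts":"2017-03-06T02:15:40Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":false}
{"ts":"2017-03-06T02:15:52Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":false}
{"ts":"2017-03-06T02:16:03Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":false}
{"ts":"2017-03-06T02:16:14Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":false}
{"ts":"2017-03-06T02:16:25Z","user":"bjones","action":"read","resource":"payments","device":"LT-0977","country":"GB","ok":false}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, before):
    """Per user, the devices and countries seen in successful accesses before `before`."""
    base = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["ts"] < before and e["ok"]:
            base[e["user"]]["devices"].add(e["device"])
            base[e["user"]]["countries"].add(e["country"])
    return base


def detect(events, baseline, since):
    """Return (user, time, finding, detail) tuples for events at or after `since`."""
    findings = []
    failures = defaultdict(list)    # recent failure timestamps per user
    for e in events:
        if e["ts"] < since:
            continue
        who, when = e["user"], e["ts"]
        known = baseline.get(who)   # None for a user with no history
        if known and e["device"] not in known["devices"]:
            findings.append((who, when, "new_device", e["device"]))
        if known and e["country"] not in known["countries"]:
            findings.append((who, when, "new_country", e["country"]))
        if when.hour not in BUSINESS_HOURS and e["action"] == "export":
            findings.append((who, when, "off_hours_export", e["resource"]))
        if not e["ok"]:
            failures[who] = [t for t in failures[who] + [when] if when - t <= FAIL_WINDOW]
            if len(failures[who]) == FAIL_BURST:
                findings.append((who, when, "failed_access_burst", e["resource"]))
    return findings


def run():
    """Baseline on everything before 5 March 2017, then inspect what came after."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2017, 3, 5)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

The point of the baseline step is that "unusual" only has meaning relative to a recorded history of normal use, which is why the logging has to be in place before the incident rather than switched on after it.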
Encrypt all data
Encryption is one of the most useful data protection methods for financial services organisations. If data is encrypted in transit (TLS between clients, services and partners) and at rest (disks, databases and backups), an attacker who gets hold of the ciphertext learns nothing useful without the key. The caveat is that the protection is only as good as the key management: keys stored beside the data, shared widely, or never rotated undo the benefit, and encryption at rest does not stop an attacker who compromises an application that legitimately holds the key. Furthermore, the General Data Protection Regulation requires organisations to implement appropriate technical and organisational measures to protect personal data, and names the pseudonymisation and encryption of that data among the measures to consider.
Secure employee devices
Increasingly, financial services providers allow employees to use mobile devices to access information from remote locations. There are many enterprise mobility management practices organisations should consider to secure those devices, including: enforcing security settings and configurations (device encryption, screen lock, current OS version), enabling remote lock and wipe for lost or stolen devices, separating corporate data from personal apps, and enforcing multi-factor authentication wherever possible.
Secure IoT devices
Mobile devices have traditionally been the primary area of concern, yet with the rise of the Internet of Things (IoT), many new types of vulnerable connected devices are appearing. In financial services, things like CCTV cameras and smart light bulbs might now be connected to the main network. Some tips for maintaining adequate IoT security include:
Maintain IoT devices on their own separate network
Continuously monitor IoT device networks to identify sudden changes in activity levels that may indicate a breach
Disable or remove non-essential services and default accounts on devices before deployment
Use strong, multi-factor authentication for device management interfaces whenever possible
Keep all connected devices up-to-date to ensure that all available patches are implemented
Conduct regular risk assessments
While audit trails help to identify valuable details of an incident after it occurs, proactive prevention is equally important. Risk assessments can identify vulnerabilities in the network, shortcomings in employee education, inadequacies in the security posture of vendors and business partners, and other areas of concern. By evaluating risk across the organisation periodically, financial services companies and their partners can prevent breaches and avoid the many other detrimental impacts of a breach – from reputation damage to penalties issued by regulatory bodies.
Opt for off-site data backup
Cyber attacks can expose sensitive information, but they can also compromise data integrity or availability. Natural disasters can also lead to major issues if data isn’t properly backed up. That’s why frequent off-site data backups are recommended, with strict controls for encryption and access, and kept where a compromise of the production environment cannot reach them – an attacker who can delete or alter the backups along with the live data has removed the recovery option. Restores should be tested regularly; a backup that has never been restored is an assumption, not a control. Off-site backups are also an essential component of disaster recovery.
Scrutinise third parties and partners
Because financial information is commonly transmitted between providers, a thorough evaluation of all potential business partners is one of the most crucial security measures organisations can take. It is essential to understand where and how partners are using data and from where they are accessing it. This means putting in place a consistent data protection policy, contractual security requirements, and technical controls (such as encrypted transfer and least-privilege access for partner accounts) to ensure that data is shared in a secure manner.
Taking such a comprehensive approach to security can seem exhausting, but when sensitive and valuable customer or financial data is at risk, these measures are essential. Financial organisations that take data protection seriously should act now: review their data security policies and technologies against the GDPR and other regulatory requirements, and keep data out of the wrong hands.