Banking and financial services collect and process huge amounts of sensitive data on a daily basis, making them prime targets for cybercrime and data loss. As a consequence, they are also some of the most heavily regulated organizations when it comes to data protection, with both international standards and national laws legislating the way financial information is collected, stored and processed.
In the US, laws like the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Sarbanes-Oxley Act (SOX) of 2002, adopted well before today's volume of digital records, boosted accountability and transparency in how financial information is collected, handled and disclosed. More recently, the EU has overhauled data protection through its General Data Protection Regulation (GDPR), which made organizations, financial ones included, directly accountable for the security of the personal data they collect. Internationally, any financial service that handles payment card data from the major card schemes must comply with the Payment Card Industry Data Security Standard (PCI-DSS).
Banking and financial services face a tough challenge when it comes to data protection. They are not only on the front line of cyberattacks but are also the most likely to incur the wrath of data protection agencies the world over in case of breaches, risking both high fines and a loss of reputation that can severely impact their bottom lines.
Many banking and financial services therefore invest heavily in extensive data protection frameworks, implementing policies and technology solutions that help keep sensitive data secure. While these can be effective, much of the time and energy goes into securing data against external threats while obvious internal weaknesses linked to day-to-day business operations are ignored. Here are our top tips on how banking and financial services can mitigate them:
Always consider data on the move
Whether it's employees working remotely or third-party vendors providing essential parts of the services that financial organizations offer, sensitive data is now routinely on the move. This is a frequent blind spot in data security strategies: cybersecurity frameworks focus on securing data on the company network while overlooking what happens once that data has left the premises.
It is therefore important that organizations implement data protection solutions that work even if a computer is no longer connected to the company network. This usually means that they need to be applied at the endpoint level rather than at the network level.
When it comes to third parties, companies must ensure that their vendors have adequate cybersecurity policies in place that will offer the same level of data protection for sensitive data they themselves do. This can be done by making data protection frameworks a mandatory requirement for all vendors.
Don’t ignore internal threats
Because malicious outsiders are considered the biggest threat to sensitive data, insiders are often overlooked as a source of risk, even though they are one of the major causes of data breaches. Whether it's falling for phishing attacks, sending sensitive data over insecure channels or bypassing protection measures to get work done faster, employees and internal process failures are at the heart of some of the world's most notorious data breaches, including the now infamous 2017 Equifax breach, in which a failure to apply an available patch to a public-facing web application exposed the records of roughly 147 million Americans.
An effective way of mitigating the risk of internal threats is a combination of training and Data Loss Prevention (DLP) tools. Companies need to raise awareness of the dangers of data leaks and of their financial and reputational consequences. They also need to educate their employees in data protection best practices and in how to recognize and steer clear of social engineering tactics.
DLP solutions reinforce training by enforcing data protection policies technically: they inspect content as it is moved or sent, identify sensitive data such as card numbers or account details, and block or log transfers over insecure channels or to unapproved third parties, so that a single careless click does not become a reportable breach.
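To make the DLP mechanism concrete, here is an added example of the kind of content-inspection rule such a tool applies. It is illustrative code written for this article, not the product or policy of any vendor mentioned here. It scans constructed sample messages for payment card numbers (relevant to PCI-DSS), validates candidates with the Luhn check so that arbitrary 16-digit reference numbers are not flagged, masks any hit to the first six and last four digits, and applies a hypothetical policy that blocks transfers over an assumed set of insecure channels and only logs them elsewhere. The channel names and messages are assumptions made for the example.

```python
import re

# Constructed sample messages for the example. "4111 1111 1111 1111" is a
# well-known test card number that passes the Luhn check; the 16-digit run
# in the ticket reference does not, so it must not be flagged.
SAMPLE_MESSAGES = {
    "email_to_vendor": "Card on file: 4111 1111 1111 1111, exp 09/27. Please process.",
    "ticket_id": "Ref 1234 5678 9012 3456 raised for customer complaint.",
    "benign": "Quarterly report attached, see section 3.",
}

# Hypothetical policy: channels over which card data may never leave.
INSECURE_CHANNELS = {"email", "webmail", "usb", "chat"}

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask a card number to first six and last four digits for logging."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def evaluate(channel: str, text: str) -> dict:
    """Apply the policy: block card data on insecure channels, log it elsewhere.

    Returns a dict with the decision and the masked numbers, never the raw PAN,
    so that the DLP log itself does not become a store of card data.
    """
    pans = find_pans(text)
    if not pans:
        return {"action": "allow", "pans": []}
    action = "block" if channel in INSECURE_CHANNELS else "log"
    return {"action": action, "pans": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, "via email ->", evaluate("email", body))
    print("email_to_vendor via sftp ->",
          evaluate("sftp", SAMPLE_MESSAGES["email_to_vendor"]))
```

The Luhn step is what keeps the rule usable in practice: a regex alone would flag every ticket, account or phone number of the right length, and analysts quickly learn to ignore a tool that cries wolf. Real products add checks on known issuer prefixes and on surrounding keywords, but the structure is the same.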
Always have a response plan
Many cybersecurity frameworks aim to protect data so well that breaches never happen. Applying the Center for Internet Security (CIS) 20 Critical Security Controls, a widely recognized set of best-practice guidelines for securing IT systems and data, has been estimated to prevent as much as 97% of attacks. Even taking that figure at face value, it still leaves a 3% chance.
When it comes to cybersecurity, unfortunately, there is no 100% foolproof strategy for ensuring data breaches do not happen. This is why companies must always be prepared in the eventuality, no matter how small, that a data breach might happen to them.
Under most of the new data protection laws, organizations also have an obligation to notify data protection authorities of major data breaches, in the case of the GDPR within 72 hours of becoming aware of the breach. Where the breach is likely to put the affected individuals at high risk, they must also inform those individuals that their data has been compromised.
It is therefore essential for companies to put together an incident response plan and test it regularly, so that in the event of a data breach they can react efficiently, meet the notification deadlines with procedures already in place, and recover quickly in its aftermath.