Data Security Essentials for Banks and Financial Institutions

By Thomas Fischer, threat researcher and global security advocate at Digital Guardian

Thomas Fischer

Cyber crime is big business; it’s now the second most reported crime globally according to PwC. When it comes to stealing data, some verticals are more desirable to cyber criminals than others, and financial services – with its host of confidential customer information– tops that list. Getting cyber security right is integral to longevity. Just one big breach could have a detrimental impact on reputation and with the increasing amount of wide-scale data breaches occurring, consumers are more aware than ever of the amount of sensitive data these institutions hold.

With such high stakes, financial services firms need to get data security right. Below are the top data security essentials for keeping confidential information out of the wrong hands:

Conduct a risk assessment

With the GDPR coming into play in less than twelve months, you need to perform a thorough review – if you haven’t already – of your environment. It’s important to identify gaps where confidential data, including information contained on mobile devices, could be at risk. You don’t have to conduct this risk assessment yourself. There are a number of services available that can quickly help you understand where sensitive data lives and how it is being used.

Think beyond the network

Most financial organisations’ security starts and ends “on the network.” Why? Because it’s easier. Racking a security device on the network causes very little organisational friction. Yet IT teams then spend almost every day purposely punching holes in the network. VPNs are a common example; their widespread use makes them popular targets for attackers due to the high number of potential entry points and often lax attitude towards security from users.

These inevitable holes mean the network will always be vulnerable to attackers. Added to this, is the fact that many employees operate in a mobile environment and demand access to business information on their phones and tablets – devices that traditional network security measures can’t protect. A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a big role.

Focus on protecting data

The proliferation of the cloud has made the traditional network perimeter obsolete.Focusing on technologies that aim to protect the perimeter simply isn’t enough anymore, because data regularly moves beyond it.

Several proven data protection solutions on the market ensure security travels with the data. Called data loss prevention (DLP), these solutions help classify data, put a usage policy against it and strictly enforce it. DLP is a must-have for any company wanting to protect sensitive customer and business data.

By making it fractionally harder to steal sensitive information, or render data useless once outside the network, attackers will move to another company that presents an easier target. As data remains the target and its attack surface continues to grow, protecting that data must be at the core of every company’s security approach.

Investigate the benefits of outsourcing

A way around the challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider. Many of these companies have deep DLP expertise and proven infrastructure, meaning that you can concentrate on your business while they keep your data secure. If your IT team is already stretched, this approach gives you the comfort of knowing that customer data is being protected without taking valuable staff time. This will also help you meet the various standards demanded by customers, banks, and other security-sensitive organisations.

Train and re-train your employees regularly

Employee security awareness is a critical step to protect customer data. The key to effective employee security training is to go beyond the annual refresher that no one takes notice of. Innovative companies are using technologies to help employees self-correct any risky data habits, such as using real-time, pop-up prompts that give employees a reminder of what corporate policy is, and how they can adhere to it.

Regulators, customers and business partners will increasingly demand that companies show proof of security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realising that the weakest link in their security posture may not be within their own walls, but rather inside the walls of those they choose to do business with.

These essentials form the foundations of effective data security for the financial sector. Avoiding breaches and keeping data secure is essential to maintaining the trust of customers, circumventing reputational and financial damage, and keeping in line with regulatory requirements.

By Thomas Fischer, threat researcher and global security advocate at Digital Guardian

Thomas Fischer

Cyber crime is big business; it’s now the second most reported crime globally according to PwC. When it comes to stealing data, some verticals are more desirable to cyber criminals than others, and financial services – with its host of confidential customer information– tops that list. Getting cyber security right is integral to longevity. Just one big breach could have a detrimental impact on reputation and with the increasing amount of wide-scale data breaches occurring, consumers are more aware than ever of the amount of sensitive data these institutions hold.

With such high stakes, financial services firms need to get data security right. Below are the top data security essentials for keeping confidential information out of the wrong hands:

Conduct a risk assessment

With the GDPR coming into play in less than twelve months, you need to perform a thorough review – if you haven’t already – of your environment. It’s important to identify gaps where confidential data, including information contained on mobile devices, could be at risk. You don’t have to conduct this risk assessment yourself. There are a number of services available that can quickly help you understand where sensitive data lives and how it is being used.

Think beyond the network

Most financial organisations’ security starts and ends “on the network.” Why? Because it’s easier. Racking a security device on the network causes very little organisational friction. Yet IT teams then spend almost every day purposely punching holes in the network. VPNs are a common example; their widespread use makes them popular targets for attackers due to the high number of potential entry points and often lax attitude towards security from users.

These inevitable holes mean the network will always be vulnerable to attackers. Added to this, is the fact that many employees operate in a mobile environment and demand access to business information on their phones and tablets – devices that traditional network security measures can’t protect. A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a big role.

Focus on protecting data

The proliferation of the cloud has made the traditional network perimeter obsolete.Focusing on technologies that aim to protect the perimeter simply isn’t enough anymore, because data regularly moves beyond it.

Several proven data protection solutions on the market ensure security travels with the data. Called data loss prevention (DLP), these solutions help classify data, put a usage policy against it and strictly enforce it. DLP is a must-have for any company wanting to protect sensitive customer and business data.

By making it fractionally harder to steal sensitive information, or render data useless once outside the network, attackers will move to another company that presents an easier target. As data remains the target and its attack surface continues to grow, protecting that data must be at the core of every company’s security approach.

Investigate the benefits of outsourcing

A way around the challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider. Many of these companies have deep DLP expertise and proven infrastructure, meaning that you can concentrate on your business while they keep your data secure. If your IT team is already stretched, this approach gives you the comfort of knowing that customer data is being protected without taking valuable staff time. This will also help you meet the various standards demanded by customers, banks, and other security-sensitive organisations.

Train and re-train your employees regularly

Employee security awareness is a critical step to protect customer data. The key to effective employee security training is to go beyond the annual refresher that no one takes notice of. Innovative companies are using technologies to help employees self-correct any risky data habits, such as using real-time, pop-up prompts that give employees a reminder of what corporate policy is, and how they can adhere to it.

Regulators, customers and business partners will increasingly demand that companies show proof of security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realising that the weakest link in their security posture may not be within their own walls, but rather inside the walls of those they choose to do business with.

These essentials form the foundations of effective data security for the financial sector. Avoiding breaches and keeping data secure is essential to maintaining the trust of customers, circumventing reputational and financial damage, and keeping in line with regulatory requirements.