Dr Guy Bunker, SVP of Products at data security company, Clearswift, talks to Global Banking and Finance Review about the top threats to the financial sector, GDPR and emerging technologies.
Tell us a little bit about Clearswift and its service offerings
GB: Clearswift has been in information security for 20 years and is an expert in Deep Content Inspection and Adaptive Data Loss Prevention (A-DLP). We have a number of gateway products, which are installed between the organisation and the Internet, protecting email and web traffic. The gateways can be installed on-premise or in the cloud. While many of our customers manage their own installations, we are seeing an increase in customers who want our managed service, particularly those who have moved or are moving to Office 365 and realise they need better security.
What do you see as the top cybersecurity threats to the financial sector?
GB: Our research into top threats reveals that 50% of financial organisations see phishing emails as the biggest threat to their business. This hasn’t really changed; it is still information theft leading to fraud, denial of service and data loss. Of course, the attacks themselves are becoming increasingly sophisticated and can operate in a secondary or tertiary manner through third-party suppliers. Ransomware remains a big issue, with phishing being the easiest route in, having malware payloads embedded in innocuous-looking documents.
The advent of GDPR will probably see an increase in ‘hacktivists’ who will look at weaponising the regulation. This, in essence, means that people steal and expose critical information so as to generate fines for companies and/or grind businesses to a halt with spurious requests, as opposed to stealing information for ‘personal’ gain like a traditional cyber-attacker would.
What are your top tips for financial institutions to follow should they suffer a data breach?
GB: Communication and facts are key. Organisations should have a data breach plan, and should test it on a regular basis, so when an incident occurs the team dealing with the breach know what they should be doing. Getting the facts right, about what happened and who is impacted, is fundamental. We saw with the TalkTalk incident, where the ‘facts’ kept changing, how that increased the reputational damage to the organisation. Within the communication plan, regular communications are required – even if there is no new news. Just informing people of what is happening ‘behind the scenes’ helps build confidence and limits reputational damage. Communications will have to be tailored to the various stakeholders – whether it is the ICO, customers, staff, suppliers, consultants or shareholders.
What impact can a data breach have on financial institutions? Is there one particular impact that should be considered more than others?
GB: Reputation is critical. People have to trust the organisation in order to put their money or financial decisions with them. A data breach will significantly impact the reputation of the company – not only will existing clients reconsider whether to stay, but new customers will be put off from becoming a client. Within the finance industry, there is a considerable choice and in the internet age, the competition is only a click away.
GDPR is now in full effect, what do you see as the financial sector’s biggest compliance issue?
GB: Finance has always been heavily regulated, so GDPR has had less impact on policies and processes than in other sectors. However, the fines associated with failure to comply – which are based on global turnover – could be crippling. Outside of this, ensuring compliance with the consent aspects of the regulation is key. Being able to keep in touch with old customers as well as being able to market to prospects will suffer if consent is not approved. Other pieces of the regulation, such as ‘right to be forgotten’ and data portability, should all have written processes around them, so people know what to do, or who to contact, should a request be received.
With so many employees in banking and finance handling personal information on a daily basis, what is your advice for ensuring this does not lead to non-compliance?
GB: Compliance has always been a big issue in the finance sector; the introduction of GDPR makes a few changes, but the issues over privacy and information protection are still very much the same. Clearswift’s recent research revealed that 45% of employees have accidentally shared emails containing sensitive information, so care really does need to be taken around the new ‘shared responsibility’ aspects of GDPR – especially where third-party data processors are used, as well as any other suppliers or consultants who have access to the data. Ensuring that all parties who have access to critical information have adequate data protection is essential. The same is true for any data which is shared within the organisation.
Fortunately, we all, as individuals, need to trust other organisations with our personal data, so instilling the need to protect it ‘as if it was your own’ is a good approach to take. Education on information protection and GDPR needs to run from the CEO to the cleaner as well as to all suppliers and customers.
Good compliance is about people, processes and technology. Technology needs to be considered to cover any gaps in compliance, to efficiently enforce policies and processes and ultimately to keep people (both employees and customers) safe.
Last year, it was reported that bank data breaches are mostly caused by insiders. How can financial institutions prevent this from happening?
GB: Insiders have two variants: one is malicious, the others are those who make a mistake. Making mistakes, such as sending critical information to the wrong (unauthorised) person, is more prevalent than the malicious insider – but the impact is the same: information will have fallen into the wrong hands. The technology to detect and protect is the same for both the malicious exfiltration and inadvertent mistakes. A defence-in-depth strategy should be applied as good practice. Network analysis and behavioural analytics are nice-to-have solutions, but a Data Loss Prevention (DLP) solution which covers both email and web (cloud) should also cover removable media, e.g. a USB stick. DLP has moved on from the traditional ‘stop and block’ approach to encompass new technologies such as Adaptive Redaction, where content which breaks policy is automatically removed as it crosses the organisation boundary – but the rest remains. Continuous communication, which is vital to the success of financial services, is therefore achieved while information is kept secure.
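To make the ‘stop and block’ versus Adaptive Redaction distinction concrete, here is an added illustration (not Clearswift’s code, and not how their gateway is implemented) of a minimal outbound-email policy check. It assumes a single policy rule, Luhn-valid payment card numbers, and a constructed sample message; a real DLP policy would cover far more content types.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (filters out order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def adaptive_redact(text: str) -> tuple[str, int]:
    """Adaptive Redaction: strip only the policy-breaking content, keep the rest.

    Returns the redacted message and the number of card numbers removed."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            count += 1
            return "[REDACTED-PAN]"
        return m.group(0)       # digit run that is not a valid PAN: leave it untouched

    return PAN_RE.sub(repl, text), count


def stop_and_block(text: str):
    """Traditional approach for comparison: any violation blocks the whole message (returns None)."""
    _, violations = adaptive_redact(text)
    return None if violations else text


# Constructed sample outbound email body: one order number (not a card) and one test card number.
SAMPLE = (
    "Hi Sam, the refund for order 1234567890123 is on its way.\n"
    "Please charge the balance to card 4111 1111 1111 1111 instead.\n"
    "Thanks, Alex"
)

if __name__ == "__main__":
    redacted, n = adaptive_redact(SAMPLE)
    print(f"{n} card number(s) redacted; message still delivered:\n{redacted}")
    print("stop-and-block would deliver:", stop_and_block(SAMPLE) is not None)
```

With the sample, stop-and-block drops the entire refund message, while adaptive redaction delivers it with only the card number replaced and the order number intact.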
How do you think the introduction of new technologies into the sector, such as the automation of processes or the implementation of blockchain, will affect the risk of a data breach in financial institutions?
GB: Automation in theory removes human error, but it can introduce new threat vectors which in turn create risk. Systems operate within boundaries and, whereas people are good at spotting anomalies, systems are only just starting to be able to do this. Cyber attackers are trained to find weaknesses in all types of systems, finding and exploiting vulnerabilities, and the more connected the process chain, the more opportunities there will be.
Blockchain appears to offer some transaction integrity at present but there will no doubt be a compromise which will make people rethink its use and application. It is not a silver bullet.
The use of apps for banking and investing is proving to be a growing area and offers opportunities for smaller organisations to make their mark. However, this is another area where there is increased opportunity for fraud, and so the client needs further protection. There is always a trade-off between security and usability; the challenge is to know where to draw the line, protecting the client and their assets while enabling more flexibility and opportunity.