
GDPR demands increased control over digital assets

By Fabian Libeau, EMEA VP at RiskIQ

Ahead of the enforcement of EU General Data Protection Regulation (GDPR), businesses across Europe are having to make changes to how they solicit, handle and secure personal data. Stakes are high, as non-compliance can result in severe penalties, not to mention the impact on brand reputation and customer satisfaction. I’d like to look at how an organisation’s exposure on the Internet further complicates this already complex challenge.

Security and compliance outside the firewall
Financial services organisations are increasingly embracing digital to better serve their customers and remain competitive. What started as a web presence has now branched out to include company-developed mobile apps and social media accounts across different social media platforms. While these digital assets offer consumers a range of touch points through which to engage, they also result in an expanding digital footprint that is difficult to secure and make compliant.

Looking specifically at data capture, compliance with EU GDPR requires organisations to offer individuals a clear and active opt-in before collecting any Personally Identifiable Information (PII). All information should be collected and transmitted in a secure manner.

GDPR also requires the reporting of data breaches within 72 hours of an incident. As such, working to pro-actively mitigate data breaches will be critical. This will require a hard look at an organisation’s digital footprint, not least because cybercriminals are increasingly targeting digital assets that exist outside of traditional firewalls across web, social and mobile. Indeed, Verizon research¹ found that the majority of data breaches (75 percent) can currently be traced to external threats.

Since financial services organisations are increasingly embracing digital to better serve their customers and remain competitive – such as with mobile banking apps – it will be critical to have a clear overview of all their digital assets. In fact, effective GDPR compliance will be hard without maintaining internal asset inventories that detail the exact location, accessibility, patch level, and ownership of assets both within and outside the firewall. All login pages, data entry forms and persistent cookies used across an organisation’s sites, whether they were developed in-house or outsourced by marketing or a business unit, will have to be reviewed for compliance.

The stakes are especially high for financial services organisations, as the data they handle is not only PII – such as a username, phone number, address, social media presence, photos, location data and even IP addresses – but also high in economic value.

There is already an upsurge in phishing attacks that use the branding of organisations to scam their customers into handing over their money or other forms of valuable data. In recent weeks, there have been warnings of phishing campaigns urging consumers to update their personal information ahead of the GDPR implementation. TSB also issued warnings to customers about hackers using phishing tactics in the midst of its IT meltdown. This illustrates the sophistication of cybercriminals as they re-invent their tactics to scam customers.

Importance of digital threat management
To ensure GDPR compliance, and to safeguard brand reputation and customer satisfaction, financial services organisations need to have a complete view of the digital assets they own, as well as how the attacker sees them. By continuously monitoring their web, mobile and social assets, companies will be able to weed out the threats and effectively reduce their digital risk exposure. This means automatically flagging assets that capture and process PII to the internal security team, including sites and accounts set up by malicious actors using the brand as a lure, such as with fake ads. In addition, it means discovering and responding to attacks or fraudulent activity related to said assets already at the planning stage – before any data is compromised.

In summary
Targeted attacks against financial services organisations are increasing exponentially, with hackers, organised cyber-crime groups and nation states continuously deploying attack infrastructure to launch phishing attacks, domain threats, brand abuse, and social, mobile and malware-based cyber-attacks. Security and compliance teams within the sector therefore need to focus on increasing their organisation’s security and compliance posture across their entire digital presence to reduce cyber risk.

1 https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/