By Fabian Libeau, EMEA VP at RiskIQ
Ahead of the enforcement of EU General Data Protection Regulation (GDPR), businesses across Europe are having to make changes to how they solicit, handle and secure personal data. Stakes are high, as non-compliance can result in severe penalties, not to mention the impact on brand reputation and customer satisfaction. I’d like to look at how an organisation’s exposure on the Internet further complicates this already complex challenge.
Security and compliance outside the firewall
Financial services organisations are increasingly embracing digital to better serve their customers and remain competitive. What started as a web presence has now branched out to include company developed mobile apps and social media accounts across different social media platforms. While these digital assets offer consumers a range of touch points though which to engage, they also result in an expanding digital footprint that is difficult to secure and make compliant.
Looking specifically at data capture, compliance with EU GDPR requires organisations to offer individuals a clear and active opt-in before collecting any Personally Identifiable Information (PII). All information should be collected and transmitted in a secure manner.
GDPR also requires the reporting of data breaches within 72 hours of an incident. As such, working to pro-actively mitigate data breaches will be critical. This will require a hard look at an organisations digital footprint, not least because cybercriminals are increasingly targeting digital assets that exist outside of traditional firewalls across web, social and mobile. Indeed, Verizon research1 found that the majority of data breaches (75 percent) can currently be traced to external threats.
Since financial services organisations are increasingly embracing digital to better serve their customers and remain competitive – such as with mobile banking apps – it will be critical to have a clear overview of all their digital assets. In fact, effective GDPR compliance will be hard without maintaining internal asset inventories that detail the exact location, accessibility, patch level, and ownership of assets both within and outside the firewall. All login pages, data entry forms and persistent cookies used across an organisation’s sites, whether they were developed in-house or outsourced by marketing or a business unit, will have to be reviewed for compliance.
The stakes are especially high for financial services organisations, as they not only handle data that is PII – such as a username, phone number, address, social media presence, photos, location data and even IP addresses – but is also high in economic value.
There is already an upsurge in phishing attacks that use the branding of organisations to scam their customers into channelling their money, or other forms of valuable data. In recent weeks, there has been warnings of phishing campaigns urging consumers to update their personal information ahead of the GDPR implementation. TSB also issued warnings to customers about hackers using phishing tactics in the midst of its IT meltdown. This illustrates the sophistication of cybercriminals as they re-invent their tactics to scam customers.
Importance of digital threat management
To ensure GDPR compliance, and to safeguard brand reputation and customer satisfaction, financial services organisations need to have a complete view of the digital assets they own, as well as how the attacker sees them. By continuously monitoring their web, mobile and social assets, companies will be able to weed out the threats and effectively reduce their digital risk exposure. This means automatically flagging assets that capture and process PII to the internal security team, including sites and accounts set up by malicious actors using the brand as a lure, such as with fake ads. In addition, it means discovering and responding to attacks or fraudulent activity related to said assets already at the planning stage – before any data is compromised.
Targeted attacks against financial services organisations are increasing exponentially, with hackers, organised cyber-crime groups and nation states continuously deploying attack infrastructure to launch phishing attacks, domain threats, brand abuse, social, mobile, and malware based cyber-attacks. Security and compliance teams within the sector therefore need to focus on increasing their organisation’s security and compliance posture across their entire digital presence to reduce cyber risk.