By John Michael, CEO, iStorage looks at the challenges around data storage and security for financial services organisations and discusses the tactics that can help them mitigate risk.

Financial services organisations collect and process a vast amount of data. Gartner defines this big data as being high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing[1]. The data that financial services businesses process is primarily highly sensitive, including bank account details and other personally identifiable information (PII) that is subject to regulatory compliance, such as the GDPR in the European Union. And, such sensitive information, gathered together in considerable quantities, needs to be protected.

A report into the future of cloud in relation to banking[2] found that the majority of retail and commercial banks aim to triple their use of cloud services by 2025. Migrating client-facing applications, and  crucially their data to the cloud will enable them to take advantage of greater storage capacities, the streamlining of processes and a move away from legacy software and systems. Yet, keeping data secure in the cloud can be more challenging than it seems. So, what measures should financial services organisations be taking to ensure the highest levels of data security while still enabling them to benefit from all that the cloud has to offer?

Encrypting information to remove risk

State-of-the-art encryption could help to eliminate the risk of a data breach, saving a business from hefty fines in relation to the GDPR. Yet worryingly, recent figures suggest that as much as 82% of the databases in the public cloud are not currently encrypted[3]. While cloud providers do offer encryption to customers, the only information required to access their valuable data is a username and password. It therefore falls to financial services organisations to take matters into their own hands. To ensure data privacy when faced with common threats, such as those employed by hackers, data should be encrypted before it is sent to the cloud, both in transit and at rest.

For ultra-secure encryption, data should preferably be encrypted with a FIPS certified randomly generated AES 256-bit encrypted encryption key, providing the highest levels of security and protection. And, to be truly secure, the user needs to retain full control of the encryption key, ensuring that it is stored in the most secure way possible, separately to their data. Taking this approach means that even if the cloud account is targeted and hacked, and the data falls into the wrong hands, it cannot be decrypted and accessed. Encryption of data and the separate secure storage of the encryption key increases the level of security from just one factor, the cloud account login, to as much as five-factor authentication.

Secure sharing with stakeholders

In the financial services sector, highly sensitive information is regularly shared between branches and offices as well as with third party organisations, so it is essential that the same high standards of security are upheld. The sharing of data in the cloud allows for instant collaboration, so businesses should ensure that this data is encrypted, and then provide authorised users with a copy of the encrypted encryption key to access the files. This will keep them highly secure, requiring all who access the data, whether they work remotely or for a third party, to follow a multi-factor authentication security procedure.

An example in which unsecure third-party access caused major issues comes from a 2020 incident in which a South African bank suffered a data breach, effectively putting at risk the data of 1.7 million customers. The data included names, ID numbers, home addresses, phone numbers, and email details. In this example the bank’s own network remained secure, but the breach concerned the premises of a third-party business who had been entrusted with customer data for marketing purposes. Here, encrypted data with an encrypted encryption key stored separately could have prevented the incident altogether.

Central management for a holistic view

Controlling access is a major factor in mitigating the risks associated with human error, such as the loss of an encryption key, or a staff member leaving an organisation and keeping a key. Through centralised management, those responsible for cloud and data security in the organisation will be able to monitor and control file access, set geo-fencing and time fencing restrictions, encrypt file names and disable users’ access to data remotely. This will go a long way to further eliminating security risks.

As financial services organisations continue to collect increasingly more data, the cloud can be a viable solution to the processing, storage and sharing of confidential information. But the cloud will only be useful in this regard as long as security measures can be enforced. High-quality encryption and effective centralised control of access to sensitive information must be in place in order to avoid data breaches while retaining high levels of customer trust. This will ultimately provide the financial services industry with the peace of mind that comes from having safer data.

Learn more about managing, sharing and encrypting data in the cloud:
https://istorage-uk.com/product/cloudashur/

About Author:

After constantly reading about increasing data loss incidents, iStorage CEO and Founder, John Michael saw this was clearly a growing problem with damaging consequences and identified a huge gap in the market to establish a business offering ultra-secure, easy-to-use and affordable data storage devices. Applying his 35 years’ worth of knowledge and experience within the data storage space enabled John to come up with ideas for products that would resolve such problems.

[1] https://www.gartner.com/en/information-technology/glossary/big-data

[2] https://turtl.publicissapient.com/story/the-cloud-banking-report/page/1

[3] https://www.cioinsight.com/security/most-databases-in-the-cloud-are-not-encrypted/