Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Top Stories

HOW CAN THE FINANCIAL SECTOR TAKE CONTROL OF ITS DATA IN TIME FOR THE GDPR?

HOW CAN THE FINANCIAL SECTOR TAKE CONTROL OF ITS DATA IN TIME FOR THE GDPR?

By Matt Lock, Director of Sales Engineers (UK) at Varonis 

Over the last year, much of the discussion on the EU General Data Protection Regulation (GDPR) has been about the huge fines that can be levied against firms that fail to protect the personal data they are entrusted with: up to €20m, or 4% of annual global turnover. However, the new regulation’s real focus is not simply punishing negligent companies; Elizabeth Denham, the UK Information Commissioner, stated last year that large fines are a matter of last resort in most cases. Instead, the aim of the GDPR – which goes into effect on May 25th – is to change the way companies think about, manage, and protect their data.

Matt Lock

Matt Lock

The new regulation is overdue. Many companies don’t have control of the data they hold, with some having little knowledge of where their most sensitive data is stored or who can access it. In 2017, Varonis analysed hundreds of corporate IT systems and found that almost half of the companies examined had at least 1,000 sensitive files open to every employee. This is exactly what the GDPR is designed to prevent: requiring companies to implement security programs that protect data and enforcing the rules through regulatory warnings, audits, and, if necessary, fines.

This is an issue for any organisation that routinely deals with the data of EU citizens, but banking and financial sector companies are particularly at risk because of the large amounts of personal and highly sensitive data they store as a matter of course.

What are the risks of poor data control?

A crucial principle of the GDPR is data minimisation: organisations should limit consumer data collection and continue to store data for which there’s a real business need. This new approach is in stark contrast to the current data culture, which has seen the majority of organisations spending the last couple of decades steadily collecting and storing as much data as possible, with few ever deleting anything.

Aside from landing a company at legal risk with the regulatory bodies if poor practices are discovered, the personally identifiable information (PII) or “personal data” as it’s referred to in the GDPR held by financial organisations is, of course, highly sought after by cyber criminals. PII is often easily monetizable, or can also be used as a spring board to social engineering attacks, or if need be sold to other criminals for through the dark web.

Leaving PII and other sensitive data collected in a disorganised, unmanaged way creates a number of major security risks because anyone with access to the network will have free reign to access all of these sensitive files. If an attacker breaches the network, they often can spend weeks and even months steadily harvesting information without attracting any notice.

Uncontrolled data can also be easily stolen without the criminal even needing to penetrate the network. Having data open to a large amount of users, and with no visibility over access, means there are more targets for clever phishing emails aiming to trick users into exfiltrating the data. The proliferation of ransomware-as-a-service also makes it easy for criminals to purchase exploits to hold an organisation’s data hostage, and will work even faster on disorganised, unprotected data.

How can organisations get their data under control? 

It’s important to note that the GDPR is not designed to punish a company purely because it has suffered a data breach. Rather, it is more concerned with whether the company had sufficient protection in place before the incident, and followed best practice in investigating and alerting potential victims after the fact. 

Organisations are waking up to that fact that total security assurance is impossible – they cannot protect against every attack.They should be prepared for a security breach by equipping themselves with the ability to detect malicious activity by analysing data access – much like a credit card company monitors purchase activity for unusual signs that point to fraud. To achieve this, it’s vital that they can monitor file access and user behaviour. 

There also need to be solid processes in place to prevent valuable and sensitive information making its way from highly secure systems like databases onto file servers where data is often open to everyone and no one is watching what’s being accessed.  

The first step for any organisation should be to examine its security policies and, in particular, they absolutely need to maintain a least privilege model, where sensitive files can only be accessed by the bare minimum of users required. Locking down access to data and segmenting networks will also help to limit the damage of malware such as ransomware and worms that spread through the environment. These kinds of attacks will be able to spread far more quickly in systems where there is unrestricted access.

Priorities for meeting the GDPR

A common failing is for a company to invest in measures such as antivirus and firewalls, and assume they will be protected. For a financial organisation with a network full of personal and financial data, this is akin to investing in a state-of-the-art safe, but making no effort to check the contents, or even that the door has been closed.

Organisations need to question every layer of their defence and consider what could happen at every stage if the system or a user account is compromised. What data could be accessed, what could be lost or stolen, and how quickly would they be able to detect that something has happened? Basic controls, continuous monitoring, and data analytics are critical to answering these questions. 

Enterprises that still lack understanding about where their sensitive data is stored or how it is accessed should start by deploying automated data classification tools which can flag sensitive folders and list access. Armed with this knowledge, the company will be able to put in place systems and policies to organise and control access to data that should be restricted.

An essential part of meeting the demands of the GDPR is for a company to prove that it undertook best practice to prevent and limit potential data breaches. Even if a major incident does occur, a company that can demonstrate it has its data under control will be in a much stronger position.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post