By Mark Edge, Country Manager UK & VP Sales, Brainloop, January 2015
In early 2014, Barclays Bank suffered a data leak in which the personal details of an estimated 27,000 customers were exposed. Confidential customer data, including passport details and national insurance numbers, was leaked, along with financial and health information.
In an ever-increasing digital landscape, the way organisations, especially banks and financial institutions, handle data is a top priority. Organisations need to protect themselves from both insider and outsider threats.
As well as a loss in customer confidence, the leakage of data can be financially costly for banks. The Information Commissioner’s Office, which is the data privacy watchdog within the UK, can impose fines of up to £500,000 for serious breaches. Banks are also subject to an unlimited fine from The Financial Conduct Authority if they are found to have breached the rules.
Research carried out at the end of last year showed that all organisations are being targeted by a growing number of sustained, sophisticated spear phishing campaigns. It was revealed that there was a 62 percent rise in the victims of such attacks in the last year. Employees can unwittingly interact with these emails and as a result, data can be leaked.
Both intentional and unintentional actions by employees have left businesses concerned. Thirty-seven percent of respondents at Infosecurity Europe 2014 said rogue employees are the biggest threat to security. That is a higher figure than those who believe cyber attacks are the main concern.
But what measures can banks and financial institutions put in place to reinforce their data security regimes and make them more resilient? Here are five key points that organisations within the sector should bear in mind when examining their data security model:
- It’s more than compliance
Compliance with legislative and regulatory requirements and internal company policies is mandatory in today’s financial organisations. Failures can lead to significant career and financial penalties. But compliance with legislation and policies designed to improve security may not be sufficient if the policies are not kept up to date to address growing cyber threats. Organisations should regularly review compliance requirements to make sure they are current.
- Protecting data is key
Infrastructure is both highly flexible and increasingly vulnerable in the age of BYOD (Bring Your Own Device). Mobility and cloud services bring many more ways to access data and the infrastructure on which it resides, thereby increasing the risk profile considerably. With data and information at the core of the risk from challenges such as the Advanced Persistent Threat, financial organisations need to concentrate on protecting the data itself, as well as the infrastructure.
Sensitive data is constantly at risk. Financial institutions need to implement file sharing and collaboration tools with a user interface that is highly functional, intuitive and easy to learn. These tools should give insiders and collaborating organisations the utmost control in managing sensitive data. The implementation of data classification standards should also be considered to improve the protection of sensitive information.
- Security knows no boundaries
Knowledge workers are everywhere. Their eyes and ears can provide a high degree of security protection. Financial organisations must ensure knowledge workers are aware of current threats and are able to recognise risky situations quickly.
End-users are also partners and providers, particularly in the emerging era of cloud computing. Provider shielding is a necessity to ensure the provider cannot access the customer data. A provider can still add value in helping clients to build a private cloud without being privy to its content.
- Focus on what’s important
While the expression was coined by Frederick the Great of Prussia, it is still relevant in a data security context where leadership needs to think effectively about what needs the most protection. The initial focus should be on highest risk areas with action being taken there first instead of trying to safeguard everything. This is a key requirement for risk-driven approaches to security and data protection policies. Such areas might include board and committee communications, M&A related data, market data, patents and designs, contractual data and anything considered as the IP of the organisation, such as research.
External stakeholders pose risk, but internal stakeholders can pose an even greater danger. Organisations should focus on areas such as access and privacy controls and instil security policy and compliance from the inside out. If they guard with targeted precision, their protection will be stronger.
- Keep it simple
As Einstein said: “Things should be made as simple as possible, but not any simpler.” Security should be as simple and user friendly as possible, but still adequate to meet the needs of the organisation.
To ensure compliance and improve security, security training and qualification should be easy to execute. The quality of training is essential, as employees will frequently fail to read a security policy or not have the time to do so. Some leading organisations are using gaming technology in their security training to help engage staff members with security policies and practices.
Security product and service firms are also starting to focus on effective interfaces and performance levels in their designs. Financial organisations should select the best systems and services to enable their policies. In some cases, it could be as easy to be secure as it is to send a file. All it takes is one click.