By Paul Hampton, Payment & Crypto management expert at SafeNet
Over the past few years, data breaches have increased in frequency and size, making the need to protect sensitive information a top priority for businesses worldwide. According to the latest Breach Level Index report, there have been more than a thousand worldwide data breaches so far this year that compromised nearly 563 million data records of customers’ personal and financial information.
Big names targeted and exposed in the last 12 months include not only eBay, Adobe, Tesco and Morrisons, but also financial institutions such as the European Central Bank, JP Morgan Chase and HSBC.
Time and time again, attacks against banks have shown that breach prevention and threat monitoring alone will not keep cyber criminals out. Being breached is no longer a question of “if” but “when”. So what can banks and other financial institutions do to protect themselves and to keep data protected as it is stored, moved and used?
With the latest reports showing that the financial services industry accounts for more than 40 per cent of all data records stolen, the reality is that even the bigger players with more money to invest in security are not necessarily better protected. Banks are vulnerable to cyber-attacks which can be damaging both to the institution’s reputation and bottom line, as well as to customers’ confidence in the entire financial sector.
The new reality is that conventional data protection is outdated. While today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, content filtering, and threat detection, history has taught us that perimeters are eventually breached and made obsolete. Simply putting up a wall around the data and standing watch is no longer enough.
Organisations of all types, including financial institutions, often underestimate the risk to their business-critical data while it is in transit across public or private networks. It is not only systems and servers that are vulnerable to attack. Most banks today need to send and receive data across both internal and external networks, and once data leaves a host it is beyond the reach of the intrusion-prevention and anti-virus controls installed on that host. So as data travels across networks, internally and externally, it carries its own degree of risk exposure. Yet despite the increasing scale and sophistication of data breaches, organisations continue to invest the majority of their IT security budgets in the same perimeter defences they have relied on for years.
In this context, financial institutions should assume that prevention and threat detection tools can only go so far, and should use them as part of a layered approach to data security that continues to defend the data once criminals are inside the network. Data stored in plain text is readable by anyone who reaches it, so banks must move to a framework that is centred on the data itself and provides protection that stays with it wherever it is sent: tighter access control, stronger authentication and the use of encryption.
From the moment data is in motion, organisations are no longer in control of the path it takes. Data can be cheaply intercepted by cyber criminals for a number of reasons, ranging from data theft to blackmail. With encryption, banks keep control of their data even when it sits in the cloud or in their own data centre, because whoever obtains the ciphertext without the key obtains nothing usable. By moving security controls as close as possible to the data, banks can ensure that the information stays protected even after the perimeter is breached. This means they must view the protection of sensitive data not as a compliance mandate but as a responsibility essential to their success.
Financial institutions need to focus on a defence-in-depth strategy and on securing the breach, which means using data encryption as the last line of defence. The only way banks can maintain business and customer trust in their brand is by encrypting all of their financial and customer information, both in storage and in transit. Encryption only achieves this when the keys are held and managed separately from the data they protect; ciphertext stored alongside its own key is no better protected than plaintext, and a breach that captures both is not a secure breach at all.
In fact, banks can even increase customer trust by telling clients about the security measures that they have put in place to protect their data. By being open about the efforts they are making with regards to data protection, like encrypting data end-to-end, they can be perceived as trusted innovators. Banks can take this a step further and, as well as informing customers about what they are doing to protect them, can also tell them what to do in order to protect themselves and become safer consumers of services.
With threats changing daily, meeting the minimum legal requirements is no longer enough.
Banks need to be continually vigilant and take a multi-layered, dynamic approach to data security, one that keeps their data protected whether or not a breach occurs. Only banks that adopt a ‘secure breach’ approach, combining strong authentication, data encryption and key management, can be confident that data is useless should it fall into unauthorised hands.
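As an added illustration of the combination of data encryption and key management described above (this is example code written for this page, not code from the article's author or from SafeNet), the Go program below encrypts one customer record the way a "secure breach" design would store it. Each record gets its own data-encryption key (DEK), used with AES-GCM; that DEK is itself wrapped under a key-encryption key (KEK) that is assumed to live outside the database, in an HSM or key manager in a real deployment. The account identifier is bound into the authenticated data so a ciphertext cannot be moved to another row. A dump of the table therefore yields only ciphertext and wrapped keys, which is the "useless in unauthorised hands" property the article describes. The record layout, function names and sample data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredRecord is one database row as it would be persisted (illustrative layout).
// Only the lookup key is in clear; the data key is wrapped, the fields are ciphertext.
type StoredRecord struct {
	AccountID  string // non-sensitive lookup key, stored in clear
	WrappedDEK []byte // per-record data key, AES-GCM sealed under the KEK
	Ciphertext []byte // nonce || AES-GCM(fields), bound to AccountID via AAD
}

// sealGCM returns nonce||ciphertext||tag for plaintext under key; aad is
// authenticated but not encrypted. A fresh random nonce is drawn per call.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any change to ciphertext, tag or aad.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord draws a fresh 256-bit DEK, encrypts the fields under it and
// wraps the DEK under the KEK. The KEK itself is never written to the database.
func EncryptRecord(kek []byte, accountID string, fields []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	aad := []byte(accountID)
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := sealGCM(dek, fields, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{AccountID: accountID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord requires the KEK: without it the DEK cannot be unwrapped,
// so a copy of the stored rows alone reveals nothing.
func DecryptRecord(kek []byte, r StoredRecord) ([]byte, error) {
	aad := []byte(r.AccountID)
	dek, err := openGCM(kek, r.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dek, r.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed KEK; an HSM or KMS would hold this in practice
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "acct-1001", []byte("PAN=4111111111111111;name=Jane Doe"))
	if err != nil {
		panic(err)
	}
	// This is all an attacker holding a database dump sees for the row.
	fmt.Println("row:", rec.AccountID, hex.EncodeToString(rec.WrappedDEK), hex.EncodeToString(rec.Ciphertext))
	moved := rec // ciphertext copied onto another account: the AAD check rejects it
	moved.AccountID = "acct-2002"
	_, err = DecryptRecord(kek, moved)
	fmt.Println("moved row decrypts:", err == nil)
	pt, _ := DecryptRecord(kek, rec)
	fmt.Println("genuine row:", string(pt))
}
```

Decryption fails with the wrong KEK, with the ciphertext re-attached to a different account ID, or with any bit of the stored ciphertext altered, which is what makes the stolen rows useless rather than merely inconvenient to read. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every record.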