Financial services organisations are entrusted with incredibly sensitive customer data and as a result, they allocate significant resources to maintain the trust of their customers, writes James Pattinson, Vice President, EMEA, at the software firm Absolute.
Despite their best efforts, financial services firms continue to be victims of data breaches. In just the past few months, a number of major financial institutions, such as Lloyds, have suffered major leaks, highlighting that no sector is safe from a loss of customer data. The most worrying part of this is that these breaches are a result of everyday, internal activities, and not the kind of attention-grabbing external hack that hit TalkTalk recently. Of course, the sector is more than aware of the issues it faces around data security. A recent study showed that cybercrime makes up 39 per cent of all economic crimes against the financial services sector, compared to 17 per cent for other types of business. As an industry it faces a number of stringent regulations designed to protect this data, and when financial services firms look for a one stop solution for all of their data protection needs, this can be where problems occur, as even the best single solution can fail. The financial services sector needs to take a layered approach to data security, using multiple and complementary methods to guard sensitive data. Below are some aspects of a layered security approach that can have the biggest impact in the financial services sector:
Protect your endpoints
The increased digitisation of data and mobile devices has made it easier than ever for employees to work remotely. While the benefits are clear, for many financial services organisations, it is of vital importance that particularly sensitive information doesn’t leave the premises. While there are clearly a number of draconian initiatives that can tackle this, a more nuanced approach can help preserve mobile working flexibility. This is where geo-location can be used to set up invisible ‘fences’ that can flag whenever a device that doesn’t have authorisation has left the premises. Once alerted, IT can take steps to safeguard that data, whether by blocking access to the device or deleting the data it contains.
Hidden
Of course, it’s not just those that are authorised to view sensitive data that can gain access to it. Other employees on the corporate network can download it, whether for malicious reasons or not. Once data is downloaded to a work device that can leave the premises, it can easily travel beyond the boundaries of the corporate network. The challenge for the IT department is maintaining the balance between employee freedom and wider security. Simply locking down IT systems won’t solve the problem and will reduce the massive productivity benefits of modern approaches to IT, such as mobile and flexible working. One solution is to implement technology that can detect whether a device contains sensitive data. A key part of this is recognising the characteristics and format of the sensitive data (such as credit card numbers, sort codes or account numbers) and financial related terms, and flagging when a device contains sensitive data. It is then possible for the IT team to take a closer look at the device if they’re concerned there has been a breach, or take actions such as deleting those sensitive files remotely in the event of a breach.
Weakest link
Even with a multi-layered technology approach, there is always one element that can let any organisation down – its employees. Employees should be considered a key part of your security. Broadly, there are two elements to this, along with the technology solutions. The first is policy, which should outline, in non-technical and non-legal language, exactly what employees are allowed to do with data and their work devices. The second element is training – ensuring your staff understands security policies and the risks and consequences of a data breach. These data security best practices need to be engaging, relevant and tailored to the jobs people are doing.
There is no magic bullet for security in the financial services sector. The only way companies can protect themselves is to take a truly holistic, layered approach to security and look at a myriad of ways that data can be lost or compromised. The sheer volume of sensitive data and the massive implications of a breach mean the financial sector can never be too safe when it comes to having the right technology and processes in place to guard against data breaches. Ultimately, anyone delivering financial services needs set the standard when it comes to data security, and those companies falling below that will quickly realise the value their customers place on this trust.
