Six steps to protecting data in financial services companies
There is no shortage of news headlines about companies falling victim to cyber breaches and the astounding costs associated with them. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, a 15% increase since 2020. For the financial services industry, the cost is even higher at $5.9 million per breach; that is 28% above the global average.
In addition to the higher price tag associated with a cyber breach, companies within the financial industry must also adhere to evolving compliance regulations that dictate how they respond to an attack and where they must invest to reduce the total risk.
The financial industry is an attractive target for attacks. This is evident in the fact that UK-based financial services firms reported a more than threefold increase in the number of cybersecurity breaches to the Information Commissioners Office (ICO) in the 12 months to June 2023. While cyberattacks are on the rise, there are several measures that financial organisations can take to help safeguard sensitive data and achieve compliance in the event of a cyber breach.
1. Protect the Data First
Should a financial business fall victim to a cyber-attack, attackers would have access to millions of transaction and client records. To safeguard these records, the company should prioritise a data-centric, zero-trust security posture with fine-grained data protection. With many enterprises today having users and partners working from anywhere, stringent controls need to be in place to minimise the opportunity for potential threat actors and malicious insiders to access and exploit an organisation’s sensitive data.
In addition to this, financial organisations stand to benefit from treating all sensitive data the same as critical payment data (PCI-DSS). In adopting this security standard, companies will meet the 12 fundamental criteria that make it more difficult for bad actors to acquire critical data. It is an effective measure against fraud and misuse.
2. Achieve Cross-border Compliance
Data compliance is a key component of doing business today, particularly for the financial industry. However, different regions have different regulations in place and these often change, making it a challenge to stay abreast of the latest requirements, particularly if a company is working across borders.
To help overcome this, companies should consider investing in a security platform that can centralise administration and standardise data protection enforcement policies across state and country borders, data environments.
3. Get Board-level Involvement
Just as regulatory compliance is an ongoing process that requires collaboration across your organisation, from senior leadership down, so too is cybersecurity, with strong executive support leading to better cyber defences.
Traditionally the board takes a long-term approach to the business, looking beyond the day-to-day requirements. This approach should also be applied to cybersecurity, with the board taking ownership, assigning responsibility for cybersecurity to a trusted senior executive, and driving the topic top-down through the organisation. This top-down approach will drive a cultural shift in cybersecurity across the organisation.
4. Elevate and Empower Cybersecurity Departments
Security Operations (SecOps) is a highly skilled team that has been tasked with safeguarding the organization’s assets and protecting the customer’s data. However, organisations are facing an increasingly sophisticated threat landscape and SecOps are becoming increasingly complex. To help overcome some of these complexities and challenges, SecOps must be empowered with the tools and talent to mitigate and respond to data breaches more effectively.
5. Spend Smarter, Not Harder
To minimise potential cyber risks and protect the business, companies are spending vast amounts on cybersecurity. While the investment in cybersecurity is necessary, to stay a step ahead companies need to invest strategically in end-to-end data protection that safeguards the ‘crown jewel’ often targeted by cybercriminals, as these criminals will continue to find new and savvier ways to get through the perimeter to access this data.
6. Enable Privacy-empowered Data Sharing To innovate, grow the business and revenues often it is necessary to share data across departments, business units, partners or suppliers in different, cities or even on different continents. In protecting their data, companies must not overlook this data in motion, also known as data in transit, which is the transmission of digital information from one location to another. This data can include data transfers between devices, data sent across the Internet, and data sent to virtual private networks (VPN).
With data in motion often transmitted over the internet, which requires the data to leave the secure confines of a network perimeter, it needs to be secured through encryption to prevent it from being viewed or changed. However, de-identifying data with pseudonymisation and anonymisation adds a further layer of protection to keep data secure wherever it travels.
Protecting the data of a financial organisation must be a key priority for the business. Not only do customers expect this, but there could also be significant regulatory implications of not adhering to data protection legislation. Achieving this is a complex process that not only requires investment in the right technologies and tools that can protect data and empower IT departments to mitigate potential data breaches, but also requires senior leadership to drive a cultural shift throughout the organisation which sees everyone working towards keeping data secure and minimising potential risks which not only has regulatory implications but importantly could impact customer and employee trust, and the overall reputation of the business.