Financial Services: Investing in Data Security Risk Mitigation

By Ryan St Hilaire March 30, 2015

In the words of the late Peter Drucker, “What gets measured gets managed”. This also holds true in today’s cyber threat landscape.

With the rapidly increasing interconnectivity of information, more endpoints than ever before are accessing the corporate network and the sensitive financial information it contains.

This pace of disruption has accelerated since the rise of the Internet and the subsequent smartphone and tablet revolution, shifting the primary interaction channel within the Financial Services industry from bricks and mortar into the hands of the customer. The rise of the ‘Internet of Things’ will ignite this further.

So if we follow the guidance of Drucker, mitigating data security risk requires measuring device activity and status, regardless of where the device is or who is using it. A low-level employee in today’s information age has access to sensitive information, and if they become rogue or inadvertently lose their device, the risk to the organization is significant.

This technology transformation also impacts the flow of data throughout the entire organization, with financial and personally identifiable information now in the hands of the customer and the employee, residing on a range of different devices.

On one hand, this evolution has significantly improved customer satisfaction, as in many cases employees can now view a customer’s financial history directly from their tablet and approve financing on the spot. Investment managers can also analyze a company’s performance, and relay information to fund managers instantly.

On the other hand, this sensitive data now resides beyond the bounds of traditional IT infrastructure – off the network and outside of the organization’s control.

Everyone wants to have satisfied customers. But the challenge lies in achieving these benefits while mitigating significant data risk. So where to begin?

Quantify the risks

As a result of recent high-profile events, most of us are now familiar with the detrimental impact and resulting penalties of a data breach.

While the companies affected span all verticals, the financial services industry has been hit particularly hard, with 37 percent of breaches occurring within Financial Services organizations according to the 2013 Data Breach Investigations Report by Verizon. Cyber criminals view the valuable information that resides on each employee device as a prime target, and unfortunately malicious or negligent employee activity has become an increasing threat. All it takes is a single compromised endpoint to impact the entire organization and its customers.

Your biggest challenge is a lack of visibility and awareness.

There is no single security tool that will remove all potential points of weakness. Best practices include:

  • Encryption
  • Anti-malware / anti-virus
  • Data monitoring
  • Remote security capabilities for devices on and off network
  • Strong password protocols
  • Employee education in endpoint security

This layered approach provides multi-faceted coverage across most of the threat landscape. But visibility into the status of these defenses is imperative so you can assess potential risks.

You must be able to identify, manage, monitor and respond to any threats that may exist. Once a risk is quantified, a risk response tool will allow you to take action preemptively or even during the incident to minimize the potential of a data breach.

Lifecycle security

When evaluating your IT security infrastructure, you may only consider devices that are connected to the network. Or you may feel that the presence of encryption obviates any risk to the organization.

However, risk potential can occur throughout the lifecycle of a device:

  • Newly provisioned devices are typically distributed with a simple password that the end user must change. If an enterprise-strength password is not used or if the employee writes their new password down (it happens), the device is no longer secure.
  • Devices in transit – either going to or with a remote employee – can be targeted as an access point to sensitive data.
  • Social engineering and phishing have become increasingly popular mechanisms used by cybercriminals. All they need is a device as an access point.
  • Hardware lifecycles have shortened dramatically, with typical upgrade cycles occurring every 2-3 years. If a device is redistributed or decommissioned without a secure end-of-life data delete process, your financial information could fall into the wrong hands.

These increasingly sophisticated attacks and scenarios demonstrate that it is imperative for financial services organizations to implement strong security measures – from the moment a device is procured to the moment it is decommissioned or recycled. 

Events will still happen so be prepared to respond

If a risk is identified, an immediate and appropriate response must occur to mitigate potential consequences. But the response must also consider end-user productivity. You don’t want to apply a “red alert” protocol in a situation where the device may not be at risk. On the other hand, you should never ignore a potential incident.

If the risk is assessed as minor or not yet quantified, precautionary action should be taken:

  • Remove the device from internal networks
  • Freeze the device and reach out to the end user to validate
  • Monitor the device to determine what’s happening

If the risk is assessed as significant, stronger action should occur:

  • Delete data remotely
  • Implement an investigation
  • Conduct a post-mortem to determine how the event occurred and to ensure it doesn’t happen again

Regardless of the nature of the event and the level of protection in place, security events will still occur. Ensure you have the proper tools in place, a well-defined security response protocol (including additional stakeholders such as Security Operations, PR, HR, etc.), and the ability to provide regulatory auditors with the information they need to prove the event was well managed.
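The tiered response above, together with the device-status measurement the "Quantify the risks" section calls for, can be expressed as a small posture-scoring routine: measure each device, score what was measured, pick the response tier, and keep a record an auditor can read. The Python below is an added example and is not code from the article or from Absolute Software; the posture fields, weights, thresholds, lifecycle stages and sample inventory are all constructed assumptions for illustration.

```python
"""Device-posture scoring with a tiered response playbook (illustrative, not vendor code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Assumed weights and thresholds; tune them to your own risk standards.
MINOR_THRESHOLD = 1
SIGNIFICANT_THRESHOLD = 40
AV_MAX_SIGNATURE_AGE_DAYS = 7
MISSING_DEVICE_DAYS = 14

# Lifecycle stages are an assumption that mirrors the article's procure-to-decommission view.
LIFECYCLE_STAGES = ("provisioned", "in_transit", "active", "decommissioning")


@dataclass
class DevicePosture:
    """Measured status of one endpoint, as an inventory agent might report it."""
    device_id: str
    lifecycle_stage: str
    encrypted: bool
    av_signature_age_days: int
    default_password_changed: bool
    on_corporate_network: bool
    days_since_checkin: int
    data_wiped: bool = False  # only meaningful once a device reaches "decommissioning"


def score_device(d: DevicePosture):
    """Turn measured facts into a numeric score plus the findings behind it."""
    if d.lifecycle_stage not in LIFECYCLE_STAGES:
        raise ValueError(f"unknown lifecycle stage: {d.lifecycle_stage}")
    score, findings = 0, []
    if not d.encrypted:
        score += 40
        findings.append("disk not encrypted")
    if d.av_signature_age_days > AV_MAX_SIGNATURE_AGE_DAYS:
        score += 15
        findings.append(f"anti-malware signatures {d.av_signature_age_days} days old")
    if d.lifecycle_stage == "provisioned" and not d.default_password_changed:
        score += 25
        findings.append("default provisioning password still in use")
    if d.lifecycle_stage == "in_transit" and d.days_since_checkin > 3:
        score += 20
        findings.append("device in transit has not checked in")
    if not d.on_corporate_network and d.days_since_checkin > MISSING_DEVICE_DAYS:
        score += 20
        findings.append("off-network and unaccounted for")
    if d.lifecycle_stage == "decommissioning" and not d.data_wiped:
        score += 40
        findings.append("decommissioning without a verified data delete")
    return score, findings


def classify(score: int) -> str:
    """Map a score onto the article's minor / significant tiers."""
    if score >= SIGNIFICANT_THRESHOLD:
        return "significant"
    if score >= MINOR_THRESHOLD:
        return "minor"
    return "none"


# Response actions as listed in the article, keyed by tier.
PLAYBOOK = {
    "none": [],
    "minor": [
        "Remove the device from internal networks",
        "Freeze the device and reach out to the end user to validate",
        "Monitor the device to determine what's happening",
    ],
    "significant": [
        "Delete data remotely",
        "Implement an investigation",
        "Conduct a post-mortem",
    ],
}


def plan_response(d: DevicePosture) -> dict:
    """Produce one auditable record: what was measured, how it scored, what will be done."""
    score, findings = score_device(d)
    tier = classify(score)
    return {
        "device_id": d.device_id,
        "assessed_at": datetime.now(timezone.utc).isoformat(),
        "posture": asdict(d),
        "score": score,
        "tier": tier,
        "findings": findings,
        "actions": list(PLAYBOOK[tier]),
    }


def triage_fleet(fleet) -> list:
    """Assess every device and return the plans, highest risk first."""
    return sorted((plan_response(d) for d in fleet), key=lambda p: p["score"], reverse=True)


def audit_json(plans) -> str:
    """Serialize the plans so the record can be handed to regulators or auditors."""
    return json.dumps(plans, indent=2)


# Constructed sample inventory (device IDs and values are made up for this example).
SAMPLE_FLEET = [
    DevicePosture("FIN-LAPTOP-001", "active", True, 2, True, True, 0),
    DevicePosture("FIN-TABLET-017", "provisioned", True, 1, False, True, 1),
    DevicePosture("FIN-LAPTOP-042", "active", False, 30, True, False, 21),
    DevicePosture("FIN-LAPTOP-099", "decommissioning", True, 60, True, False, 0, data_wiped=False),
]

if __name__ == "__main__":
    print(audit_json(triage_fleet(SAMPLE_FLEET)))
```

The point of the structure is that every action traces back to a measured fact: the `findings` list in each record explains why a device landed in its tier, which is exactly what an auditor asks for after the event and what lets you avoid a "red alert" on a device that was never at risk.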

Use existing regulatory framework to protect customer data and intellectual property

While many of the regulatory guidelines within the financial services industry are focused on protection of personally identifiable data and user privacy, you must also implement security mechanisms to protect your intellectual property. The typical regulatory landscape can consist of:

  • Gramm-Leach-Bliley Act requires financial institutions to take measures to encrypt customer information when in transit or in storage
  • Payment Card Industry Data Security Standard (PCI DSS) requires anti-virus software to be used and frequently updated
  • EU Data Protection Directive requires that organizations protect the integrity of personal data and take steps to prevent unauthorized access to this data
  • State data breach notification laws vary by state but can often carry the most significant consequences

These regulations, despite hundreds of pages of legislation, are not prescriptive as to the precise security standards you should adopt. Due to the nature of the financial services industry and the evolving threat landscape, smart organizations will strive toward a higher standard of security, based on their own risk standards.

While all risks cannot be mitigated completely, you must strive to protect devices throughout the lifecycle, identify risks as they appear, and be prepared to respond with an appropriate level of rigor depending on the situation.

Edited by Dominick Sorrentino

Vice President, Product Management, Absolute Software
