Financial Services: Investing in Data Security Risk Mitigation

March 30, 2015
By: Ryan St Hilaire

In the words of the late Peter Drucker, “What gets measured gets managed”. This also holds true in today’s cyber threat landscape.

With the rapidly increasing interconnectivity of information, more endpoints than ever before are accessing the corporate network and the sensitive financial information it contains.

This pace of disruption has accelerated since the rise of the Internet and the subsequent smartphone and tablet revolution, shifting the primary interaction channel within the Financial Services industry from bricks and mortar into the hands of the customer. The rise of the ‘Internet of Things’ will ignite this further.

So if we follow Drucker’s guidance, mitigating data security risk requires measuring device activity and status, regardless of where the device is or who is using it. Even a junior employee now has access to sensitive information; if that employee goes rogue or simply loses a device, the exposure to the organization is significant.

This technology transformation also impacts the flow of data throughout the entire organization, with financial and personally identifiable information now in the hands of the customer and the employee, residing on a range of different devices.

On one hand, this evolution has significantly improved customer satisfaction, as in many cases employees can now view a customer’s financial history directly from their tablet and approve financing on the spot. Investment managers can also analyze a company’s performance, and relay information to fund managers instantly.

On the other hand, this sensitive data now resides beyond the bounds of traditional IT infrastructure – off the network and outside of the organization’s control.

Everyone wants satisfied customers. The challenge lies in achieving these benefits while mitigating significant data risk. So where to begin?

Quantify the risks

As a result of recent high-profile events, most of us are now familiar with the detrimental impact and resulting penalties of a data breach.

While the companies affected span all verticals, the financial services industry has been hit particularly hard, with 37 percent of breaches occurring within Financial Services organizations according to the 2013 Data Breach Investigations Report by Verizon. Cyber criminals view the valuable information that resides on each employee device as a prime target, and unfortunately malicious or negligent employee activity has become an increasing threat. All it takes is a single compromised endpoint to impact the entire organization and its customers.

Your biggest challenge is a lack of visibility and awareness.

There is no single security tool that will remove all potential points of weakness. Best practices include:


This layered approach provides multi-faceted coverage across most of the threat landscape. But visibility into the status of these defenses is imperative so you can assess potential risks.

You must be able to identify, manage, monitor and respond to any threats that may exist. Once a risk is quantified, a risk response tool will allow you to take action preemptively or even during the incident to minimize the potential of a data breach.

Lifecycle security

When evaluating your IT security infrastructure, you may only consider devices that are connected to the network. Or you may feel that the presence of encryption obviates any risk to the organization. It does not: full-disk encryption protects data at rest on a powered-off or locked device, but it offers no protection once a device is unlocked by a valid user, a credential is stolen, or the data is copied to an unmanaged location.

However, risk potential can occur throughout the lifecycle of a device:

These increasingly sophisticated attacks and scenarios demonstrate that financial services organizations must implement strong security measures from the moment a device is procured to the moment it is decommissioned or recycled.

Events will still happen so be prepared to respond

If a risk is identified, an immediate and appropriate response must occur to mitigate potential consequences. But the response must also consider end-user productivity. You don’t want to apply a “red alert” protocol in a situation where the device may not be at risk. On the other hand, you should never ignore a potential incident.

If the risk is assessed as minor or not yet quantified, precautionary action should be taken:

If the risk is assessed as significant, stronger action should occur:

Regardless of the nature of the event and the level of protection in place, security events will still occur. Ensure you have the proper tools in place, a well-defined security response protocol (including additional stakeholders such as Security Operations, PR, HR, etc.), and the ability to provide regulatory auditors with the information they need to prove the event was well managed.
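The tiered response described above can be made concrete by scoring each device from the status signals you already measure and mapping the result to a response level. The following is an added example, not code from the original article or from any product it describes. The status fields, the thresholds (a device is “stale” after seven days without checking in, ten failed logins in a day is suspicious), the sample inventory, and the action lists for each tier are all assumptions chosen for illustration; a real deployment would take them from the organization’s own risk standards and its endpoint management or security tooling.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Risk tiers mirroring the article's split between precautionary and
# significant responses. Thresholds and actions below are illustrative
# assumptions, not values taken from the article.
NONE, PRECAUTIONARY, SIGNIFICANT = "none", "precautionary", "significant"


@dataclass
class DeviceStatus:
    """One status snapshot, as an endpoint agent or MDM inventory might report it."""
    device_id: str
    last_checkin: datetime      # last time the device reported its status
    disk_encrypted: bool        # full-disk encryption enforced on the device
    reported_lost: bool         # owner or help desk flagged the device as lost/stolen
    failed_logins_24h: int      # failed local authentication attempts in the last day


def assess_risk(status, now, stale_after=timedelta(days=7), login_limit=10):
    """Return (tier, reasons) for one device snapshot.

    Significant: evidence the device is outside the organization's control and
    its data is exposed. Precautionary: a signal worth acting on but not yet
    proven harmful, so we avoid a "red alert" response on a device that may be fine.
    """
    days_silent = (now - status.last_checkin).days
    stale = (now - status.last_checkin) > stale_after
    reasons = []

    # Significant: the data is very likely already beyond our reach.
    if status.reported_lost:
        reasons.append("device reported lost or stolen")
    if stale and not status.disk_encrypted:
        reasons.append("unencrypted device silent for %d days" % days_silent)
    if reasons:
        return SIGNIFICANT, reasons

    # Precautionary: something is off, but the device may still be under control.
    if stale:
        reasons.append("no check-in for %d days" % days_silent)
    if not status.disk_encrypted:
        reasons.append("disk encryption not enforced")
    if status.failed_logins_24h >= login_limit:
        reasons.append("%d failed logins in 24h" % status.failed_logins_24h)
    if reasons:
        return PRECAUTIONARY, reasons
    return NONE, reasons


# Illustrative response playbook per tier (assumed, not from the article).
RESPONSES = {
    NONE: [],
    PRECAUTIONARY: ["notify device owner", "require re-authentication",
                    "schedule compliance check"],
    SIGNIFICANT: ["lock device on next check-in", "revoke device credentials and sessions",
                  "open incident with Security Operations"],
}


def plan_response(status, now):
    """Combine the assessment with the playbook so the outcome is auditable."""
    tier, reasons = assess_risk(status, now)
    return {"device_id": status.device_id, "tier": tier,
            "reasons": reasons, "actions": RESPONSES[tier]}


def triage(inventory, now):
    return [plan_response(s, now) for s in inventory]


# Constructed sample inventory for demonstration.
NOW = datetime(2015, 3, 30, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    DeviceStatus("tab-0417", NOW - timedelta(hours=2), True, False, 0),   # healthy
    DeviceStatus("tab-0422", NOW - timedelta(days=9), True, False, 0),    # silent, but encrypted
    DeviceStatus("lap-0131", NOW - timedelta(days=12), False, False, 0),  # silent and unencrypted
    DeviceStatus("lap-0140", NOW - timedelta(hours=1), True, True, 0),    # reported lost
    DeviceStatus("lap-0152", NOW - timedelta(minutes=30), True, False, 15),  # brute-force attempts
]

if __name__ == "__main__":
    for plan in triage(SAMPLE_INVENTORY, NOW):
        print("%-9s %-13s %s -> %s" % (plan["device_id"], plan["tier"],
                                      "; ".join(plan["reasons"]) or "-",
                                      ", ".join(plan["actions"]) or "no action"))
```

Note that the “silent but encrypted” tablet lands in the precautionary tier while the silent unencrypted laptop is treated as significant: the same missing check-in is weighed differently depending on what else is measured, which is the point of quantifying the risk before choosing a response. Recording the reasons alongside the tier gives auditors the trail the article asks for.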

Use existing regulatory framework to protect customer data and intellectual property 

While many of the regulatory guidelines within the financial services industry are focused on protection of personally identifiable data and user privacy, you must also implement security mechanisms to protect your intellectual property. The typical regulatory landscape can consist of:

These regulations, despite hundreds of pages of legislation, are largely not prescriptive as to the precise security controls you should adopt. Given the nature of the financial services industry and the evolving threat landscape, smart organizations will strive toward a higher standard of security, based on their own risk standards rather than the regulatory minimum.

While all risks cannot be mitigated completely, you must strive to protect devices throughout the lifecycle, identify risks as they appear, and be prepared to respond with an appropriate level of rigor depending on the situation. 

Edited by Dominick Sorrentino