The importance and sensitivity of the information that financial institutions collect, whether they are banks, insurers or providers of other financial services, was acknowledged well before the advent of digital records. A push for accountability and transparency has produced laws such as the Sarbanes-Oxley Act (SOX), which governs the integrity of financial reporting and the records behind it, and the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions in the US to safeguard customers' nonpublic personal information. Across the pond in Europe, the EU's General Data Protection Regulation (GDPR) applies broadly to personal data, and financial information falls squarely within it.
When it comes to data protection, the financial sector is one of the most heavily regulated. This is due not only to the volume of data it processes or the external threats it faces, but also to its history of internal scandals, such as those at Enron and WorldCom in the early 2000s, which prompted SOX. The result is an at times rigid set of requirements that companies must adhere to or risk monetary penalties and, in some cases, criminal liability for the individuals responsible.
How can financial institutions then best protect their data? They must, of course, comply with local data protection legislation, but also with industry standards such as PCI DSS for cardholder data. Their answer is often to adopt strict internal security policies and complex perimeter defenses for their company networks. While these are adequate measures against external threats, they often overlook a larger risk to data protection: data loss caused by internal rather than external actors, most of it unintentional.
When imagining threats to data, we are tempted to think first of headline-grabbing cyberattacks and the malicious outsiders behind them, but the reality is more mundane: in 2018, the IAPP reported that no less than 84% of data breaches were unintentional and the result of employee carelessness. Even the infamous Equifax breach, which exposed the records of nearly 146 million Americans, was reportedly rooted in staff failing to act on a security warning: a patch notice for a known vulnerability in the Apache Struts framework that went unaddressed for months.
What can companies do to address this threat to sensitive data and their compliance with data protection regulations? Here are a few tips!
Educate your employees
Employee negligence is often the result of a poor understanding of why data protection matters. Employees favor their own convenience when carrying out work tasks and are unaware of the consequences of exposing data carelessly: a spreadsheet of account details e-mailed to a personal address or copied to a USB stick to finish at home is a breach, even when nobody malicious ever sees it. Security awareness programs can help them recognize the importance of data protection in the workplace and the negative outcomes that can follow from mishandling data.
For this kind of training to be effective, the programs must be tailored to the company's own needs and to the audience they address. It is not enough for them to be informational; they must also leave employees with concrete takeaways they can easily put into practice, such as which channels are approved for sending customer data and whom to contact when a device is lost.
Data Loss Prevention tools
Another way to reduce the impact of employee carelessness is to implement Data Loss Prevention (DLP) solutions such as Endpoint Protector, which allow administrators to define what counts as sensitive data and then monitor and control how it moves. Detection combines content inspection (matching patterns such as card numbers, account numbers or national ID formats, and validating candidates with checks such as the Luhn algorithm to cut false positives) with contextual signals (file type, destination, user, nearby keywords) to reach a useful level of accuracy. On that basis the tool can block or log transfers of sensitive data outside the company network, whether over the internet or to unauthorized removable devices.
DLP tools can also scan company endpoints for data at rest and take remediation actions, such as deletion or encryption, when sensitive data is found on the computers of users who are not authorized to hold it.
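The combination of content and contextual scanning described above, as an added illustration rather than code from Endpoint Protector or any other product: a regular expression finds candidate card numbers, the Luhn check drops digit runs that merely look like one (ticket and invoice numbers are the classic false positive), and nearby keywords raise the confidence of a hit. The sample text, the keyword list and the 40-character context window are constructed for the example; the three card numbers used are the card networks' published test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# grouped with single spaces or hyphens, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Context words that raise confidence when they appear near a candidate
# (an assumed, illustrative list). Word boundaries keep a term such as
# "exp" from firing on "expand" or "company".
CONTEXT_TERMS = re.compile(
    r"\b(card|visa|mastercard|amex|cvv|exp|expiry|account|iban)\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the scanned text
    masked: str      # PAN with all but the last four digits masked, safe to log
    confidence: str  # "high" when a context term is nearby, otherwise "medium"


def scan_text(text: str, window: int = 40) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN in text, scanning line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue  # content check failed: a ticket or invoice number, not a card
            nearby = line[max(0, m.start() - window): m.end() + window]
            has_context = CONTEXT_TERMS.search(nearby) is not None
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding(line_no, masked, "high" if has_context else "medium"))
    return findings


# Constructed sample: a support note, an order line and a refund note, not
# real customer data. 4111... and 4012... are published Visa test numbers and
# 5500... a published Mastercard test number; 1234567890123456 fails Luhn.
SAMPLE = """\
Customer card 4111 1111 1111 1111, exp 09/27, support ticket 1234567890123456
Order ref 4012888888881881 shipped Monday, invoice total 1,200.00
Refund to account 5500-0000-0000-0004 approved by branch manager"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.masked} ({f.confidence})")
```

Run on the sample, the scanner reports the card on line 1 and the account on line 3 as high-confidence hits, the bare number on line 2 as medium confidence, and nothing for the ticket number, which passes the regex but fails Luhn. A real DLP policy would act on these findings differently depending on the channel: block a medium or high hit leaving over webmail or USB, but only log it in an internal finance share.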
Knowing where your data is and who has access to it is one of the foundations of any successful data protection strategy and an important part of any compliance effort. Logging the movements of sensitive data also offers a significant advantage during an audit, or when a company must show regulators evidence of its data protection measures.
DLP and data classification tools can be used to define and identify sensitive data on company networks. Its movements can then be monitored and reported, giving organizations a better grasp of how sensitive data flows through their systems and where it is most exposed.
Secure data on the move
Another blind spot in data protection strategies is data on the move. Employees are increasingly mobile: traveling for business or working from home, they use portable devices and take sensitive data with them. Incidents are common; a forgotten USB stick or a stolen or misplaced laptop can turn into a data breach in an instant.
The straightforward answer for data on the move is encryption. If all data copied to USB devices, for example, is encrypted, it cannot be read without the password or key that protects it. Should the device be lost or stolen, the company can be confident the data on it is useless to whoever finds or takes it, provided the password is strong and is not stored alongside the device. Note that encryption addresses the lost-device case only: it does nothing to stop an authorized user from copying the data off the device once it is unlocked, which is where the DLP controls above come in.
Windows, as the most prevalent operating system in the workplace, tends to be at the heart of most security solutions. However, with the rise of Macs in the enterprise and the preference for Linux in certain sectors, it is worth remembering that, because data loss is an employee-centric phenomenon, it happens regardless of the operating system.
Companies must, therefore, look for solutions that are cross-platform. It is also important to verify that they offer feature parity across operating systems: many products claim to be cross-platform but in fact focus on one OS, most frequently Windows, while offering weaker, less capable features for the others. Checking that the same policies (device control, content inspection, enforced encryption) apply to a Mac or Linux endpoint as to a Windows one is a sensible part of any evaluation.