Due to the nature of its work, the investment banking industry is an attractive target for cybercriminals looking to steal sensitive customer data and to gain valuable information on business negotiations such as mergers and acquisitions. It is also a sector particularly prone to insider threats due to the high risk of insider trading.
Investment banks are primarily known as intermediaries between corporations and the financial markets. They help their corporate clients issue shares of stock in an initial public offering (IPO), arrange debt financing for them, and facilitate mergers and acquisitions. They also cater to the investment needs of high-net-worth individuals and often include retail banking and trading divisions. As such, they have access to highly sensitive and valuable financial and corporate information, but also collect large amounts of personally identifiable information (PII).
According to the IBM X-Force Threat Intelligence Index, the banking and financial services industry is a highly targeted sector of business year after year. It also comes with the second-highest cost per data breach of any industry: $5.85 million, well above the global average cost of $4.24 million/data breach.
This is the consequence not only of the highly valuable data investment banks and financial services stand to lose, but also the heavily regulated nature of the financial sector. In the US, specialized legislation like the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA) address data security and management, while standards such as the Payment Card Industry Data Security Standard (PCI DSS) were adopted worldwide to protect cardholder data. In the EU, the General Data Protection Regulation (GDPR) applies to personal information which includes PII, but also financial data such as account numbers that can be used to identify individuals.
How can investment banks strengthen data security?
Investment banks have long recognized the importance of data security to their sector, and many already have complex cybersecurity frameworks in place. These feature both basic security measures such as the use of antivirus software and firewalls, but also more complex policies for data access on a need-to-know basis, authentication, and encryption.
But what can investment banks do to strengthen data security and ensure their data protection strategy is a success? Here are our top tips.
1. Address internal threats
Insiders are one of the major vulnerabilities investment banks face. They can take the form of malicious insiders seeking to benefit financially from sensitive information they have access to or looking to take important client information with them when they move on to their next place of employment. They can also be careless insiders who may lose or make sensitive information public.
Many cybersecurity strategies focus on protection from outsider threats and fail to account for potential data loss resulting from insiders. One way investment banks can address them is by implementing Data Loss Prevention (DLP) solutions that focus on the direct protection of sensitive data rather than company networks or work devices.
Through them, investment banks can define what sensitive data means to them, monitor where and how it is being used and by whom, and control its transfer and use. Through contextual scanning and content inspection, DLP tools like Endpoint Protector can identify sensitive data in hundreds of file types and block its transfer through unauthorized channels such as personal email addresses, file sharing, and cloud services and messaging apps. They also prevent individuals from using features such as copy-pasting and printing documents and files containing sensitive data.
2. Educate employees at all levels
Another significant risk faced by investment banks are phishing and social engineering attacks. Through them, cybercriminals target employees directly, trying to trick them into revealing credentials, downloading infected attachments, or accessing malicious links.
When it comes to investment banks, top management with privileged access to confidential information is often the victim of social engineering attacks that manipulate individuals into exposing data and giving access to restricted systems through personalized interactions.
This is why investment banks must create security awareness programs that educate employees at all levels about how they may be targeted and what they need to do if they identify a potential attempt at phishing or social engineering. By raising awareness and vigilance, investment banks can minimize the chances of data leaks through such attacks.
3. Protect data on the move
Sensitive data does not always remain on the premises of a company office. Employees can take their work devices with them when they join important meetings off-site, attend conferences or events or choose to work from home. This can constitute a problem to overall data security as many data protection policies are applied at network level which means once a device is taken out of the office, it no longer has the same level of protection.
Investment banks need to ensure that data on the move is just as secure as it is within the company network. In fact, they are obligated to do it: most data protection laws and standards require that sensitive data be continually protected.
A way for investment banks to address this issue is to apply security solutions directly on the endpoint. Tools such as DLP solutions, when applied on the endpoint, continue to apply data protection policies whether devices are connected to the company network, a public or home WiFi network, or not connected to the internet at all, thus ensuring uninterrupted data protection.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.