With increasing costs of data breaches, challenges coming from remote work, and stricter regulations, securing sensitive data is a top priority for finance and banking institutions.
After taking a deeper look at the security challenges that law firms face, we’ve continued our series of live Security Briefings by focusing on how finance and banking institutions can avoid the operational disruption, financial loss, and reputational damage that results from data loss.
This time our speakers included Tim Deluca-Smith (Chief Marketing Officer at CoSoSys), Carmen Oprita (Sales & Business Development Manager at CoSoSys), and Jay Kay (Technical Account Director at Askaris Cyber Security). They discussed the hot topics in data protection for the banking and finance industry, including the pain points of companies in this sector, the most prevalent security threats, and best practices for implementing a Data Loss Prevention (DLP) strategy.
Key insights from our Security Briefing
Check out some of the most important highlights from the Security Briefing.
With the second-highest cost of a data breach, financial companies had to strengthen their security posture.
It shouldn’t come as a surprise that the financial industry had the second-highest average total cost of a data breach (after healthcare) with a reported $5.72 million price tag according to the Cost of a Data Breach Report 2021. This is largely driven by the fact that companies in this sector handle huge amounts of customer PII such as address details, Social Security Numbers, credit card details, etc.
The cost of a data breach can be broken down into three main areas:
- Financial penalties by a regulator (such as non-compliance penalties for PCI DSS or GDPR);
- Operational disruption, as organizations have to divert resources to contain and mitigate the problem;
- And brand damage.
The sudden shift to remote and hybrid work models due to the pandemic made banks and financial institutions more aware of the increased risks.
“In the last two years, companies had to implement a hybrid model, and as they didn’t have the traditional secure company network anymore, the security focus has moved onto the endpoint. This is very important for financial institutions because of the data types they are handling such as PII and credit card information. Security has definitely increased at the endpoint level,” Carmen said.
But where are security threats actually coming from?
Although the media usually suggests that the most significant threats to an organization’s data are external malicious actors trying to crack through the network and extract information, the reality is quite different.
“More than 50% of data breaches are caused by employee negligence or malicious insiders. While the malicious insiders obviously want some financial gain, employee negligence refers to mistakes. Examples include lost USBs, misdirected emails, shadow IT, or storing sensitive information on the endpoint. I think that’s why this whole concept of insider threats has become so large right now,” Tim explained.
If a malicious insider causes a data breach, identifying it takes even more time. While the average time to detect a breach is 212 days, if there’s a malicious insider behind it, the duration increases to 231 days on average, according to the Cost of a Data Breach Report 2021.
“Insiders have more resources behind them, and more know-how, so more chances that it would go undetected. Someone internal wouldn’t take the data straight away; first, they’d try to figure out what they can access and how they can access it. They are not getting data out straight away because that would bring some alarm onto themselves,” Jay added.
So employees can make mistakes, break the rules intentionally, or be compromised.
“Employees can receive emails supposedly from their CEO, asking them to send some confidential client records to an email address. They might think they’re doing the right thing – even if they’ve had their security training – because it’s the CEO. So it’s at that point where we have to put our trust into a DLP solution to block that activity and make sure it doesn’t happen regardless of the context,” Tim said.
What happens at the endpoint matters.
Remote work has changed the way we work and has also increased the risk of data loss. Confidential information can flow uninhibited across emails, messages, devices, networks, and more without proper security controls. Consequently, managing devices and exit points, such as browsers, sharing apps, instant messaging apps, print screens, and copy-pasting activities, is essential to ensure data security.
When companies in the financial sector look at their security stack, they have to look at endpoints and ensure they have control even when devices go offline.
“If you’re relying completely on network tools, cloud security tools, the minute your device goes offline, that’s it. You’re losing either visibility or control over that endpoint. So, start to think about what those potential risks would be. It could be something as obvious as printing or trying to move content to a removable storage device. It might also be something more subtle, such as changing file names or file extensions” – Tim highlighted.
Make data security part of your culture.
Technology won’t change things overnight; companies also need a cultural change, which requires a top-down approach.
“Security is a cultural shift; a lot of people don’t understand what is going on, why it is going on, and what has been implemented. The culture needs to come from the top down, not the bottom up. Business leaders, including the CEO, CFO, CISO – they need to show good practices first,” – Jay mentioned.
The advice to companies planning to deploy a DLP solution (and not only DLP) is to break the rollout down into three steps.
“First, roll out the solution in a phased approach, preferably by departments, so that you can set and refine policies specific to the work of that department. Just as important is to roll out the solution in monitoring mode,” – Carmen said.
After reviewing the reports for one month or even longer, the cybersecurity team can refine the policies with the help of the departments.
“Finally, a DLP solution is not a set and forget type of solution: the IT team constantly needs to get user feedback, adjust the policies and train the employees” – Carmen concluded.
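To make the three-step rollout concrete, here is an added example (constructed for this article, not Endpoint Protector or CoSoSys code) of a toy policy evaluator: policies are scoped per department so they can be phased in, each department starts in monitoring mode before switching to blocking, and content leaving through an exit point such as USB or email is checked for the PII types mentioned above (credit card numbers, validated with Luhn, and SSNs). The department names, exit-point labels and sample content are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example: a toy DLP policy evaluator, not a vendor's code.
# Policies are scoped per department (phased rollout) and start in "monitor"
# mode, which only records matches; "block" is enabled per department after
# its reports have been reviewed with that department.

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digit PAN candidates
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN, dashed form

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the PII categories found in a piece of content."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    return found

@dataclass
class Policy:
    mode: str          # "monitor" (log only) or "block"
    exit_points: set   # e.g. {"usb", "email", "clipboard", "print"}

def evaluate(policies: dict, event: dict):
    """Decide what to do with one exit-point event: allow, log or block."""
    cats = classify(event["content"])
    policy = policies.get(event["department"])
    if policy is None or event["exit_point"] not in policy.exit_points or not cats:
        return "allow", cats           # department not yet onboarded, or no PII
    return ("log" if policy.mode == "monitor" else "block"), cats
```

Reviewing the "log" decisions for a month, as Carmen suggests, is what tells you which exit points and patterns a department genuinely needs before flipping its policy to "block".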