Post published by Finance Digest, 15 June 2016
As banks and financial services organisations search for ways to increase revenue, efficiency, collaboration and cost control, they are increasingly turning to digital tools. Big Data, cloud storage and Software-as-a-Service (SaaS) solutions are being adopted rapidly and, consequently, data stores are growing exponentially. Not only is the volume of data being collected continuing to increase, with companies collating data on their own customers and wider consumer base, but data stores are carrying sensitive details, such as personal, financial and classified intelligence. As such, it’s imperative for financial services companies to secure data with advanced cyber security measures. Unfortunately, the pace of technology adoption is often not matched by security, leaving the data of millions of citizens at risk of being compromised through data breaches, cyber-attacks and cyber ‘snooping’.
The data breach suffered by the Qatar National Bank (QNB) is a recent example of a financial services organisation not prioritising data security. Hackers infiltrated the bank’s network before siphoning off and posting 1.4 GB of unencrypted data online, which contained hundreds of thousands of customer transaction logs, information about the Qatar Royal Family and records regarding British, Polish and French intelligence agents. While many companies will not store data of such high sensitivity, it highlights the fact that data security is still not taken as seriously as it needs to be.
A prerequisite should be the use of advanced encryption when handling and sharing classified data, as leaving vast volumes of sensitive data unencrypted is similar to leaving valuables in plain sight. Such data acts as a honeypot: cybercriminals will quickly home in on an organisation and its employees to find a way into the network, reach the data and then begin exfiltration. Encryption provides a last line of defence against hackers, but not all variants of encryption were created equal. At a basic level there’s HTTPS; it’s easy to implement and encrypts data in transit, but messages are left unencrypted on both the sender’s and the recipient’s device – a huge issue if one is ‘misplaced’.
At the complete opposite end of the spectrum is advanced, robust data-centric encryption. Each item of information is encrypted on creation, before it leaves the sender’s device for the server, and can only be decrypted by the intended recipient once they have satisfied the relevant identity and policy requirements, every time they request access. This ensures data remains unreadable should a device go missing, and businesses will find it much simpler to govern who is accessing sensitive information.
The management of encryption keys also needs to be re-evaluated. In some cases, full encryption keys are held by multiple individuals, meaning that data is vulnerable should any of the custodians be targeted by hackers with extortion attacks. Key fragmentation mitigates the risk by splitting each key between multiple custodians, with all of them needing to be in agreement before a key can be issued. This adds an entirely new security layer around data, as even if only one custodian believes a request is suspicious and denies access, the information will remain encrypted.
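The custodian model described above (each custodian holds only a fragment, and the key is issued only when enough of them approve) is what a threshold secret-sharing scheme implements. The example below is added here and is not code from the article or from any product it describes; it uses Shamir's scheme over a prime field and generalises the all-custodians case to a k-of-n threshold. The names `split_key`, `recover_secret`, `recover_key` and `custodian_release` are my own.

```python
import secrets

# Field modulus: the Mersenne prime 2**521 - 1, large enough that any key of up to
# 64 bytes is a valid field element. (Constructed example; not the article's product.)
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, custodians: int):
    """Split a key into `custodians` shares; any `threshold` of them reconstruct it.

    With threshold == custodians this is the article's 'all must agree' model.
    """
    secret = int.from_bytes(key, "big")
    if not 1 <= threshold <= custodians or secret >= PRIME:
        raise ValueError("bad threshold or key too large for the field")
    # Constant term is the key; the remaining coefficients are uniformly random,
    # so any set of fewer than `threshold` shares reveals nothing about the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Reassemble the key bytes from enough shares (wrong for too few shares)."""
    return recover_secret(shares).to_bytes(key_len, "big")


def custodian_release(shares, approvals, threshold: int, key_len: int):
    """Issue the key only if at least `threshold` custodians approve the request;
    enough denials leave the key, and therefore the data, unrecoverable."""
    approved = [s for s, ok in zip(shares, approvals) if ok]
    if len(approved) < threshold:
        return None
    return recover_key(approved, key_len)
```

Fewer than `threshold` shares interpolate a different polynomial whose constant term is uniformly random, which is why a single custodian's denial is sufficient in the 3-of-3 case.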
Furthermore, financial services companies must implement tools that provide persistent, granular data access control. This enables them to set the specific requirements that must be met in order for encrypted data to become readable. At any time, the organisation can seamlessly amend the access controls, and all subsequent requests to view the data are subjected to the updated requirements. Rules determining how information can be downloaded can be set or, in cases where data is highly sensitive, organisations can prevent it from being downloaded altogether, keeping it within the walls of the network where it is far easier to manage. However, while preventing syncing can stop data being transferred to ‘outsiders’ in its true form, employees taking photos of data is another challenge. To counteract this, businesses should watermark information so that details become visually distorted.
Controlling access to data can go a long way towards ensuring data integrity, but banks and financial services organisations must also have the ability to lock down access if they believe data is at a high risk of being compromised. Should it be discovered that data is being misused, accessed by employees who don’t have the relevant clearance, or residing in a country with a reputation for ‘snooping’, companies should be able to shut down access to mitigate any further risk and give themselves time to investigate.
Ultimately, it’s now a matter of public responsibility for all banks and financial services organisations to cultivate a comprehensive data-security strategy as part of their overall IT planning; one that empowers them to truly govern how it is accessed and by whom. If the data itself is secured, there is no reason for innovation and productivity to be stifled. Businesses will be able to experience all the benefits of digital tools, without placing the sensitive data of millions of citizens at risk.