Technology has long been central to financial services, and in the last ten years devices such as smartphones and tablets have changed the way financial services consumers and suppliers interact. A financial services corporate network contains an abundance of sensitive client and market information, which needs to be kept secure. The evolution of technology means that data is now everywhere: on your smartphone and tablet, on your work desktop, on your company’s network, on USB drives, and moving back and forth from the cloud. Often this data is not secure, which invariably puts organisations at risk of a breach that can result in steep government penalties and fines, as well as loss of credibility.
We asked three financial industry experts to tell us what security risks financial services face when sharing data and how these risks can be mitigated.
Ondrej Krehel
"Sharing data can have various levels - from just providing data to having access to the system where data is stored. Controlling data and its use is a much more difficult process. Often, encryption is used during transit and for storage. That, however, is not sufficient when a system is compromised at the administrative level. Digital Rights Management solutions are stepping into the marketplace, but adoption and integration are slow. Even Microsoft Office 365 offers an IRM solution included in their enterprise plans.
Contractual obligations (risk of contract breach) generally dictate the usage of data and how it should be governed, as well as who is responsible if data leaks. Enterprises often use insurance products to offset this liability. Too many third-party breaches, however, have been in the area of interconnected systems with shared data access. A strong vendor due diligence program and ensuring that access control and provided datasets are not completely exposed are the most effective.
Smaller firms' concern is often fraud on the financial accounts and responsibility of the business account holder. When fraud happens, businesses are often left at the mercy of "big guys" to give them something. However, all the lost funds are almost never recovered and the account holder has to live with the loss. Firms sharing their access and data with accounting firms, allies, and needed parties hardly mitigate risks related to unauthorised access and potential fraud."
Bio: Ondrej is the founder of LIFARS LLC, an international cybersecurity and digital forensics firm, working mainly with the financial industry.
Michael Fimin
"One of the biggest risks for financial companies is the risk of insider misuse. It may not be obvious, but the common reason for nearly 90% of all security incidents that result in customers' data leaks is the human factor, said the 2015 Verizon DBIR. Disclosure of inside information may have devastating consequences, from financial losses like fines for non-compliance or remediation costs, to considerable reputational damage. Indeed, the worst thing about the inability to keep secrets is losing the trust of clients and partners.
According to the 2015 Verizon DBIR, 40% of all insider misuse cases involve end users that abuse their access privileges. Financial organisations that want to secure client data need to have complete visibility across the entire IT infrastructure, and make sure that sensitive data is accessed only by those who really need it. The best practice here is to monitor user activity and control privileged accounts. Many financial companies mitigate the risk of insider threats by deploying solutions that provide a deeper insight into who did what, where and when, and spot suspicious user activity before it is too late. In addition, I would strongly recommend reviewing the access rights of employees on a regular basis to ensure that privileges are granted adequately to existing business needs."
Bio: Michael is the CEO and co-founder of US-based Netwrix, an IT security company that provides enterprises with auditing solutions.
Pem Guerry
"In a digital world, financial professionals aren’t able to personally validate that the person receiving data is actually the person intended to receive the data. This is where robust identity authentication is exceptionally vital. Many financial institutions use Knowledge-Based Authentication, which requires users to answer detailed, "out of wallet" questions based on facts from dozens of public databases, such as naming the street address of a previously owned home. Another widely adopted method in financial services is SMS authentication, which sends a text message to a user’s cell phone with a private passcode to access data. Such measures and others are often used together to provide a multi-layered fortification against potential fraudsters. Another risk for financial providers resides in storing data, as data sharing is often facilitated via a third-party vendor specialising in secure storage or vaulting of sensitive data. If an additional application vendor must keep data on its server as part of its solution, it presents additional unnecessary opportunities for breaches to occur."
Bio: Pem is the Executive Vice President of SIGNiX, the leader in cloud-based independent e-signature solutions.
It's clear that financial industry experts must be made more aware of the serious security risks that they face when sharing data. Businesses need to look into how their employees are sharing data and make sure they are providing enterprise-grade software to ensure confidential files and documents stay confidential and secure.