In today’s highly regulated environment, financial services organisations are trusted with far more than just money. They are also responsible for keeping customers’ highly sensitive personal and financial data secure. Privacy legislation, such as GDPR and CCPA, ensures that they are doing this diligently.
Likewise, with all the publicity we’ve seen around data breaches, we as individuals are far more aware of the growing value of our data and the need to protect it. So, unfortunately, are cybercriminals, which means financial organisations are prime targets for malicious cyberattacks. However, this isn’t the only threat they face. In fact, not a day passes without these firms’ own employees putting data at risk.
Insider threat cited as having the potential to cause a lot of damage
When it comes to reducing overall breach risk, it is easy to assume that employees represent low-hanging fruit. This is based on the premise that it is easier to control the actions of a company’s own employees than it is to defend against external attackers. HelpSystems has recently undertaken some research, interviewing 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face.
The reality is that insider threat – whether intentional or accidental – was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. Likewise, phishing emails were cited by 20% of survey respondents. Add these two together and you can start to get a picture of the challenge these internal employee-centric risks present for financial services firms. It is, perhaps, a far bigger one than the external threat.
While external attackers are always motivated by malicious intent, the employee population is far more mixed. Motivations are a grey area where the reasons behind breaches, whether through simple human error or deliberate actions, are harder to determine. This makes understanding, and mitigating, insider risk a far more problematic exercise.
Misdirected emails are also a big risk
The latest Information Commissioner’s Office (ICO) report has just been published. Its data confirms that misdirected email remains one of the UK’s most prominent causes of security incidents. The report further demonstrates the need for all organisations to control the dissemination of their classified data: it states that misdirected email is, alarmingly, a 44% bigger risk to organisations than phishing attacks.
This is yet another area where organisations must ensure their data protection policies are robust enough to protect not only themselves but also their employees from the seemingly simplest of mistakes. Again, our research showed that increased remote working was a cause for concern: 36% said they saw it as a cybersecurity threat with the potential to cause significant damage. Therefore, what remains paramount is that organisations provide their employees with the technology tools necessary to prevent the simple human errors that can result in data loss and, as a consequence, severe financial and reputational damage.
Understanding what protection your data requires
It is crucial that financial services organisations shift the dial on insider risk and reduce breach frequency. The penalties for failing to do so are becoming increasingly draconian, and the repercussions from customers much more severe. Put simply, before you can defend, you need to know what protection your data requires. You also need to know what you’ve got, where it’s stored, why you have it and who has access to it.
Once you’ve got to grips with that, you can identify what is of true value to the organisation – what’s business-critical and what’s sensitive – and then how best to treat it. You need to think about what the impact would be if a piece of information was leaked or lost. If it was made public, would it harm the business, your customers, partners or suppliers? Would it put an individual’s security or privacy at risk? Would you lose advantage if a competitor got hold of it? Is it subject to any privacy or data laws, or regulatory compliance?
While this all sounds relatively straightforward, data visibility was another problematic area, and a further threat, highlighted in our research. Data visibility (knowing what data is where and who has access to it) was cited as having the potential to cause the most damage by 14% of our survey respondents. Combine this with internal cybersecurity fatigue, which more than a quarter (28%) cited as potentially damaging, and you can start to appreciate the importance of providing tools and awareness training to help prevent those easily avoided mistakes from happening in the first place.
Employees need tools, training, education and the right culture
This is a complex problem without a simple answer, and it is where employee education is key. Employees play a vital role in ensuring the organisation maintains a strong data privacy posture. For this to be effective, organisations need to ensure that they provide regular security awareness training to protect sensitive information.
To do this, they must invest in user training and education programmes. Users are your most important security resource, so train them to be an asset rather than a liability. Users should be a critical part of an organisation’s security posture, not excluded due to the associated risks.
Likewise, the security culture of the firm must be inclusive towards employees. It should ensure they are continually trained so that their approach to security becomes part of their everyday working practice and security is embedded into all their actions and the ethos of the business.
How data classification can help
The implementation of data classification tools helps organisations to protect their data by putting the appropriate security labels on it. It also educates users to understand how to treat different types of data with different levels of classification and sensitivity. At HelpSystems, our data classification solution enables users to classify both their emails and documents according to their sensitivity, using both visual and metadata labels. Once labelled, data can be controlled to ensure that emails, documents and files are only sent to those you want to receive them. It protects your sensitive information from accidental loss.
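To make the mechanism in the paragraph above concrete, here is an added example of the kind of outbound-mail check a metadata label enables. It is illustrative code written for this article, not the HelpSystems or Boldon James product: it assumes the classification tool has written the label into an `X-Classification` header (a hypothetical header name), that policy is expressed as the set of recipient domains each label may be sent to, and the organisation domain, partner domain and sample messages are all constructed for the example.

```python
"""Outbound-mail policy check driven by a classification label.

Illustrative example only, not vendor code. Assumptions:
  - the classification tool stores the label in an X-Classification
    header (hypothetical header name);
  - policy is "which recipient domains may a given label leave for";
  - unlabelled or unknown labels are treated as CONFIDENTIAL (fail closed).
"""
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "example-bank.test"  # constructed organisation domain

# Policy: None means "any recipient domain"; a set means "only these".
POLICY = {
    "PUBLIC": None,
    "INTERNAL": {ORG_DOMAIN},
    "CONFIDENTIAL": {ORG_DOMAIN, "auditor.test"},  # constructed approved partner
    "RESTRICTED": {ORG_DOMAIN},
}
DEFAULT_LABEL = "CONFIDENTIAL"


def recipient_domains(msg):
    """Collect the lower-cased domain of every To/Cc/Bcc recipient."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(headers) if "@" in addr]


def check_message(raw):
    """Return (allowed, label, blocked_domains) for one RFC 822 message."""
    msg = message_from_string(raw)
    label = (msg.get("X-Classification") or DEFAULT_LABEL).strip().upper()
    if label not in POLICY:
        label = DEFAULT_LABEL  # unknown label: fail closed
    allowed_domains = POLICY[label]
    if allowed_domains is None:
        blocked = []
    else:
        blocked = sorted({d for d in recipient_domains(msg)
                          if d not in allowed_domains})
    return (not blocked, label, blocked)


# Constructed sample messages (all addresses and domains are made up).
SAMPLES = {
    "internal_ok": (
        "From: alice@example-bank.test\n"
        "To: Bob <bob@example-bank.test>\n"
        "X-Classification: Internal\n"
        "Subject: Team meeting\n\nSee you at 10.\n"),
    # Autocomplete picked the wrong "Carol": a classic misdirected email.
    "confidential_misdirected": (
        "From: alice@example-bank.test\n"
        "To: Alice Smith <alice@example-bank.test>\n"
        "Cc: Carol <carol@webmail.test>\n"
        "X-Classification: Confidential\n"
        "Subject: Q3 loan book\n\nAttached.\n"),
    "unlabelled_external": (
        "From: alice@example-bank.test\n"
        "To: dave@elsewhere.test\n"
        "Subject: Customer list\n\nFYI.\n"),
    "public_anywhere": (
        "From: alice@example-bank.test\n"
        "To: press@newspaper.test, bob@example-bank.test\n"
        "X-Classification: Public\n"
        "Subject: Press release\n\nPublished today.\n"),
}


def audit(samples=SAMPLES):
    """Run the policy over each sample; returns {name: (allowed, label, blocked)}."""
    return {name: check_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (allowed, label, blocked) in audit().items():
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{name:26s} {label:13s} {verdict} {blocked}")
```

The design point is that the label, not the sender's judgement at the moment of clicking Send, decides whether external domains are acceptable, and that a missing or unrecognised label is handled as sensitive rather than as public. A real gateway would also log each blocked message for review, since a burst of blocks from one mailbox is itself a useful signal.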
It is technology like this that leaders within financial services organisations should have in place to protect their employees, prevent misdirected emails and the inadvertent sharing of documents and files, and ensure that the organisation is complying with data protection legislation. Remote working is likely to remain, regardless of any future regional or national lockdowns. Therefore, making sure that employees have the tools to prevent mistakes and the accidental sharing of data is going to be more important now than it has ever been. The place to start is making sure that any data is appropriately labelled, so that the employee knows how it should be handled.
Boldon James is an industry specialist in data classification and secure messaging, delivering globally recognised innovation, service excellence and technology solutions that work. Part of the QinetiQ group, a major UK plc and FTSE 250 company, we integrate with powerful data security and governance ecosystems to enable customers to effectively manage data, streamline operations and proactively respond to regulatory change. We’re a safe pair of hands, with a 30-year heritage of delivering for the world’s leading commercial organisations, systems integrators, defence forces and governments.