After the fallout of the recent Capital One and Equifax data breaches, Clearswift commissioned a survey into the financial services sector to find out the extent of financial companies’ data protection capabilities. Worryingly, the results highlighted that 70% of financial enterprise organizations have experienced a cyber security incident in the past 12 months. This finding (among others uncovered by our survey) highlights an increased industry need for financial organizations to shift gears and speed up the innovation and deployment of effective risk-mitigation strategies to address the latest cyber threats.
The research, conducted in partnership with Vanson Bourne, surveyed senior business decision makers at financial organizations within the United Kingdom. The data revealed that of the significant number of incidents that took place in the last year, around 43% originated from a failure of employees to follow security protocol or data protection policies.
Following the introduction of GDPR, it is certainly concerning that there are still so many security incidents caused by failure to follow proper data protection procedures, particularly when such a failure can result in a maximum fine of €20m (or 4% of global turnover, whichever is higher). Does this mean that regulatory policies and even internal processes are not clear enough for employees to comply with? Or is it more a case that there aren’t significant enough technology investments being made to help enforce the policies and automatically protect the data? Regardless, there is clearly a need for financial organizations to bolster their cyber security posture and ensure that security and data protection protocols are understood and adhered to.
People are at the core of a data protection strategy – educate them thoroughly
Employees are at the core of a data protection strategy, as they are the ones who handle and process the sensitive information. In the case of financial organizations, which hold extremely sensitive citizen data, it is critical that employees know and understand the company security policy and how to handle data securely. Ongoing time and investment need to be put towards educating employees about the risks and consequences of handling sensitive data incorrectly, as well as the cyber threats to look out for (such as phishing emails). Threats are constantly evolving, so education and awareness training needs to be ongoing, ensuring that all employees, from the CEO to the cleaner, understand the risks and, more importantly, know what to do should they suspect an issue.
Processes are the guide for employees to operate securely
As well as changing attitudes within the company around data protection, processes and policies need to be put in place for employees to follow, which will help to minimize risks. For example, having a process in place that employees can use to report any incidents that occur will enable security teams to respond immediately to mistakes – from sending an email with sensitive information to the wrong person, to clicking on a malicious URL link – so they can be caught and dealt with to minimize the potential repercussions for the organization. Discussing security with employees is a great way to understand where the weaknesses are and which processes are being circumvented and therefore need overhauling.
Technology is the ‘safety net’ in the background protecting against threats and mistakes
Investment in advanced security and data protection technologies has become critical for all organizations: to enforce security policy, automate processes and support employees in collaborating safely in today’s digital world. It is also a positive differentiator for a business and can act as a springboard for both growth and innovation. From a customer’s or partner’s perspective, confidence and peace of mind in a financial organization’s cyber security focus can build a strong reputation, which in turn builds trust and ultimately drives business growth.
Not surprisingly, after cyber incidents resulting from failure to follow data protection protocol (43%), the next highest source (33%) was the introduction of malware from third-party devices, including unauthorized USB sticks, BYOD and IoT. With almost three quarters (73%) of respondents saying that they would like to see some, if not a significant, increase in their organization’s cyber security spending, it seems clear amongst financial organizations that investment in cyber security would substantially support the sector with both cyber threat protection and data breach prevention.
Financial organizations hold extremely sensitive data, and an added level of caution is needed in order to protect both the data and the organization’s reputation. Our survey findings paint a concerning picture of cyber incidents within the financial sector, emphasizing the need for increased investment in cyber security in order to better protect the sensitive citizen data that the sector holds and processes.