Five Key Steps to Protect Your Business from Data Breaches in the Financial Sector
When we hear about a data breach in the financial sector, it’s easy to believe that cybercriminals are targeting the Big Guys and you won’t be affected. However, behind every data breach, there are potentially thousands of SMEs waiting to be exploited.
One of the great IT myths of recent years is that of the ‘disruptor’. It’s usually an IT startup that plans to wreak havoc on a traditional industry by rolling out a platform that, due to its ease of use, will be adopted by millions, while making millions for the founders.
Whilst we’ve heard lots of these stories, and heard from plenty of ambitious entrepreneurs hoping to emulate such success, the real disruptors are criminals, and in particular today’s cybercriminals.
Where we see the many advantages of mobile devices, cloud-based and digital payment systems, remote working, and decentralised offices, they see many opportunities for criminal endeavour, and in particular for a profitable data breach.
According to a 2020 survey undertaken by VMware, 80% of financial institutions reported an increase in cyberattacks compared to the previous 12 months, while 27% of such attacks have targeted either the healthcare or the financial sectors.
Also, during the first quarter of 2020, ransomware attacks against the financial sector increased ninefold, and during the same period, as Covid struck, cyberattacks against the financial sector increased by an extraordinary 238%.
As the financial sector struggles to keep one step ahead of cybercriminals, and while financial institutions are obviously the main line of defence against such activities, you shouldn’t outsource all your security concerns to them. Like charity, cybersecurity begins at home.
With this in mind, here are five steps to securing your business against such data breaches:
- Training Staff
A recent figure estimates that 90% of all UK data breaches in 2019 were due to human error. These were simple errors made by staff which facilitated a malicious attack. Therefore, it’s vital that staff are trained in current phishing trends and made aware of the many simple, but deadly, ways in which bad actors work. For example, phishing simulation exercises help employees recognise threats, thus fostering a culture of cybersecurity resilience.
- IT Asset Register
When we were all bound to our office desks, creating an IT asset register for our devices was a straightforward affair – IT just walked the corridors keeping track of the devices, or ran network crawlers to ascertain the number of IT assets out there. However, with a decentralised, spread-out workforce, it’s vital to keep track of your working assets and make sure they are all accounted for. You should build into your IT Asset Disposition (ITAD) strategy a physical check of every IT asset, recording its location, condition, and value. Furthermore, clear guidelines must be in place for using corporate IT assets in home or remote settings, covering matters such as encryption and physical security.
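An asset register only finds the gaps when it is regularly compared against what is actually observed on the network. The following is an added example (not code from the original article) showing that reconciliation: it takes a constructed register CSV (asset_tag, hostname, owner, location) and a constructed discovery export (hostname, last_seen, location) of the kind an endpoint-management tool or network scanner might produce, and reports devices nobody registered, registered devices not seen recently, and devices observed somewhere other than their recorded location. Column names and the 30-day staleness threshold are assumptions, not from the article.

```python
"""Reconcile an IT asset register against an endpoint-discovery export.

Added example, not from the original article. Both inputs below are
constructed sample data; real exports will have different columns.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: what IT believes it owns and where it should be.
REGISTER_CSV = """asset_tag,hostname,owner,location
A-1001,lt-finance-01,alice,home-alice
A-1002,lt-finance-02,bob,office-hq
A-1003,lt-sales-07,carol,home-carol
A-1004,dt-recep-01,reception,office-hq
"""

# Constructed sample discovery export: what tooling has actually observed.
DISCOVERY_CSV = """hostname,last_seen,location
lt-finance-01,2024-03-01,home-alice
lt-finance-02,2024-03-02,home-bob
lt-sales-07,2023-11-15,home-carol
lt-unknown-99,2024-03-02,office-hq
"""

# Assumed policy: a registered device unseen for this long needs a physical check.
STALE_AFTER = timedelta(days=30)


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_csv, discovery_csv, today_iso):
    """Compare register and discovery data as of today_iso (YYYY-MM-DD).

    Returns a dict with three findings:
      unregistered: hostnames seen on the network but absent from the register
      stale:        (hostname, last_seen) for registered devices not seen recently
      moved:        (hostname, registered_location, observed_location) mismatches
    """
    today = date.fromisoformat(today_iso)
    register = {r["hostname"]: r for r in load_rows(register_csv)}
    seen = {r["hostname"]: r for r in load_rows(discovery_csv)}

    # Devices on the network that nobody has registered (shadow assets).
    unregistered = sorted(h for h in seen if h not in register)

    # Registered devices not observed within STALE_AFTER: possibly lost,
    # stolen, or simply never checked in since being issued.
    stale = []
    for host, rec in register.items():
        obs = seen.get(host)
        if obs is None:
            stale.append((host, "never seen"))
            continue
        last_seen = date.fromisoformat(obs["last_seen"])
        if today - last_seen > STALE_AFTER:
            stale.append((host, obs["last_seen"]))
    stale.sort()

    # Registered devices observed somewhere other than their recorded location.
    moved = sorted(
        (host, rec["location"], seen[host]["location"])
        for host, rec in register.items()
        if host in seen and seen[host]["location"] != rec["location"]
    )
    return {"unregistered": unregistered, "stale": stale, "moved": moved}


if __name__ == "__main__":
    report = reconcile(REGISTER_CSV, DISCOVERY_CSV, "2024-03-03")
    for finding, items in report.items():
        print(f"{finding}:")
        for item in items:
            print("  ", item)
```

Each finding maps to a follow-up the article calls for: an unregistered host is a device to bring under the register (or a BYOD policy question), a stale entry is a candidate for the physical check, and a moved device is a prompt to confirm the home or remote setting meets the encryption and physical-security guidelines.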
- Bring Your Own Device (BYOD) Policy
Allowing staff to use their own devices is a double-edged sword. While certainly helpful at times, especially during the early weeks of the pandemic when companies struggled to keep working, a clear policy must be developed, rolled out, and adopted by all. For example, what data are people allowed to interact with on their own devices? Should people have the right to log into the corporate network from a personal PC? Your policy should address such situations, and staff must buy in to it for it to work successfully.
- A Response Plan
When a data breach happens, whether you are directly or indirectly affected by it, you should have a disaster plan in place. Typically, such plans have three phases. Firstly, shut down and close off your systems as much as possible. Secondly, you will have to ascertain what data was taken or potentially taken, and let your customers know about it. And lastly, you must have the ability, or have cybersecurity experts on call, to analyse your systems to ensure that the attack is actually over.
- Data Storage and Data Destruction
Where you store your data, and how that data is destroyed, is another vital consideration. Whether your data is backed up to the cloud or on-premise, you should ensure that the security in place is suitable for the threats which exist. Keeping software and systems up to date is vital while the data is being stored, and when your IT assets reach their End of Life (EOL), they must be disposed of in line with the best ITAD guidelines.
For example, do you require IT assets to be shredded or degaussed on-site or off-site? And once the IT assets are redundant, they must be disposed of according to the highest environmental regulations.
When a cyberattack happens, due to the interconnectedness of today’s systems and networks, we are all vulnerable. As the financial sector is one of the most targeted areas, we are all potentially exposed to such attacks, and guarding against them requires constant education and awareness, policies and procedures, and a robust ITAD strategy.