The cyber-resilience shortfall: are banks underprepared for a data breach?
More than a third (36%) of UK financial services organisations have been reported to the Information Commissioner’s Office (ICO) for a data breach since GDPR came into force in May 2018.
It’s becoming increasingly apparent that any organisation can (and, arguably, probably will) fall prey to a data breach of some kind.
The risk of cyber-attacks rose during the pandemic, as enterprises and their workforces got to grips with new ways of working.
Meanwhile industry shifts such as open banking – which forces traditional banks to share permissioned customer data with third-party service providers – will potentially expose personal information to theft or loss.
In this environment, financial IT and security teams need to change their mindset – moving their focus and investment away from a quest for ‘complete control’ to fortifying their cyber-resilience.
By strengthening four key pillars of cyber-resilience, financial organisations can build their capability to quickly restore data after an incident, establish and remediate the cause and demonstrate due diligence to regulators.
Encrypt all data
The only truly effective way to protect information when it’s being handled, shared, moved or stored is to encrypt it. Even if cybersecurity defences are breached, and devices or data end up in the wrong hands, encrypted information will be indecipherable to unauthorised eyes, provided the keys are kept separate from the data they protect.
Encryption is a vital compliance tool. In fact, it’s specifically recommended in Article 32 of GDPR as a method of protecting personal data. For a breached company, evidence that lost or stolen data had been encrypted removes the obligation to inform each individual affected.
Article 83 suggests fines will be moderated where a company can show it has been responsible and mitigated the damage suffered by data subjects.
Educate and explain
In today’s hybrid and blended work environments, cybersecurity is everyone’s job. Each individual must be accountable for safeguarding the information they access and handle.
To be able to control risks and maintain compliance with regulations and standards such as GDPR and PCI DSS, employees need to fully understand their role and responsibilities around data protection.
This means briefing the entire workforce on all relevant corporate security policies and processes and providing a comprehensive grounding in security hygiene. Training people in how to correctly and safely use the devices and security technologies they’ve been equipped with is also vitally important.
Alongside the ‘practical stuff’, education has a critical part to play in helping to create an enterprise-wide culture of security. Employees’ engagement and buy-in depends on an understanding of the context around the security requirements they’re asked to follow.
Companies should therefore explain the ‘why’, in addition to the ‘what’ and ‘how’: the specific threats the business faces, the risks associated with mishandling information and the potential consequences to the organisation of a breach.
Mandate offline back-ups
In addition to central back-up processes, requiring each employee to regularly save their data locally to a corporate-approved encrypted storage device (USB or hard drive) will enable information to be recovered and restored quickly in the event of data loss or theft.
As well as protecting against data loss caused by a cyber-attack on cloud servers, or by a failure while data is being transferred, this approach strengthens resilience against ransomware by ensuring that data can at least be recovered locally should the central data store be compromised. That holds only if the device is disconnected when not in use, so that it is genuinely offline and out of reach of malware running on the endpoint.
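The two pillars above, encrypting data and keeping encrypted offline copies, both rest on the same property: a blob on a lost drive or a ransomware-hit share must be unreadable without the key, and it must fail loudly rather than restore silently corrupted data. The Go program below is an added illustration of that property and is not code from the article or from Apricorn. It encrypts a constructed sample payload with AES-256-GCM from the standard library before it would be written to removable media, binds a label (the backup's name) into the authentication tag, and shows that a wrong key, a wrong label or a single flipped byte is rejected on restore. The key handling is a placeholder: in a real deployment the key lives in a corporate key store or in the drive's own hardware authentication, never beside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample payload standing in for a user's working files.
var sampleBackup = []byte("customer-ledger.csv: acct=00012345,balance=1034.20\n")

// NewKey returns a fresh random 256-bit key. Assumption for this example:
// the caller stores it somewhere other than the backup medium.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || tag. The label (e.g. backup file name and date)
// is authenticated as associated data, so one blob cannot be passed off
// as another without failing verification.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the restore side can recover it.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It returns an error, never partial or garbled data,
// if the key is wrong, the label differs or any byte of the blob changed.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("ledger-backup-2024-01-01") // constructed label
	blob, err := Seal(key, sampleBackup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d-byte blob\n", len(sampleBackup), len(blob))

	// Simulate a single corrupted byte on the backup medium.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// Restore with the correct key and label.
	restored, err := Open(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored: %s", restored)
}
```

Because GCM verifies the tag before releasing any plaintext, a restore either yields exactly what was backed up or an error; there is no "mostly right" outcome to feed back into production systems after an incident.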
Know your data
To be cyber-resilient, companies must know precisely what data they collect, process and store, as well as where it’s located and who has access to it. They should be able to map their data’s lifecycle and journeys, from collection to deletion, and identify at which points it has been – or potentially could be – exposed or put at risk.
This level of visibility will enable a rapid and accurate response to any cybersecurity incident that occurs – and to the questions from regulators that may follow.
No organisation is immune to a data breach. Even the companies with the world’s biggest security budgets and teams struggle to prevent data being lost, leaked or stolen.
Prioritising the building of cyber-resilience will strengthen the ability to prepare for, react to and get up and running quickly after a breach.
Not only will this reduce the risk of being hit with potentially crippling fines, it will also protect the company’s reputation and the trust of its customers.
About the author
Jon Fielding is managing director EMEA at cybersecurity firm Apricorn.
CISSP-certified, he has also worked with organisations ranging from IBM to start-ups including Valicert and Tumbleweed.