
Data At Rest Could Be At Risk

Improperly secured data or a lack of defense layers could leave your firm open to outside attacks. 

Despite the best cybersecurity measures, many business executives have identified cyberattacks as a top concern, according to a recent PwC Pulse Survey.

It's for good reason. The private data of millions of individuals is at risk every day as sophisticated and downright simple cyberattacks continue to proliferate. Businesses are doing their best to counter these assaults by reinforcing defenses and educating employees on identifying phishing schemes and online risk factors, but that's not all they should be doing. 

Cybersecurity guidelines and guardrails exist, but organizations don't always recognize the difference between privacy and security. Organizations cannot stop themselves from ever being attacked. What cybersecurity teams should focus on is how to swiftly respond to an attack, including how to quickly implement a root cause analysis and remediation plan and how to proactively protect sensitive and/or private data if it's ever stolen.

The industry has done well to educate employees on how to prevent a cyber breach, but there are often gaps in how to better protect data in the event of a successful attack. Additional safety measures can include encrypting data or utilizing an off-the-grid data vault. 

Changing Workplaces = Open Invitations

According to a recent study, 96% of financial services professionals would give up a percentage of their salary to work from home permanently. That same survey found 88% of people were more productive when working from home and utilizing collaboration software.

Working from home, or at least a hybrid model, is here to stay for the highly regulated financial services industry—it's what its skilled workers want and can lead to better outcomes. It does, however, present significant data security and compliance concerns for companies.

Remote work in the past typically meant connecting to the company's server through an authorized, secure line on approved equipment—and on a very limited basis. As more employees work from home on personal Internet networks or from public sites at coffee shops, airports and hotels, there is a higher risk of data breaches.

Sure, employees can connect to a secure company machine via a dedicated VPN, but that also becomes another point of vulnerability.

Cybersecurity teams now must protect the company, its data, its equipment and possibly an employee's home as an attack vector. Deploying equipment and dedicated network lines can become very costly, and even harder to enforce.

The Call Is Coming From Inside the House 

Traditionally, cybersecurity is viewed as protecting networks and hardware from evil hackers working for malicious entities. But data breaches can manifest in unexpected ways, so the industry must develop and adopt universal guidelines to protect data at rest.

In 2018, the U.S. military was forced to revise its rules for using wireless devices at its bases after a map of fitness tracker activity revealed patterns of heavy activity in war zones and deserts, opening the troops up to physical attack due to insufficient data security. 

Most people don't realize many of the attacks and breaches are internal in nature, or as in the military example, the data was never secure in the first place. Take a moment to think about how much data you alone are the source of in a single day, from your fitness tracker to your smartphone to your car's GPS and in-home digital assistants.

Sometimes, the security breach is accidentally clicking on a link in a phishing email. Other times it could be a hostile employee with a grievance and agenda. The damage then magnifies when stolen data is unprotected or not encrypted.

Swiss Cheese Defense Model—Process Safety 

The financial services industry can learn from other industries, such as the petrochemical and energy sectors, on how to protect valuable assets and infrastructure. 

After a generation of horrific events, which took the lives of many, some industries studied them and created a replicable process and multiple layers of physical protection that were worked into every aspect of their operations.

Like a wall made of Swiss cheese, if something slips through one hole, there must be more protection against catastrophic failure at every level and layer.  

For the financial services industry, these layers should: 

  • Ensure additional safeguards are in place to protect data if there is a breach.
  • Create multiple layers of encryption to thwart malicious attackers. Hackers could eventually decipher the data, but this practice will slow them down.
  • Launch remote lockdowns or wipe-downs of stolen or lost hardware.  
  • Include the development of a cyber vault that is disconnected from the existing network and contains an encrypted clean copy of your production database.

Organizations should anticipate a data breach, whether it's from a cyberattack or an innocuous event, such as posting a photo on social media that inadvertently reveals sensitive or proprietary data in the background. While breaches are undoubtedly bad, it's the direct and indirect consequences that are incredibly costly. Reputation restoration is more expensive than reinstalling data.

Cybersecurity departments and the industry need to do a better job of making sure guidelines and policies are properly implemented, not merely that they check a box.

Protecting data before and after a cyberattack is the best way to ensure safety for all. Taking a multilevel, process-driven approach to data security will help address this issue, among many others. 

Helen Johnson is the chief technology officer for COMPLY, a provider of regulatory technology and compliance solutions for the financial services sector. 
