How financial organisations can stay protected from financial data breaches
Email is a crucial function of business communication, which many organisations strongly rely upon. But as the pandemic brought a new world of remote and hybrid working, it’s arguably more important than ever to keep both individuals and organisations connected – wherever they may be. A staggering 333.2 billion emails are sent and received daily – but in turn, it’s inevitable that typos can occur or the wrong attachments are sent to the wrong person. However, whilst innocent mistakes can happen, the consequences could be much more devastating.
The consequences of sending an incorrect email within the financial industry, in particular, could be drastic – both in terms of a firm’s reputation and legal penalties. Within an industry that deals with sensitive and valuable information, it’s vital that financial organisations prioritise keeping their confidential data secure, explains Andrea Babbs, UK general manager, VIPRE.
At What Cost?
IBM’s latest Data Breach Report revealed that 2021 had the highest average data breach costs in seventeen years, rising from $3.86 million in 2020 to $4.24 million. Particularly within the financial services industry, research indicates that cybercrime is more prevalent in this sector compared to any other. Both external and insider breaches are equally as dangerous, but human errors are almost twice as likely to result in data disclosure.
For example, if human errors occur in the financial services when sending internal emails, such as including the wrong individuals in CC, or attaching the wrong document, this can cause serious issues as it may be perceived as ‘Insider Trading.’ If two departments are working for two directly competitive clients, and accidentally share non-public, material information about one another, this could put either team and/or client at an unfair advantage by having this insight.
Depending on the size of the breach will determine the size of the cost. However, at a minimum, there will be penalties. Not only could there be a financial loss for the organisation, but companies will have to pay for audits to understand what happened, and what protocols need to be put in place to prevent further attacks, as well as compensating customers who were affected by the breach.
Additionally, the aftermath of a data breach is far worse than just financial loss. Businesses in the finance sector have reputations to uphold in order to preserve a loyal customer base, especially in such a demanding and competitive market. Yet, failing to protect sensitive customer information can result in negative press, which can, in turn, make existing and potential customers apprehensive about an organisation. This can potentially result in them taking their business, and money, elsewhere.
A layered cybersecurity strategy is key in any industry in order to mitigate cyber threats and keep sensitive information secure. However, within the financial sector, it’s more important than ever as the stakes are much higher. When considering a cybersecurity strategy, three components should be considered:
- Encryption and Authentication: Security protocols are designed to prevent a majority of instances of unauthorised interception, email spoofing and content modification. When a hacker is attempting to infiltrate a company, they may try to intercept emails via transport links or attack systems directly. Whilst encryption services do not protect businesses against human error, including them in your email security strategy will help to protect companies from hackers intercepting emails.
- Training and Guidelines: It is essential that businesses put in place strong security rules and guidelines concerning the movement and storage of sensitive financial information. This should also provide clear guidance on the steps employees should take if a security incident occurs.
Additionally, when employees first join an organisation, they should take part in cyber security awareness training. However, this should be an ongoing programme to ensure that all employees understand the role they play in keeping their organisation safe. As part of this training, automated phishing simulations should be included to demonstrate how these threats can appear in order for the user to identify them, and act appropriately. Following this training, key metrics and reports can be provided on how the users are improving, or where more education is needed.
By fortifying key security messages across the workplace, combined with simulated phishing attacks, continuous training ensures that individuals are able to identify potential attacks, whilst providing them with the necessary skills to handle the risks.
- DLP (Data Loss Prevention): It is crucial for businesses, especially financial firms, to deploy security measures for the detection and prevention of potential email threats, both internally and externally. Humans play a key role in deciding what is safe to send, and what is not – but DLP solutions can support this process by providing the necessary alerts. For example, colleagues exchanging confidential documents across different areas of the business means that the CC fields are likely to have multiple recipients in them. An incorrect email address is likely to be overlooked without a tool in place to highlight this error to the user, and instead, provides them with the opportunity to double-check the accuracy of the email recipients and attachments. Supporting staff with a crucial second chance helps to raise awareness and understanding of existing email threats, and provides that essential security lock-step – before it’s too late.
Email will remain an essential platform for communication, but will continue to be a high-risk tool for businesses and employees to communicate both internally and externally. And, particularly for financial service organisations, as they remain a prime target for cyber hackers given the temptation to access personal information and financial transactions. Therefore, the finance industry must prioritise cyber security and invest in a layered approach, which must include security awareness training and data loss prevention tools, in order to minimise human error and provide the strongest possible defence in the modern security landscape.