Jan-Feb-Mar 2021
OPINION

insider breaches don't always garner as much attention. Yet both are equally dangerous. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in a confirmed data disclosure.

Costs vary widely with the scale of each breach, but at a minimum there will be financial penalties and the cost of audits to establish why the incident happened and what additional controls and solutions are needed to prevent a recurrence. There may also be substantial costs for reimbursing the customers affected by the breach.
PRICELESS DAMAGE

The fallout from a data breach goes far beyond financial penalties and costs. Financial services businesses depend on their reputation to keep a loyal customer base. Those that fail to protect their customers' sensitive information must then manage negative press and mistrust from existing and potential customers, which can seriously impede the organisation as a whole. In such a highly competitive market, it doesn't take much for customers to take their money elsewhere: customer service and reputation are everything.
CHECK, PLEASE!

Within the financial services sector the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. Three critical components must be considered:
1. Authentication and encryption: Attackers may attack systems directly or intercept email in transit over an insecure link. Transport encryption (TLS between mail servers) and sender authentication (SPF, DKIM and DMARC) are designed to prevent most unauthorised interception, content modification and email spoofing; note that opportunistic STARTTLS protects a hop only when both servers support it, so enforce it wherever you can. Adding a dedicated email encryption service to your email security arsenal increases protection in this area. Encryption and authentication, however, do nothing to protect against human error and misdelivery: a message encrypted end to end still arrives at the wrong person if the wrong address was typed.
2. Policies and training: Security guidelines and rules on the circulation and storage of sensitive financial information are essential, as are clear steps to follow when a security incident happens. Employees should undergo cyber security awareness training when they join the organisation and then be enrolled in an ongoing programme of short, informative sessions held quarterly or monthly. The programme should include regular simulated phishing attacks that show users what these incidents look like and teach them how to spot and report them. Automated phishing simulations also yield metrics and reports on how users are improving over time. Regular reinforcement of the security message, combined with the simulations, keeps staff aware of the risks and makes them far more likely to recognise a phishing scam and to handle sensitive information correctly.
3. Data loss prevention (DLP): DLP solutions let a firm detect, control and prevent risky email-sending behaviour. Purely technical controls such as machine-learning classifiers can only go so far: a model tuned aggressively enough to catch every misdirected email will also block legitimate mail and become a nuisance rather than a support; tuned loosely enough to stay out of the way, it will catch very little. Only the human sender knows whether a given message is safe to send. Rather than disabling time-saving features such as recipient autocomplete (a frequent cause of misdelivery, since one wrong keystroke selects the wrong contact) in the hope that users will become less complacent, a well-designed DLP solution leaves working practices intact and gives the sender a critical second chance to double check.
That double check can be the critical factor in an organisation's cybersecurity efforts. Users are prompted according to parameters the firm specifies. For example, colleagues in different departments exchanging confidential documents with each other and with external suppliers means the TO and CC fields will often hold several recipients. One mistyped address, or a lookalike domain slipped into a long thread of emails going back and forth, is easily missed without a tool that highlights it to the user and gives them a chance to verify the recipients and the contents of attachments before the message leaves.
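The pre-send check just described, as an added example rather than code from the magazine or from any vendor's product: before a message leaves, it flags recipients whose domain is within a couple of edits of a trusted domain, recipients the sender has never emailed before, sensitive-looking attachments addressed to external parties, and internal/external recipients mixed on one message. It never blocks; it returns warnings for the sender to act on. The internal domain, partner domains, addresses, contact history and filename keywords are all constructed for illustration.

```python
"""Pre-send 'second chance' check for outbound email recipients.

Added example, not the magazine's or any vendor's code. Every domain,
address and keyword below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, trusted: Set[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this one resembles but is not, else None.

    An exact match is legitimate. A domain within max_distance edits of a
    trusted one ('audlt' for 'audit', 'rn' for 'm', '1' for 'l') is a typo
    or a deliberately registered lookalike: precisely what a busy sender misses.
    """
    if domain in trusted:
        return None
    best = min(trusted, key=lambda t: levenshtein(domain, t), default=None)
    if best is not None and levenshtein(domain, best) <= max_distance:
        return best
    return None


@dataclass
class OutboundMail:
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)


# Constructed filename markers that suggest regulated or client data.
SENSITIVE_MARKERS = ("confidential", "statement", "kyc", "payroll")


def check_before_send(mail: OutboundMail, internal_domain: str,
                      trusted_domains: Set[str], prior_contacts: Set[str]) -> List[str]:
    """Return human-readable warnings; an empty list means send without a prompt.

    The check never blocks: the sender sees the warnings and decides,
    which is the 'second chance' described in the text above.
    """
    known = trusted_domains | {internal_domain}
    recipients = [r.lower() for r in mail.to + mail.cc]
    external = [r for r in recipients if domain_of(r) != internal_domain]
    sensitive = [a for a in mail.attachments
                 if any(m in a.lower() for m in SENSITIVE_MARKERS)]
    warnings: List[str] = []

    for r in recipients:
        hit = lookalike_of(domain_of(r), known)
        if hit:
            warnings.append(f"{r}: domain resembles {hit} but is not it")
        elif r not in prior_contacts:
            warnings.append(f"{r}: never emailed before, confirm the address")
    if sensitive and external:
        warnings.append(f"sensitive attachment(s) {sensitive} addressed to "
                        f"external recipient(s) {external}")
    if external and len(external) < len(recipients):
        warnings.append("internal and external recipients mixed on one message")
    return warnings


# Constructed sample: an internal domain, two trusted partners, and a history
# of who this sender has corresponded with before.
INTERNAL_DOMAIN = "example-bank.test"
TRUSTED_DOMAINS = {"audit-partner.test", "law-firm.test"}
PRIOR_CONTACTS = {"j.doe@example-bank.test", "a.smith@audit-partner.test"}

SAMPLE_MAIL = OutboundMail(
    sender="m.jones@example-bank.test",
    to=["j.doe@example-bank.test", "a.smith@audit-partner.test"],
    # 'audlt' is one edit from 'audit'; p.kahn has never been emailed before.
    cc=["b.lee@audlt-partner.test", "p.kahn@example-bank.test"],
    attachments=["Q4_client_statements.xlsx"],
)

if __name__ == "__main__":
    for line in check_before_send(SAMPLE_MAIL, INTERNAL_DOMAIN,
                                  TRUSTED_DOMAINS, PRIOR_CONTACTS):
        print("WARN:", line)
```

Run as a script, the sample produces four warnings: the lookalike domain, the first-time internal recipient, the client statements heading to external addresses, and the mixed recipient list. The edit-distance threshold is deliberately small; raising it catches more lookalikes but starts flagging legitimately similar partner domains, which is the same false-positive trade-off the DLP discussion makes about classifiers.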
CONCLUSION

Email remains a risky yet essential tool for every business. With a layered security strategy in place, consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.

Given the nature of the industry, financial services organisations are a prime target for cyber criminals. The attraction of personal information and financial transactions to attackers is never going to dwindle, so financial institutions must prioritise cyber security, regularly assessing risks, deploying innovative, human-led solutions and educating their workforces to provide the best defence possible.
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards JANUARY/FEBRUARY 2021 NETWORKcomputing 11