The financial services industry is no stranger to regulation, but the impending arrival of the General Data Protection Regulation (GDPR) on 25 May is setting nerves on edge. The reason is the size of the fines facing organisations that fail to comply.
The maximum financial penalty that can be imposed under the GDPR is €20m or 4% of turnover, whichever is the higher. Much has been written about the Tesco breach in November 2016, when 9,000 of its banking customers had their accounts compromised, and the fact that, had the GDPR fine been imposed on the group, it would have amounted to £1.9bn.
Not surprisingly, businesses have been focusing intently on understanding the terms of the GDPR and making sure they are fully compliant. But there is a danger here. The terms of the GDPR were set out in May 2016, and the tactics and techniques of hackers have grown increasingly sophisticated since then. Adhering to a set of regulations is not an adequate data protection strategy.
The real cost of a data breach
When a serious data breach occurs, everyone loses. Customers may find their accounts drained, as in the case of Tesco, or their personal information leaked, as in the case of the Uber breach in 2017. This leaves them feeling insecure and their confidence in the targeted organisation is hit hard.
When hackers stole the personal records of 57 million riders and drivers from Uber, the company agreed to pay a ransom of $100,000 and tried to cover the whole thing up. This dishonesty backfired when Bloomberg broke the story, and Uber has been trying to rebuild its reputation ever since.
A loss of customer confidence can be fatal, especially in the financial services industry. Customers trust their bank to take good care of their financial assets and the data that can unlock them. The cost of rebuilding trust after an incident like the attacks on Tesco and Uber, coupled with the costs of paying compensation, fighting off the attack and rebuilding a more robust data security infrastructure, should be the real focus when putting together your data protection strategy.
Build some realism into your data security
The fact is that data breaches are inevitable. The cyber attack surface is growing all the time and the incidence of attacks, particularly against the financial services industry, is growing exponentially. In 2016 the Financial Conduct Authority received 38 reports of material cyber incidents; in 2017 that figure rose by more than 80% to 69. It’s how you prepare for the inevitable breaches that matters most to your business.
Traditionally it has been a case of protecting your system perimeters, detecting attempts to break in and reacting quickly to stamp them out, but now we know that this is not the most effective approach. While protecting your perimeters is still important as one line of defence, it’s how you contain an attack once it’s inside your network that really matters.
Containment is key
The hackers that attacked Uber got in with relative ease through a third party, then had a field day as they moved around finding valuable data that was not properly segmented and protected. Had they not been able to move around with such ease, the scandal could have been avoided.
Where organisations fall down is not so much in failing to keep out bad actors but in allowing them to move around the whole system once they’re in. It’s like putting all your assets in the same vault – or all your eggs in one basket. Once the hacker’s broken into the basket, there’s no stopping them.
In fact, they might not even have to break in. The most common threat to an organisation’s data security comes from its own employees, both through malicious intent and unwitting carelessness. Robust data security, therefore, should not only follow the ‘protect, detect, react’ approach but should control the access permissions of every single user, app and device connected to your system.
This means effecting a change in the culture of data security, from one where everyone within the perimeter is assumed to be friendly unless proven hostile, to one where everyone is seen as a potential threat. This ‘zero trust’ approach means determining which users and devices require access to which data assets, then applying segmentation to create an encrypted barrier between assets. With this level of protection in place, any data breach remains localised and contained and the damage is limited.
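To make the containment argument of the two preceding sections concrete, the following is an added example (not from the original article, nor any real bank's or Uber's architecture) of a deny-by-default access policy over segmented data assets. The asset inventory, identities and rules are constructed; it models who may reach which segment from which device class and compares the blast radius of a compromised third-party account under a flat, perimeter-only network with the same account under segmentation. Encryption between segments is assumed to be enforced separately and is not modelled.

```python
from dataclasses import dataclass

# Constructed inventory: each data asset lives in exactly one segment.
ASSET_SEGMENT = {
    "build-server":     "engineering",
    "source-repo":      "engineering",
    "customer-records": "customer-data",
    "payment-ledger":   "payments",
}

@dataclass(frozen=True)
class Rule:
    principal: str        # user, app or device identity (hypothetical names)
    device_class: str     # "managed", "contractor" or "any"
    segment: str
    actions: frozenset

# Constructed allow-list. Anything not listed here is denied.
POLICY = [
    Rule("vendor-ci",    "contractor", "engineering",   frozenset({"read"})),
    Rule("alice",        "managed",    "engineering",   frozenset({"read", "write"})),
    Rule("alice",        "managed",    "customer-data", frozenset({"read"})),
    Rule("payments-svc", "managed",    "payments",      frozenset({"read", "write"})),
]

def authorize(principal, device_class, asset, action):
    """Zero-trust decision: every request is checked against the allow-list,
    whether or not the caller is already 'inside' the network perimeter."""
    segment = ASSET_SEGMENT.get(asset)
    if segment is None:
        return False                      # unknown asset: deny
    return any(
        r.principal == principal
        and r.device_class in (device_class, "any")
        and r.segment == segment
        and action in r.actions
        for r in POLICY
    )

def blast_radius(principal, device_class, segmented=True):
    """Assets an attacker reaches after compromising this identity.
    segmented=False models the perimeter-only network the article warns
    against: once inside, every asset is reachable."""
    if not segmented:
        return set(ASSET_SEGMENT)
    return {a for a in ASSET_SEGMENT
            if any(authorize(principal, device_class, a, act)
                   for act in ("read", "write"))}

if __name__ == "__main__":
    print("flat network:", sorted(blast_radius("vendor-ci", "contractor", segmented=False)))
    print("segmented:   ", sorted(blast_radius("vendor-ci", "contractor")))
```

Note that the device class is part of the decision: the same user on an unmanaged device gets nothing, which is what "every single user, app and device" in the text implies.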
Restructuring can be good for business
Changing the way you structure and organise your data security may seem like a costly burden, made necessary by the GDPR, but there are significant advantages to be gained. A Digiterre white paper on businesses’ GDPR issues, published in January 2018, revealed concern over the time and cost involved in trying to comply with subject access requests, due to poorly organised records. By putting in place robust administrative processes, with easily searchable digital records, organisations can streamline their data processing to their own advantage, simultaneously refining their target market and communicating more effectively with customers.
In enforcing change in the way businesses and organisations structure their data assets, the introduction of the new regulation has presented an opportunity to review your data security strategy and implement an approach that will not only keep you compliant with the GDPR but, more importantly, keep you out of the headlines as the latest beleaguered victim of cybercrime.