Check, Please! Adding up the Costs of a Financial Data Breach
By Andrea Babbs, UK General Manager, VIPRE
Reliance on email as a fundamental function of business communication has been in place for some time. But as remote working has become a key factor for the majority of businesses during 2020, it’s arguably more important than ever as a communication tool. The fact that roughly 206.4 billion emails are sent and received each day means we’re all very familiar with that dreaded feeling of sending an email with typos, with the wrong attachment, or to the wrong contact. But this can be more than just an embarrassing mistake – the ramifications could, in fact, be catastrophic.
In particular, for the financial services industry that deals with highly sensitive information including monetary transactions and financial data, the consequences of this information falling into the wrong hands could mean the loss of significant sums of money. Emails of this nature are the Holy Grail for cyber criminals. So how can financial services organisations keep their confidential information secure to safeguard their data and reputation? Andrea Babbs, UK General Manager, VIPRE, explains.
According to research from Ponemon Institute in its Cost of a Data Breach Report 2020, organisations spend an average of $3.85 million recovering from security incidents, with the usual time to identify and contain a breach being 280 days. Accenture’s 2019 Ninth Annual Cost of Cybercrime study found that financial services incurred the highest cybercrime costs of all industries. And while examples of external threats seem to make the headlines, such as the Capital One cyber incident, unintentional or insider breaches don’t always garner as much attention. Yet they are both as dangerous as each other. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in a confirmed data disclosure.
Costs will be wide-ranging depending on the scale of each breach, but at a minimum there will be financial penalties and the cost of audits to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening in the future. There could also be huge costs involved in reimbursing customers who may have been affected by the breach in turn.
The fallout from data breaches goes far beyond that of financial penalties and costs. Financial services businesses have reputations to uphold in order to maintain a loyal customer base. Those that fail to protect their customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously impede the organisation as a whole. Within such a highly competitive market, it doesn’t take much for customers to take their money elsewhere – customer service and reputation is everything.
Within the financial services sector, the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. With this, there are three critical components that must be considered:
- Authentication and encryption: Hackers may try to attack systems directly or intercept emails via an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Adding a dedicated email-to-email encryption service to your email security arsenal increases your protection in this area. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries.
- Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive financial information are essential, as well as clear steps to follow when a security incident happens. Employees must undergo cyber security awareness training when they join the organisation and then be enrolled in an ongoing programme with quarterly or monthly short, informative sessions. This training should also incorporate ongoing simulated phishing attacks, to demonstrate to users how these incidents can appear and to educate them on how to spot and flag them accordingly. Moreover, automated phishing simulations can also provide key metrics and reports on how users are improving in their training. This reinforcement of the security messaging, working in tandem with simulated phishing attacks, ensures that everyone is capable of spotting a phishing scam and knows how to handle sensitive information, as they are aware of and regularly reminded of the risks involved.
- Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Fully technical solutions such as machine learning can only go so far in preventing breaches; it is the human element that can truly decide between what is safe to send and what is not. In practice, machine learning will either stop everything from being sent – becoming more of a nuisance than a support to users – or it will stop nothing. Rather than disabling time-saving features such as autocomplete so that employees do not become complacent when selecting the right email recipient, DLP solutions leave the working practices of users intact and instead give them a critical second chance to double check.
It is this double check that can be the critical factor in an organisation’s cybersecurity efforts. Users can be prompted based on several parameters that can be specified. For example, colleagues in different departments exchanging confidential documents with each other and with external suppliers means that the TO and CC fields are likely to have multiple recipients in them. A simple incorrect email address, or a cleverly disguised spoofed address cropping up as emails go back and forth, is likely to be missed without a tool in place to highlight it to the user and give them a chance to double check the accuracy of the recipients and the contents of attachments.
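The pre-send "second chance" prompt described above, as an added example that is not the article's own or VIPRE's product code: it flags unrecognised or lookalike recipient domains and sensitive attachments addressed outside the organisation. The organisation domain, approved supplier domains, attachment name markers and sample messages are all constructed, and the lookalike rule is a simple one-edit distance.

```python
"""Outbound recipient/attachment check in the spirit of a DLP pre-send prompt.
Added example, not VIPRE's product or code. All names below are constructed."""
from typing import List, Optional

INTERNAL_DOMAIN = "examplebank.test"                       # assumed organisation domain
TRUSTED_EXTERNAL = {"supplier-one.test", "auditors.test"}  # assumed approved partners
CONFIDENTIAL_MARKERS = ("confidential", "statement", "account")  # assumed filename markers


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address (case-folded so 'I' and 'l' tricks still match)."""
    return addr.rsplit("@", 1)[-1].lower()


def _within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by one substitution, insertion or deletion (or are equal)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):                      # single substitution
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):                       # make a the shorter string
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]                 # single insertion/deletion


def _lookalike(dom: str, known: set) -> Optional[str]:
    return next((k for k in sorted(known) if _within_one_edit(dom, k)), None)


def check_outbound(recipients: List[str], attachments: List[str]) -> List[str]:
    """Return the warnings a sender should see before the message leaves; [] means no prompt."""
    warnings, external = [], []
    known = {INTERNAL_DOMAIN} | TRUSTED_EXTERNAL
    for addr in recipients:
        dom = _domain(addr)
        if dom == INTERNAL_DOMAIN:
            continue
        external.append(addr)
        if dom in TRUSTED_EXTERNAL:
            continue
        near = _lookalike(dom, known)
        if near:
            warnings.append(f"{addr}: domain looks like {near} but is not it (possible spoof or typo)")
        else:
            warnings.append(f"{addr}: unrecognised external domain")
    sensitive = [a for a in attachments if any(m in a.lower() for m in CONFIDENTIAL_MARKERS)]
    if sensitive and external:
        warnings.append(f"sensitive attachment(s) {sensitive} addressed to external recipient(s) {external}")
    return warnings
```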
Email remains a risky, yet essential tool for every business. But with a layered security strategy in place consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.
Given the nature of the industry, financial services organisations are a prime target for cyber criminals. The temptation of personal information and financial transactions for hackers is never going to dwindle, so financial institutions must prioritise cyber security, regularly assessing risks, deploying innovative, human-led solutions and educating workforces to provide the best defence possible.