Richard Betts, Head of International Financial Services at Anomali
Increasingly, the lifeblood of businesses today is the data that flows 24/7, 365 days of the year. Yet it feels as though many organisations are not treating it as the priceless asset it should be, especially sensitive client data. If any board of executives did not adequately look after the cash it was dealing with every day, it would be removed. Yet the management of data isn’t seen as just as important. Why?
Too often the C-Suite treats data as a mere commodity and not as a strategic asset that a business can’t operate without. This is negatively impacting the security of this data, with firms treating the likes of cyber security as a drain on resources and not as an enabler of growth. The ROI is not as transparent as, say, that of a new payment platform that will directly generate new revenues, but it is just as fundamental for the future of any business. A cyber security attack can ruin a brand completely: first through the upfront chaos and second through the impact on customer and partner loyalty thereafter. It’s not something to take lightly, yet many are ill-prepared. Cyber security can become a key business enabler only if it is considered as a plus, as a way for businesses to better understand their assets, make more informed decisions, manage problems better, and improve efficiency and productivity. A defensive approach that treats cyber security as a protection layer, by contrast, is insufficient to cope with today’s growing threats.
Once again, a cyber attack has hit the headlines and brought data management and security to the fore. Millions of ordinary people’s data is now in the hands of a currently unknown actor(s) due to the breach at Equifax. It is estimated that 400,000 people in the UK have been affected and 145.5 million in the US. The data included dates of birth, email addresses and telephone numbers, not passwords or financial information, but it might not take a trained cyber criminal long to infiltrate other accounts and personal information, especially considering Equifax discovered the hack months ago but only informed consumers recently.
Organisations have to be more accountable. Many consumers may be cyber security savvy and yet still be impacted due to a business’s negligence. Many of us have complex passwords, back up data to offsite locations, use anonymous browsing where appropriate, etc. But despite all that, we are as much a victim here as our personal information, which was collected and lost by a third party with whom we have no relationship.
More regulation is required beyond protection of PII, and financial institutions need to adopt a stronger cyber security posture, for themselves and to protect the partners and customers they directly impact. It’s essential to step forward and do the right things:
- Transparency: Inform the people and businesses affected as soon as a data breach happens that their information has been exposed.
- Responsibility: Do not turn a breach into a marketing exercise. It is not a time to sign people up to your identity protection services; it will take time to rebuild the trust you have breached.
- Recover, Learn and Share: No one is 100% secure against actors even with the intent and right level of capabilities. It is essential to collaborate and support peers in order to reduce their risk of a similar attack.
Even if the attackers took advantage of vulnerabilities that shouldn’t have been possible, it is essential that such malicious activity is shared with industry peers. Within trusted circles such as Information Sharing and Analysis Centers (ISACs), organisations can learn from actor techniques and collaborate on cyber threat intelligence. As a result, sensitive data exposure can be reduced as stronger defences can be formulated, more informed decisions made, and investment strategies warranted. This is happening with the UBF-ISAC now, where Middle East banks are working together to equip themselves with the tools and intelligence to better identify, protect, detect and respond to cyber attacks.
In the age of big data, one hack has the potential to expose a huge volume of information. That problem is only going to get worse. Yet organisations will soon be held accountable and have to release details of a fine much faster with GDPR legislation and potential fines coming into effect in May 2018.
Equifax has a great opportunity to show clear responsibility and leadership during the aftermath. But for the future, organisations holding sensitive information must do more to protect their data like their cash, with early warning cyber threat notifications via a threat intelligence platform, and participating in industry sharing groups.