Bill Mann, Senior Vice President of Products and Chief Product Officer at Centrify
According to a recent study by Centrify, the financial services sector has the best reputation when it comes to dealing with security breaches compared with other sectors. Whilst the financial services sector has been no stranger to cyber-attacks and data breaches, its ability to demonstrate to customers and regulators that it has adequate cyber-security and compliance regulations in place to deal with a potential breach enables it to maintain its reputation and conduct business efficiently, with little disruption to its customers.
Cyber-attacks are becoming more frequent, more targeted and extremely sophisticated. The same Centrify study revealed that most consumers, to some extent, expect to be hacked today, and 73% think that it has become normal for businesses to be hacked also. More worrying is that 75% of UK consumers would walk away from a business that has been hacked, severely bringing into question its reputation and integrity and jeopardising its future. Clearly, the onus is on businesses to implement processes that both protect themselves and reassure their customers that adequate security measures are being taken.
Data breaches not only impact operational processes but can have a massive detrimental impact on brand, reputation and bottom line. Being able to limit this impact is something the financial services sector does particularly well. The difficulty in managing cyber-attacks is the breadth and array of attack techniques. Financial services firms are known to be very security conscious, and as mobile and online banking have increased, so have the entry points for cybercriminals. The use of spam and phishing emails, and even keystroke loggers, to steal employee login credentials and gain access to systems has also become a growing trend. On top of this is the insider threat. The JP Morgan breach in 2014 saw three of its employees charged in an indictment related to computer hacking and stealing the personal information of over 100 million customers.
An attack on the financial services industry has the potential to disrupt the global economy, so whether the motivation for attacks is to obtain confidential information or financial gain, the result of a breach in the financial sector can be far reaching. JP Morgan saw its share price fall by 1 percent after its security breach. However, as with most financial institutions, JP Morgan was already spending vast amounts of money on its digital security and, following the breach, committed to doubling that spend and to reviewing and increasing security procedures, including implementing access controls.
Financial services firms recognise that they need to spend on security to avoid the repercussions of such a breach. One of the biggest challenges in business is convincing the right people that spending on security is a necessity, and the financial services sector recognises that information protection is no longer an IT-only conversation within the organisation. C-level executives and board members are increasingly involved with protecting information and keeping intellectual property secure.
Businesses can learn from the financial services sector to determine what measures they can take, as well as the advice they can provide to consumers to protect their business and their reputation. New technologies and services must be adopted to cope with competitive pressure and the increasing regulations that must be complied with. Equally, businesses must ensure they are educating employees and customers on how to utilise these technologies to keep personal information secure.
Whether working to mitigate the risks of insider threats and advanced persistent threats, or to meet compliance regulations, organisations require a unified identity management and auditing solution that will enable centralised visibility and control over identities, privileged access management, policy enforcement and activity. This integration, automation and flexibility will allow businesses to maximise resources and efficiency.
Passwords can also provide hackers with one of the easiest ways to breach an otherwise secure system, and educating customers on good password hygiene should be central to any business security policy. However, passwords alone are no longer enough. Implementing an alternative such as biometrics and multi-factor authentication (MFA) will add an additional layer of security to protect against one of the leading causes of a data breach: compromised credentials (according to a survey by the Cloud Security Alliance (CSA)).
Ultimately, if a business wants to manage and maintain its reputation in the event of a breach, it should ensure that customers are kept well informed and notified as soon as possible should a breach occur. This is in line with the new EU General Data Protection Regulations (GDPR), due to come into force, which require businesses to notify the Information Commissioner’s Office of a data breach within 72 hours. This will go a long way to ensuring your customers remain your customers, and the impact of a breach can be kept under control as much as possible.