Going back to basics will solve a security headache for financial firms
- Paul Hampton, Senior Product Manager at Thales
- 08.07.2019 11:00 am, security, Financial IT
With reports of new data breaches hitting the news every day, you might be surprised to hear that spending on cyber-security is at an all-time high. However, as these attacks become more sophisticated, much of this spend has been focused on protecting the wrong areas. In particular, businesses have increasingly prioritised securing the perimeter surrounding IT systems instead of the data itself. In fact, network security hardware, such as firewalls and unified threat management, is seeing continued investment from businesses.
This is a major problem. Perimeter security is just what it says it is: the first line of defence for any organisation. It is not a solution that is going to protect an organisation’s most important asset; it is simply there to help deter or slow the hackers down. But once that line of defence is breached – and it will be breached – organisations must have more security up their sleeves or risk their data being exposed to the world.
While a pressing issue for any business, this problem has become more complex for financial firms. New regulations such as PSD2, which forces banks to open their APIs and data to the wider world, have meant that the potential for data to be exposed is increasing for both legacy and new players. Consequently, it is more important than ever for financial companies to go back to basics and take five simple steps in order to safeguard their own and their customers’ data:
1. A data review
People will often bank with the same organisation for decades, meaning that there is a treasure trove of valuable information, from spending habits to personal details, that a hacker would want access to. In order to adequately defend against a potential attack, the first step is for a bank to figure out where all of its data lies by conducting a data sweep. Only by taking this first step is it possible for an organisation to know which data it stores and how best to protect it.
2. Prioritise secure authentication
The next step for financial organisations is to employ a robust two-factor authentication strategy. Essentially, two-factor authentication means a person must have a code or message on their smartphone, as well as something only they know, such as a password, to access a network or app. This provides an extra layer of security in the event that a user’s ID or password is compromised.
3. Encrypt all important information
Data encryption is a vital third step in properly safeguarding data. This means that if hackers do gain access to the data, it will not make meaningful sense to them, as the system will have scrambled the information. Any party who does not have access to the encryption key required to unlock the data will find it rendered useless. Being able to ring-fence sensitive data with encryption makes conducting a data sweep in the first instance a top priority. By employing encryption, data is secure regardless of whether it is stored in the cloud or in a local data centre.
4. Store encryption keys correctly
The next step is to safely store the encryption keys. Whenever data is encrypted, an encryption key is created, and whoever holds that key can unlock and access the encrypted data. Encryption only works if the right key management strategy is implemented. Companies must ensure the keys are kept safe by storing them in secure locations, such as in external hardware away from the data itself, to prevent them being hacked along with the data.
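The encryption and key-separation pattern of steps 3 and 4, as an added example in Go that is not part of this article or of any Thales product: each record is encrypted under its own data-encryption key (DEK), and that DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves `KeyVault`, a hypothetical stand-in for an HSM or key manager. With that split, a copy of the database yields ciphertext and wrapped keys but nothing readable, and any tampering with the stored ciphertext is detected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws n bytes from the OS CSPRNG; a failure there is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // keys here are always 32 bytes, so this is a bug
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts plaintext under key (AES-256-GCM) with a fresh random nonce prepended.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; it fails on the wrong key or any tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// KeyVault is a hypothetical stand-in for step 4's separate key store (an HSM or key
// manager): the key-encryption key (KEK) never leaves it; it only wraps and unwraps DEKs.
type KeyVault struct{ kek []byte }
func NewKeyVault() *KeyVault { return &KeyVault{kek: randBytes(32)} }
// Record is all the database holds: ciphertext plus the KEK-wrapped DEK, never the KEK.
type Record struct{ Ciphertext, WrappedDEK []byte }
// EncryptRecord encrypts under a fresh per-record data-encryption key (DEK).
func EncryptRecord(v *KeyVault, plaintext []byte) Record {
	dek := randBytes(32)
	return Record{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(v.kek, dek)}
}
// DecryptRecord needs the vault: a copy of the database alone cannot unwrap the DEK.
func DecryptRecord(v *KeyVault, r Record) ([]byte, error) {
	dek, err := open(v.kek, r.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, r.Ciphertext)
}
```

Losing the vault loses the data too, so the KEK needs a backup and rotation plan of its own; rotating the KEK only requires re-wrapping the stored DEKs, not re-encrypting every record.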
5. Make cyber-security a business priority
Financial organisations have an obligation to educate both their employees and their clients about the steps the business has taken to secure its data. While employees must be aware of the steps taken to ensure best practice, businesses should also ensure clients understand how their data is being protected in order to build confidence in data security.
Looking Ahead
PSD2 is changing the nature of the financial landscape, and traditional banks are now competing with other financial organisations for access to data, which only further emphasises the need for data security. Whilst banks have built a reputation for trustworthiness, newer organisations, such as fintechs, must put the correct steps in place to garner the same level of trust from consumers. Getting the basics right is a great place to start. Investing large amounts in security is pointless if businesses are not doing the right things. In the first half of 2018, of the 944 security breaches reported, just 2% of the stolen, lost or compromised data was protected by encryption. Whilst mastering the basics will not prevent breaches entirely, it will make the business a less enticing target for hackers and minimise the impact of breaches in the future.