With corporate data breaches making news headlines almost every other day, it is critical for finance professionals and leaders to understand the fast-evolving cyberthreat landscape. For instance, the global outbreak of COVID-19 has heightened threat levels and arguably created new vulnerabilities.
As many governments enforce strict lockdowns, cybercriminals and hackers are capitalising on the collective anxiety that the coronavirus pandemic has triggered.
The World Health Organization (WHO) has warned of fraudulent emails sent by criminals posing as the WHO, while the UK’s National Cyber Security Centre has alerted the public to bogus emails claiming to have important coronavirus updates with links that, once clicked on, lead to devices being infected with malware. Moreover, experts are cautioning that as people are increasingly forced to work from home, data security risks are multiplying.
For finance professionals and decision-makers, the stakes are high — with customer records and proprietary business information becoming increasingly vulnerable to attacks. In South Africa, for example, Nedbank recently revealed that a security breach at a third-party supplier had compromised the details of as many as 1.7 million of its clients.
The financial impact of such a breach can be ruinously high — with 2019 research from IBM Security pinning the average cost of a data breach at $3.9 million and underscoring that “the long tail costs of a data breach can be felt for years after the incident”.
“Financial organisations manage money, can be cash rich, and hold personal details of businesses and individuals across the globe, making them a high-value target,” said London-based Dan Sloshberg, senior director, product marketing at cybersecurity provider Mimecast. “Not only will attacks set the organisation back in terms of dollars and resources, it’s also a major hit to brand reputation.”
We spoke to experts about what organisations need to know about major data security risks and what to watch out for.
The rise of “dark” data. According to the International Data Corporation, the collective sum of the world’s data will grow from 33 zettabytes (ZB) this year to 175 ZB by 2025, for a compounded annual growth rate of 61%.
“Our digital footprints are bigger — and riskier — than ever, and an increased reliance on data is driving more governance, especially in the case of personal data,” explained Jasmit Sagoo, senior director, head of technology, UK&I, at data management company Veritas. “Yet many businesses are still struggling to manage the data they hold. Worryingly, EMEA [Europe, Middle East, and Africa] organisations, including those in South Africa, admit that over half (54%) of their data is ‘dark’ … indicating that they have limited or no visibility over vast volumes of potentially business-critical data.”
Importantly, the inability to locate data means that many businesses have no idea what data (or how much of it) is valuable — and how much of it poses a risk.
“If businesses can’t validate the risk associated with the data they hold, they can’t properly protect it from getting into the wrong hands,” Sagoo added.
Human error and poor email hygiene. “Research has shown that 90% of all security breaches involve human error,” said Mimecast’s Sloshberg. “Opening bad attachments, clicking on bad links, inadvertently visiting a malicious website are all actions that could lead to a breach.”
Sloshberg highlighted that email is the preferred tool for cybercriminals and is effectively used to trick targets into handing over money, sensitive information, and login credentials, or to deliver malware into the organisation.
“Cybercriminals are using increasingly sophisticated and stealthy tactics, including phishing and social engineering,” he explained. “Financial organisations need to better understand individual and group employee risk scores and direct appropriate security awareness training to ensure their staff is diligent and constantly getting smarter on security.”
Increasing pressure to innovate. Established and “traditional” financial services providers, and retail banks in particular, are coming under increasing pressure to innovate and offer new digital products and services. Indeed, as more nimble fintech “disruptors” such as South Africa’s “fully digital” TymeBank enter the banking value chain, established players are forced to innovate quickly and at least be seen to be staying abreast of digital disruption.
“The sheer pace of innovation is a [security] risk in itself,” said Craig Rosewarne, managing director at cyberthreat management firm Wolfpack Information Risk. “It’s a double-edged sword really, because banks have to innovate in order to not get left behind — yet innovating quickly without proper due diligence opens up all kinds of data security exposures.”
Storing backlogs of stale data. According to Sagoo, the “out of sight, out of mind” nature of data means that it eventually stops being properly managed, maintained, and protected. Over time, this can pose a major security risk to financial services providers and their customers.
“With no ability to locate or gain insight into their data, it’s no surprise that many businesses are also failing to put in place policies around data retention and deletion [based on the nature of their data],” Sagoo said. “The financial industry’s heavily regulated environment is partly responsible for creating a culture that is cautious to delete anything. This makes the industry one of the worst offenders when it comes to storing huge backlogs of stale data.”
Exposure through third-party suppliers. Increasingly, traditional financial services providers are looking to deliver new services that sit outside their core environment. For example, many South African banks are no longer just banks — they are functioning as specialised retailers as well as telecommunications providers in order to provide more value to customers.
“As a result, the financial services environment is becoming more complex, and banks are working with more and more third parties in order to be able to provide certain noncore products and services,” Rosewarne said. “This opens up a new world of vulnerabilities and risks, as we have just witnessed in the case of the Nedbank data breach.”
Investing in ‘proactive protection’
With such a complex and fast-changing cyber risk landscape, financial institutions have to make proactive data security investments a top priority.
“Effective security investments should go beyond defensive strategies and include more proactive protection that not only protects what’s yours but extends to what lives in the wider cybersphere and can harm you or your customers and partners,” Sloshberg said. “Organisational resilience starts with protection at the email perimeter, which remains the number one attack vector, and can be accomplished with advanced, up-to-date email security and data loss prevention. Added to technology solutions, awareness training is an important investment for any financial institution.”
— Jessica Hubbard is a freelance writer based in South Africa. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.