Data Security for Banking - It’s Time to Think Differently
Summary
- Data security in financial institutions has traditionally been structured around storage repositories. However, when data is moved out of its expected storage location, it no longer benefits from the security controls put in place and is completely unprotected.
- The COVID-19 crisis has increased the vulnerability of data, while hackers and malicious insiders are always there to gain access and steal it. This requires a switch from a reactive to a proactive data security approach which removes most of the risk elements of human error and malicious intent.
- The SecureAge philosophy makes security an inherent property of data such that it can be moved or copied to any other location without compromising its security. SecureAge protects information in the fundamental data container – the file – using encryption.
Executive Summary
Data security has traditionally been structured around storage repositories. We like to protect information in databases, we use full disk encryption, and we use access controls to manage which individuals are allowed to use what data.
The problem is that when data is moved out of its expected storage location it no longer benefits from the security controls put in place. The data is then completely unprotected – it’s a lot like taking cash out of a safe.
Hackers are well resourced and expert at gaining access to and stealing data by removing it from its protected locations. The COVID-19 crisis has increased the vulnerability of data since there are now thousands more employees who are operating outside of the more secure confines of the organisational network. We also can’t forget the malicious insider who, in this new environment, no longer has to break through as many security controls.
This paper expands on these issues and then examines an approach whereby security is built right into the data itself. As a result, no matter where data roams, it remains protected and unreadable by bad actors inside and out.
The Reputation and Brand Damage of Data Breaches
Modern regulation has ensured that data breaches are now more public than ever. The fines, damages, and consequential costs may be substantial, but it is the financial institution’s reputation and brand that is likely to be hit hardest. According to a Ponemon Institute report 1, following a data breach, financial services organisations can expect an 8% drop in share value, while 65% of their customers will lose trust in the company and 31% will actually move to another provider.
It is therefore hardly surprising that the mantra of Resilience, Recovery, and Reputation is embedded in the psyche of IT professionals in financial services. The problem remains – however resilient your systems, if data is taken, then control over it is lost and the stolen information can be exploited. Once word gets out that data has been leaked, reputation and the inevitable brand damage will follow.
The Desjardins Group reported costs of $108M resulting from a data breach. A malicious insider with privileged access stole personal information. Part of the recovery package was credit monitoring through Equifax – an institution with its own unfortunate IT security reputation.
Difficulties With Legitimate Access to Sensitive Data
In addition to their large databases of client information and transactions, financial institutions hold a wide range of other data and documents such as trading reports, HR records, meeting notes, business plans, financial statements, reports generated by applications and databases, spreadsheets, and internal memoranda, many of which are highly confidential. Banks in most countries owe a duty of confidentiality to their customers, and intellectual property together with other digital assets also need to be managed and protected.
While individual documents can be and are encrypted and password protected – for example, when price sensitive corporate finance transactions are involved – human error can never be ruled out, especially when several team members are working under time pressures on drafts and redrafts. Encryption for these documents is performed manually, relying on the user both to make the choice to protect each document and to remember to encrypt the data every time. This requirement for case-by-case decisions creates the risk that files may be stored unprotected, leaving them open to theft.
Due to this complexity it is common for organisations to classify data based on subjective judgements, applying “stronger” protection for information classed as sensitive, and weaker protection for “less important” data. Cost, previous “unsatisfactory” technology experience, and regulators drive this thinking – for example, the Payment Card Industry Data Security Standard recommends that cardholder data is encrypted for both storage and transmission, while other less sensitive information is only protected by access controls.
The (Im)Practicalities of Identifying Sensitive and Vulnerable Data
For example, an executive’s travel plans may not seem especially important, but a hacker could use this information in the form of a social engineering attack to hoodwink the individual or one of their colleagues into approving large transactions, payments, or inadvertently installing malware.
In an ideal world, the IT Security Manager would continually review the data threat landscape, then translate that into updated technology policies which enhance the protection levels for data that is newly designated as sensitive. In the real world, however, this overhead is too great and there is too much other work and “fire-fighting” to be done.
Organisational Evolution Has Delivered a Complex IT Security Patchwork
As a result, IT professionals need to allocate significant amounts of time to reacting when problems arise in these legacy systems which need immediate attention – for example, security loopholes in a bank’s ATM network. A CIO with extensive industry experience that we interviewed for this paper described this process as a “whack-a-mole approach” driven by the practical realities of managing complex infrastructures.
The Data Security Silo
This siloed approach is taken because it is the pragmatic solution. We know that the data is what is important, but it is easier to protect each data store rather than securing the data itself. We know the problems, but we also know that trying to force people to take additional steps to increase security – like file encryption or passwords – will at best only reduce productivity and will more likely introduce human error or simply be ignored.
Of course, networks can be monitored for unauthorised data transmission and unusual behaviour, but this is just accepting that the security silo approach leaves vulnerable gaps between data stores.
IT security is hard.
A report by encrypted storage maker Apricorn indicates that remote workers don’t care about data security. More than half of IT decision makers believe remote workers represent a risk of data theft.
IT Security Education
However, as the sophistication of techniques such as social engineering, spear phishing and deep fakes increases, so does the likelihood of human error. It is just too easy to accidentally click on a link that releases ransomware or other malware.
COVID-19 Adds a New Dimension
This is not just a short-term crisis management issue – the success of home working may act as a tipping point both for employers, who see it as a potential source of cost savings, and for staff, who see it as a way of reducing commuting time and expenses.
This wholesale move to remote working with newly acquired hardware or employees’ own devices provides a less monitored and more vulnerable attack vector for the hacker or malicious insider.
In light of this, data security needs to be re-visited to accommodate the “new normal.”
“There will be a long-term adjustment to our location strategy - the notion of putting 7,000 people in the building may be a thing of the past.” Jes Staley, Barclays Bank CEO
Every Organisation Will Be Hacked
At some time, there will be an individual with malicious intent operating on your systems, having slipped in between the complex of patchworked security siloes. They could be looking to execute a modern-day bank heist. They may attempt to hold you to ransom or they may simply be gathering seemingly harmless data such as travel plans, personal interests, or staff promotions.
The attack may originate from a hacker, criminal group, or even a nation state. But a compromised user account, malicious insider, or rogue third party services employee who is “legitimately inside” the organisation doesn’t need to hack through any security controls – the data is there, in plain text, for the taking. They simply need to move it outside of its secure silo and the theft is complete.
If the data were inherently secure, then it would no longer matter where it was copied – the data would remain secure.
The Capital One data breach, which saw the theft of the personal details of 106 million individuals, was due to insider knowledge gained by a third-party cloud services employee.
It Is Time to Think Differently
This requires a switch from a reactive to a proactive data security approach which removes most of the risk elements of human error and malicious intent. By seamlessly encrypting data at source, the impact of data breach is neutralised by ensuring that information becomes unusable the moment it is removed.
SecureAge - Proactive Data Security
This means that data can be moved or copied to any other location without compromising its security. Even newly generated data such as a database export is inherently secured.
It should always have been this way.
SecureAge protects information in the fundamental data container – the file – using encryption. This takes place in the background so that neither the authorised user nor any application knows that encryption activities are going on. By securing the data within files the information itself is useless to anyone other than an authorised user. Legacy, current and new applications, and databases all benefit from this 100% encryption service without needing any change and without suffering any noticeable performance impact.
Personal details of 1.7 million customers of Nedbank of South Africa were made available to criminals through a breach at a third-party service provider who did not employ data encryption.
Authenticated Encryption
Privileged users are still able to do their job, moving and restoring files as necessary but they are unable to access file contents. This neutralises one of the most challenging vulnerabilities facing organisations - privileged users and database administrators who are normally in a perfect position to steal data.
Because with SecureAge the data is inherently secured, even a legitimate user who can view information at work will find that any stolen files remain encrypted and unreadable once outside the organisation. This is because authenticated encryption is part of each file rather than an attribute of a data store.
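The property described above, that the authenticated encryption travels with the file rather than with the store, can be demonstrated in a few lines. The following is an added example written for this page, not SecureAge's code: each file is sealed with AES-256-GCM under a key the user holds, a constructed format header is bound in as associated data, and nothing about the file's location is authenticated. A copy of the blob therefore opens exactly as the original does for the key holder, while anyone who merely holds the blob (a privileged administrator, a backup operator, a cloud provider) gets neither the contents nor an undetected edit. The header value and function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed format tag (an assumption of this example). It is bound to the
// ciphertext as associated data, so a blob from another format or version
// fails verification instead of decrypting to garbage.
var fileHeader = []byte("EXAMPLE-FILE-AEAD-v1")

// SealFile encrypts one file's contents with AES-256-GCM under key and
// returns header || nonce || ciphertext || tag. Only this blob is stored;
// the plaintext never reaches the disk.
func SealFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, fileHeader...)
	out = append(out, nonce...)
	// Seal appends ciphertext+tag to out; the header is authenticated but not encrypted.
	return aead.Seal(out, nonce, plaintext, fileHeader), nil
}

// OpenFile reverses SealFile. It succeeds only with the same key and an
// unmodified blob. Because no path or store identity is part of the
// authenticated data, a moved, copied or restored blob opens just as well.
func OpenFile(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hl := len(fileHeader)
	ns := aead.NonceSize()
	if len(blob) < hl+ns+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed file")
	}
	if !bytes.Equal(blob[:hl], fileHeader) {
		return nil, errors.New("unrecognised file header")
	}
	nonce := blob[hl : hl+ns]
	// Open returns an error on any bit flip in header, nonce, ciphertext or tag,
	// and on a wrong key; it never returns partially decrypted data.
	return aead.Open(nil, nonce, blob[hl+ns:], fileHeader)
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a database export.
	blob, err := SealFile(key, []byte("constructed sample: account ledger export"))
	if err != nil {
		panic(err)
	}
	copied := append([]byte{}, blob...) // "copied to another location"
	pt, err := OpenFile(key, copied)
	fmt.Printf("copy opens with key: %q (err=%v)\n", pt, err)

	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenFile(key, tampered)
	fmt.Println("tampered copy rejected:", err != nil)

	_, err = OpenFile(make([]byte, 32), blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The design choice worth noting is what is not in the associated data: binding the path or host name would make the blob unreadable after a legitimate move or restore, which is exactly the administrative work the passage says privileged users must still be able to do. Key management (who holds the key and how it is released to an authorised user's session) is outside this example.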
Cloud Data Security
A further benefit of this approach is that inaccurate access controls on data stores become a less urgent concern. And the risk of mis-configuration or of privileged user access by a third party, such as a cloud services provider, is mitigated.
According to a report by cloud security firm Ermetic, “As public cloud is a dynamic, on-demand environment, users and applications often accumulate unnecessary permissions. 80% of businesses are unable to identify excessive access to sensitive data” 2.
Clearly, accurate access controls are important, but with SecureAge the hacker or malicious insider who steals data from an incorrectly secured store will find that the data is encrypted and unreadable.
Process Execution Control
This “allow list” facility defends against both external attack and threats from insiders, ensuring that all unwanted software, scripts and fileless attacks are unable to execute.
Hackers are blocked from running malware that steals data, identifies and exploits vulnerabilities, or opens backdoors to the corporate network.
Recent high-profile ransomware incidents include Travelex, Diebold Nixdorf and the New York law firm Grubman Shire Meiselas & Sacks, whose files on Lady Gaga have just been leaked by a hacker group.
SecureAge - Transparent Data Encryption the Way It Should Always Have Been
By extending encryption to all data no matter where it is stored, the need to use data classification for the purpose of choosing levels of protection is removed. This frees the IT Security Manager from the responsibility and burden of deciding which data is more important than the rest.
The proliferation of cloud services together with COVID-19 forcing widespread data usage from uncontrolled networks and endpoints means that it is time finally to protect the data itself rather than just securing its storage silos. By removing the human element of making security decisions, SecureAge makes file-level data encryption a mainstream reality.
Frequently Asked Questions
1 Ponemon Institute: The impact of data breaches on reputation and share value
2 Nearly four in five businesses suffered a cloud data breach in past year and a half: https://www.itproportal.com/news/nearly-four-in-five-businesses-suffered-a-cloud-data-breach-in-past-year-and-a-half/
3 Article 34(3)(a) states that notification to individuals is not required where an organisation has: “implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption”