Data Security for Banking - It’s Time to Think Differently

It is a given that financial institutions are well-versed in security; banks have been around for centuries. They are proficient at protecting transactions and deposits, making security part of their DNA. The modern financial institution continues to apply this DNA to contemporary technologies.

Data security has traditionally been structured around storage repositories. We like to protect information in databases, we use full disk encryption, and we use access controls to manage which individuals are allowed to use what data.

The problem is that when data is moved out of its expected storage location it no longer benefits from the security controls put in place. The data is then completely unprotected – it’s a lot like taking cash out of a safe.

Hackers are well resourced and expert at gaining access to and stealing data by removing it from its protected locations. The COVID-19 crisis has increased the vulnerability of data since there are now thousands more employees who are operating outside of the more secure confines of the organisational network. We also can’t forget the malicious insider who, in this new environment, no longer has to break through as many security controls.

This paper expands on these issues and then examines an approach whereby security is built right into the data itself. As a result, no matter where data roams, it remains protected and unreadable by bad actors inside and out.

Modern regulation has ensured that data breaches are now more public than ever. The fines, damages, and consequential costs may be substantial, but it is the financial institution’s reputation and brand that is likely to be hit hardest. According to a Ponemon Institute report ¹, following a data breach, financial services organisations can expect an 8% drop in share value, while 65% of their customers will lose trust in the company and 31% will actually move to another provider.

It is therefore hardly surprising then that the mantra of Resilience, Recovery, and Reputation is embedded in the psyche of IT professionals in financial services. The problem remains – however resilient your systems, if data is taken, then control over it is lost and the stolen information can be exploited. Once word gets out that data has been leaked, reputation and the inevitable brand damage will follow.

The Desjardins Group reported costs of $108M resulting from a data breach. A malicious insider with privileged access stole personal information. Part of the recovery package was credit monitoring through Equifax – an institution with its own unfortunate IT security reputation

In addition to their large databases of client information and transactions, financial institutions hold a wide range of other data and documents such as trading reports, HR records, meeting notes, business plans, financial statements, reports generated by applications and databases, spreadsheets, and internal memoranda, many of which are highly confidential. Banks in most countries owe a duty of confidentiality to their customers, and intellectual property together with other digital assets also need to be managed and protected.

While individual documents can be and are encrypted and password protected – for example, when price sensitive corporate finance transactions are involved – human error can never be ruled out, especially when several team members are working under time pressures on drafts and redrafts. Encryption for these documents is performed manually, relying on the user both to make the choice to protect each document and to remember to encrypt the data every time. This requirement for case by case decisions creates the risk that files may be stored unprotected, leaving them open to theft.

Due to this complexity it is common for organisations to classify data based on subjective judgements, applying “stronger” protection for information classed as sensitive, and weaker protection for “less important” data. Cost, previous “unsatisfactory” technology experience, and regulators drive this thinking – for example, the Payment Card Industry Data Security Standard recommends that cardholder data is encrypted for both storage and transmission, while other less sensitive information is only protected by access controls.

But to mitigate against all threats as they evolve it is simply not practical to determine what kind of data is valuable and “worth protecting” at any one time, and which information should be less well protected.

For example, an executive’s travel plans may not seem especially important, but a hacker could use this information in the form of a social engineering attack to hoodwink the individual or one of their colleagues into approving large transactions, payments, or inadvertently installing malware.

In an ideal world, the IT Security Manager would continually review the data threat landscape, then translate that into updated technology policies which enhance the protection levels for data that is newly designated as sensitive. In the real world, however, this overhead is too great and there is too much other work and “fire-fighting” to be done.

Large financial institutions tend to have numerous legacy IT systems as a result of mergers and acquisitions stretching back over twenty or thirty years as well as dozens – if not hundreds – of different corporate entities in a wide range of jurisdictions.

As a result, IT professionals need to allocate significant amounts of time to reacting when problems arise in these legacy systems which need immediate attention – for example, security loopholes in a bank’s ATM network. A CIO with extensive industry experience that we interviewed for this paper described this process as a “whack-a-mole approach” driven by the practical realities of managing complex infrastructures.

With current IT security we focus on securing data store locations with full disk encryption, database encryption, and application security plus access controls functioning as guards on the doors. The problem is that the data behind the doors is not inherently protected so that someone who gets past the guards can steal the data.

This siloed approach is taken because it is the pragmatic solution. We know that the data is what is important, but it is easier to protect each data store rather than securing the data itself. We know the problems, but we also know that if trying to force people to take additional steps to increase security – like file encryption or passwords – will at best only reduce productivity but will more likely introduce human error or simply be ignored.

Of course, networks can be monitored for unauthorised data transmission and unusual behaviour, but this is just accepting that the security silo approach leaves vulnerable gaps between data stores.

IT security is hard.

A report by encrypted storage maker Apricorn indicates that remote workers don’t care about data security. More than half of IT decision makers believe remote workers represent a risk of data theft

Using IT security education to keep staff engaged with IT security and being aware of threats is a crucial part of protecting data, systems, and networks.

However, as the sophistication of techniques such a social engineering, spear phishing and deep fakes increases, so does the likelihood of human error. It is just too easy to accidentally click on a link that releases ransomware or other malware.

And then came the pandemic. Organisations have reacted rapidly and impressively in supporting home working by their employees, especially since conventional disaster recovery plans never envisaged the situation.

This is not just a short-term crisis management issue – the success of home working may act as a tipping point both for employers, who see it as a potential source of cost savings, and for staff, who see it as a way of reducing commuting time and expenses.

This wholesale move to remote working with newly acquired hardware or employees’ own devices provides a less monitored and more vulnerable attack vector for the hacker or malicious insider.

In light of this, data security needs to be re-visited to accommodate the “new normal.”

“There will be a long-term adjustment to our location strategy - the notion of putting 7,000 people in the building may be a thing of the past.” Jes Staley, Barclays Bank CEO

“There are three types of organisation – those which have been breached and know it; those which have been breached and don’t know it; and those which have yet to be breached.” - Chief Information Officer.

At some time, there will be an individual with malicious intent operating on your systems, having slipped in between the complex of patchworked security siloes. They could be looking to execute a modern-day bank heist. They may attempt to hold you to ransom or they may simply be gathering seemingly harmless data such as travel plans, personal interests, or staff promotions.

The attack may originate from a hacker, criminal group, or even a nation state. But a compromised user account, malicious insider, or rogue third party services employee who is “legitimately inside” the organisation doesn’t need to hack through any security controls – the data is there, in plain text, for the taking. They simply need to move it outside of its secure silo and the theft is complete.

If the data were inherently secure, then it would no longer matter where it was copied – the data would remain secure.

The Capital One data breach, which saw the theft of the personal details of 106 million individuals, was due to insider knowledge gained by a thirdparty cloud services employee

Barriers and access controls that protect the “crown jewels” are important, but it is time to focus on securing the data itself as well.

This requires a switch from a reactive to a proactive data security approach which removes most of the risk elements of human error and malicious intent. By seamlessly encrypting data at source, the impact of data breach is neutralised by ensuring that information becomes unusable the moment it is removed.

SecureAge rethinks security so that data itself is protected rather than simply securing its storage location. The SecureAge philosophy makes security an inherent property of data – in effect tweaking its DNA – in a way that is imperceptible to those who generate and use it every day.

This means that data can be moved or copied to any other location without compromising its security. Even newly generated data such as a database export is inherently secured.

It should always have been this way.

SecureAge protects information in the fundamental data container – the file – using encryption. This takes place in the background so that neither the authorised user nor any application knows that encryption activities are going on. By securing the data within files the information itself is useless to anyone other than an authorised user. Legacy, current and new applications, and databases all benefit from this 100% encryption service without needing any change and without suffering any noticeable performance impact. 

Personal details of 1.7 million customers of Nedbank of South Africa were made available to criminals through a breach at a third-party service provider who did not employ data encryption

By using per-user or per-service encryption keys, only the authorised individual or process is able to access the data. This “authenticated encryption” builds both data security and authentication right into the data itself. Only authorised users can read data. Even administrators cannot decrypt information which does not contain their own keys.

Privileged users are still able to do their job, moving and restoring files as necessary but they are unable to access file contents. This neutralises one of the most challenging vulnerabilities facing organisations - privileged users and database administrators who are normally in a perfect position to steal data.

Because with SecureAge the data is inherently secured, even a legitimate user who can view information at work will find that any stolen files remain encrypted and unreadable once outside the organisation. This is because authenticated encryption is part of each file rather than an attribute of a data store.

With SecureAge, the Cloud does not represent an increased security risk. Data remains encrypted no matter where it is stored, whether it is in the Cloud, on a server or in a report generated on a home-worker’s laptop.

A further benefit of this approach is that inaccurate access controls on data stores become a less urgent concern. And the risk of mis-configuration or of privileged user access by a third party, such as a cloud services provider, is mitigated.

According to a report by cloud security firm Ermetic, “As public cloud is a dynamic, on-demand environment, users and applications often accumulate unnecessary permissions. 80% of businesses are unable to identify excessive access to sensitive data” ².

Clearly, accurate access controls are important, but with SecureAge the hacker or malicious insider who steals data from an incorrectly secured store will find that the data is encrypted and unreadable.

SecureAge provides a further level of protection which blocks the execution of unauthorised processes, including malware, ransomware, and keyloggers. Process execution control ensures that there can be no damage done, leaving servers running, staff working and data available and intact.

This “allow list” facility defends against both external attack and threats from insiders, ensuring that all unwanted software, scripts and fileless attacks are unable to execute.

Hackers are blocked from running malware that steals data, identifies and exploits vulnerabilities, or opens backdoors to the corporate network.

Recent high-profile ransomware incidents include Travelex, Diebold Nixdorf and the New York law firm Grubman Shire Meiselas & Sacks, whose files on Lady Gaga have just been leaked by a hacker group.

The design of SecureAge ensures that users enjoy a seamless experience which makes security natural, inherent, and automatic. The impact of, and opportunity for human error is significantly reduced by completely hiding the processes involved in data encryption, while making sure that only authorised processes may execute – even if someone inadvertently clicks on a malicious link.

By extending encryption to all data no matter where it is stored, the need to use data classification for the purpose of choosing levels of protection is removed. This frees the IT Security Manager from the responsibility and burden of deciding which data is more important than the rest.

The proliferation of cloud services together with COVID-19 forcing widespread data usage from uncontrolled networks and endpoints means that it is time finally to protect the data itself rather than just securing its storage silos. By removing the human element of making security decisions, SecureAge makes file-level data encryption a mainstream reality

1 Ponemon Institute: The impact of data breaches on reputation and share value
2 Nearly four in five businesses suffered a cloud data breach in past year and a half: https://www.itproportal.com/news/nearly-four-in-five-businesses-suffered-a-cloud-data-breach-in-past-year-and-a-half/
3 Article 34(3)(a) states that notification to individuals is not required where an organisation has: “implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption”