February 26, 2015

What Cyber Threats Really Do to a Financial Organization

How would you answer this multiple choice question?

If your bank advises that there has been a data breach and your name and account numbers have been stolen by cyber criminals, you would:

a) Not worry about it.

b) Expect the bank to provide credit counselling.

c) Stop using that bank. 

While you should contact the bank and learn how to protect yourself, an increasing number of customers are choosing ‘c’.

The 2014 Cost of Data Breach Study – US by Ponemon showed that the financial industry has the highest customer churn rate of all industries: 7.1% of customers will stop dealing with an organization after a data breach.

Findings from SafeNet Inc., a data protection company, were similar. Its Q2 Breach Level Index report showed that 65% of respondents ‘would never’ or ‘were very unlikely’ to shop or do business again with a company that had experienced a data breach in which financial data (credit card information, bank account numbers, or the associated login details) had been stolen.

At the same time, 50% of respondents said that companies do not take identity theft prevention and cyber security seriously enough.

“Data breaches are not just breaches of security,” commented Tsion Gonen, chief strategy officer of SafeNet, in a news release. “They’re also breaches of trust between companies and their customers and can result in not only negative publicity but lost business, lawsuits, and fines that can threaten the viability of the business.”

Shred-it's infographic showed that the financial services industry experiences higher cybercrime costs than organizations in retail, hospitality, and consumer products. At least 5% of the estimated $100 billion in annual cybercrime revenue is taken from the financial services industry.

According to the 2014 Data Breach Investigations Report (DBIR), three attack patterns account for most incidents against financial organizations. Criminals use stolen credentials or exploit vulnerabilities in web applications (web app attacks), overwhelm systems and applications with malicious traffic (denial of service/DoS), or physically install payment card skimmers on ATMs and POS terminals.

How can companies in financial services improve their cyber defense?

  • Appoint a Chief Information Security Officer (CISO) with enterprise-wide responsibility, and create a culture of security from the top down.
  • Use up-to-date data loss prevention and endpoint security tools, and protect data and access with strong encryption and multi-factor authentication.
  • Provide security awareness training so employees know how to spot an attack and what to do when a breach incident occurs.
  • Put a comprehensive document management process in place. Keep confidential data on a need-to-know basis only, and securely destroy paper and e-media documents when they are no longer needed. Stockpiling retired electronic equipment that still holds data is a documented business risk.
  • Limit access to confidential information to employees who need it to do their jobs, and revoke access when people change roles or leave the company (as the DBIR advises). Collaborate with third parties to be sure their information security policies align with yours.
  • Ensure physical security so confidential information is well protected. Provide lockable file cabinets and storage areas as well as locked consoles for secure destruction of information that is no longer needed.
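The need-to-know and access-revocation points above are only as good as the review that enforces them. The script below is an added example (not Shred-it's or the DBIR's own code) of the reconciliation a practitioner would run periodically: it compares current entitlements against the HR roster and a per-resource policy of which roles may hold access, and flags accounts that are terminated, that have moved to a role the resource is not meant for, or that have no HR record at all. The roster, policy, resource and role names are constructed sample data.

```python
"""Access-review reconciliation: flag entitlements that no longer match HR status or role.

Added example, not code from the article or the DBIR. All users, resources
and roles below are constructed sample data (assumptions), not real systems.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str       # "terminated", "role_mismatch" or "orphan"
    user: str
    resource: str
    detail: str


# Constructed HR roster: user -> (employment status, current role)
ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "teller"),          # moved from loans to the teller line
    "bob": ("active", "loan_officer"),
    "carol": ("terminated", "loan_officer"),
    "dave": ("active", "it_admin"),
}

# Constructed need-to-know policy: which roles may hold each resource
POLICY: Dict[str, Set[str]] = {
    "core_banking_ro": {"teller", "loan_officer"},
    "loan_files": {"loan_officer"},
    "prod_db_admin": {"it_admin"},
}

# Constructed current entitlements as exported from the access system:
# resource -> users who currently hold it
GRANTS: Dict[str, Set[str]] = {
    "core_banking_ro": {"alice", "bob", "carol"},
    "loan_files": {"alice", "bob", "carol"},   # alice's old role, never revoked
    "prod_db_admin": {"dave", "svc_legacy"},   # svc_legacy has no HR record
}


def review_access(roster: Dict[str, Tuple[str, str]],
                  policy: Dict[str, Set[str]],
                  grants: Dict[str, Set[str]]) -> List[Finding]:
    """Walk every grant and report the ones that violate status or need-to-know."""
    findings: List[Finding] = []
    for resource, users in sorted(grants.items()):
        allowed = policy.get(resource, set())   # unknown resource: nobody is allowed
        for user in sorted(users):
            if user not in roster:
                findings.append(Finding("orphan", user, resource,
                                        "no HR record; treat as an unowned account"))
                continue
            status, role = roster[user]
            if status != "active":
                findings.append(Finding("terminated", user, resource,
                                        f"HR status is {status}"))
            elif role not in allowed:
                findings.append(Finding("role_mismatch", user, resource,
                                        f"role {role} not in {sorted(allowed)}"))
    return findings


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Collapse findings into the (user, resource) pairs to revoke, ordered for a ticket."""
    return sorted({(f.kind, f.user, f.resource)[1:] for f in findings})


if __name__ == "__main__":
    results = review_access(ROSTER, POLICY, GRANTS)
    for f in results:
        print(f"{f.kind:14} {f.user:10} {f.resource:16} {f.detail}")
    print("revoke:", revocation_list(results))
```

Run against the sample data, the review produces four findings: both of carol's grants (terminated), alice's leftover loan_files access (role mismatch after her move), and the svc_legacy account on prod_db_admin (no owner in HR). A resource missing from the policy is treated as allowing no one, so an undocumented system surfaces as mismatches rather than silently passing.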

Document security protocols help build trust with customers. Here are ways to implement and enforce security protocols in your workplace.