For financial services companies, data security is an enormous challenge. As the amount of information that they’re required to keep secure grows exponentially, so too does the challenge of doing this effectively.
Cyberattacks cost financial-services firms more to contain than in any other industry. The “Cost of Cyber Crime Study” from Accenture and the Ponemon Institute found that the average cost of cybercrime for financial services companies globally has increased by more than 40 percent over the past three years, from US$12.97 million per firm in 2014 to US$18.28 million in 2017.
Cross-border employee complexity
The complex and global nature of organisations which operate in the financial services sector means that communications are often conducted via mobile devices, and can inadvertently be set up in a way that creates more room for information leakage and cyber-security attacks.
Many cross-border calls use open telecommunications networks or ‘free’ consumer smartphone apps, which puts the confidentiality of information communicated via smartphones and tablets, whether sensitive written, audio or video-based information and data, at risk of being compromised. Along with the growing use of employee-owned devices in the workplace, the challenge becomes even greater.
Information leaks from, and attacks on, these communication channels in financial services companies are highly likely, more so today than ever before, and they can have a damaging impact on organisational reputation. Secure communications should be an essential component of an enterprise security technology strategy.
Organisations have more than just security to worry about: the repercussions of not meeting industry regulatory standards are so high that companies are now under additional pressure to find a form of communications that is both secure and compliant.
No matter how great the attention to regulatory compliance, and to implementing secure technology, there is always one element that it is difficult to control – a company’s employees. Clear policies need to specify what employees can do with data. Technology and training should be provided so that every employee understands the reason for the policies and the consequences of non-compliance.
MiFID II is a recent financial regulation that addresses the recording of communications, both in terms of the scope of communications that must be recorded and the requirement for firms to monitor those recordings in order to remain compliant. Whilst ensuring that communications are encrypted is vital for financial organisations, complying with regulatory and accountability requirements also demands control over how communications are saved and what is wiped from the system.
It has been well documented that, when communicating with clients or colleagues, some financial institutions are still using traditional consumer encrypted messaging services, such as WhatsApp, Slack or Viber. Whilst these consumer messaging apps offer end-to-end encryption, they fail to provide the requisite organisational control over communications. For consumers, this is a good thing for protecting personal information, but for financial services companies, whose reputations are built on confidentiality, apps like these often fall short.
Smart mobile considerations
- Control and Visibility: An enterprise needs tight centralised control of users, the ability to provision or de-provision users instantly, and reporting capabilities. Only authorised users can communicate on the secure encrypted network, greatly reducing the risk that it will be used for bad intentions. This also allows organisations to manage client contacts effectively and ensure that clients only have contact with the representatives approved by the enterprise. Because enterprise communications systems require contact lists to be closed, access within the app is restricted to authorised users only. This means that no communication can be made with the device’s own contacts, and the communications app cannot be used to reach a user’s personal address book.
- Accountability and Compliance: Financial services firms need full control of which data is stored and which data is wiped, an important capability that is non-existent in free consumer-based messaging apps. This is critical for communications compliance in regulated industries such as the financial industry. Under MiFID II, the ability to manage securely archived communications is key to meeting industry requirements, and the emergence of GDPR further demonstrates the need for a secure and compliant communications tool.
- Deployment Flexibility: Enterprises want the flexibility to deploy as a hosted service or to install in their own infrastructure as business requirements dictate. With recent consumer apps being scrutinised for how they use consumer data, enterprise users should have full confidence that their communications aren’t being used against them. Financial institutions should be allowed full ownership through on-premises deployments, which ensures that all employee and client data remains in-house.
- Security Comfort: Secure conference calling and group chat, secure transfer and storage of images, better call quality and LDAP integration enable secure collaboration across the enterprise, not just one-to-one communications. Financial institutions require this in order to offer employees and clients a secure and smarter method of communication.
Client and internal data security should be at the forefront of every strategic technology decision made by financial services companies. At the same time, usability is key to ensuring user engagement. Organisations should consider adopting an IT strategy based on robust security foundations and a flexible architecture that can evolve to support the most up-to-date open-source encryption algorithms, and should never rely on proprietary encryption technologies.
Encryption is key to enterprise security, but on its own it is not sufficient. Only encryption combined with control of the communications system and employee compliance with communications policies will protect financial services companies from ever-growing security threats. Ensuring that these aspects are considered in parallel will allow financial services companies to address their data security and compliance challenges, and minimise the impact of future cyber-threats.
Sourced by Derek Roga, CEO, EQUIIS Technologies