Financial services organisations have never been more at risk of data breaches. A recent report by RPC found that the number of data breaches reported by UK financial services firms increased 480% in 2018, with the retail banking sector seeing the largest relative increase in data breaches. A wider report by DLA Piper found that European companies suffered 60,000 data breaches in the 8 months following the GDPR laws coming into force, equating to one every 5 minutes.
The reports certainly seem to be reflected in the media, with UK banking institution Metro Bank reporting a sophisticated data breach in February 2019 whereby hackers intercepted text messages to gain access to bank accounts. Meanwhile, credit reporting firm Equifax reported that as many as 400,000 British accounts and 143 million U.S. accounts were compromised in a data breach in 2017 because one employee failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
This reflects an often overlooked truth about data breaches; although cyber attacks receive more attention in the press, it is more often human error or simple negligence that results in data breaches.
The Information Commissioner’s Office revealed in their yearly financial report for 2017/18 that 4 of the 5 leading causes of data breaches could be attributed to human error.
- Data sent by email to an incorrect recipient
- Data posted or faxed to an incorrect recipient
- Loss/theft of paperwork
- Failure to redact data
Human beings are inherently flawed, and the mistakes of an individual can jeopardise the entire business. Given the reputational and financial implications at stake, it is imperative that fintech directors understand which areas of the business are the most liable to cause a data breach.
One category of employee that puts the wider business at risk is the remote worker. Telecommuting is an increasingly common working arrangement whereby employees are occasionally permitted to work from home, and around 70% of people globally now work remotely at least one day a week.
However, remote work carries additional security risks. An employee working on a company laptop in a coffee shop may be connected to an unsecured WiFi network, which can expose private company data to interception by even unsophisticated attackers. Additionally, few employees can avoid using paper files altogether, and these confidential documents can quickly be lost or stolen in public places.
Employers should therefore clearly outline their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish remote working security policies that remove the scope for costly mistakes, such as by specifying that all file downloads should be work-related. Other advisable policies include implementing device monitoring, rigorous password protection and asking that devices and files are only used in specific locations with secure WiFi networks.
Another vulnerable area of any business is the administration department. Responsible for a business's financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. An administrator's role is therefore crucial for avoiding a data breach: if any of their responsibilities are performed incorrectly, sensitive data could quickly be obtained by malicious third parties.
With so many documents moving through the admin department every day, sensitive information found on meeting notes, tax forms and financial reports can become lost or stolen if an effective process is not in place. A prerequisite should therefore be establishing a clean desk policy in the office, whereby all employees are required to declutter their work-spaces at the end of each day.
By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Any data that is still in use and held in hard copy should be locked in storage cabinets overnight, with the most important files stored off-site at a secure information management facility. Furthermore, documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be retrieved and potentially used for blackmail or fraud.
Complacency is perhaps the most common reason for a data breach, and higher-level managers who fail to promote data security best practices pose the greatest risk. Managers are responsible for setting the standard in cyber-security, but if they become complacent about running security awareness programmes, their employees may also begin to forget their training.
Poor password management, opening suspect emails and leaving computers unlocked are all practices that creep into a business's culture if an example is not set at the top. Not only should managers regularly encourage their staff to change their passwords and lock their devices, but they should also arrange for external training to be made available to all staff.
For example, managers should invest in up-to-date e-learning training sessions for both online and offline security, as well as invite IT experts to teach employees about common hacking risks and how they should respond to a successful data breach.
The rising threat of cyber attacks is undeniable, and companies of all shapes and sizes should ensure preparations are made to deal with direct attacks. However, financial services organisations cannot afford to neglect the cost of mistakes made by staff, and any budget set aside for cyber-security should include resources for comprehensive training and for secure document storage and disposal. Only then can the risk of human error be minimised.
Written by Nik Williams, Shredall SDS Group