[BreachExchange] Check, Please! Adding up the Costs of a Financial Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Nov 30 10:40:19 EST 2020


https://securityboulevard.com/2020/11/check-please-adding-up-the-costs-of-a-financial-data-breach/

Reliance on email as a fundamental function of business communication
has been in place for some time. But as remote working has become a
key factor for the majority of businesses during 2020, it’s arguably
more important than ever as a communication tool. The fact that
roughly 206.4 billion emails are sent and received each day means
we’re all very familiar with that dreaded feeling of sending an email
with typos, with the wrong attachment, or to the wrong contact. But
this can be more than just an embarrassing mistake – the ramifications
could, in fact, be catastrophic.

Check Please! Within the financial services, layered cybersecurity
strategy is essential to keep sensitive information secure

In particular, for the financial services industry that deals with
highly sensitive information including monetary transactions and
financial data, the consequences of this information falling into the
wrong hands could mean the loss of significant sums of money. Emails
of this nature are the Holy Grail for cybercriminals. So how can
financial services organisations keep their confidential information
secure to safeguard their data and reputation?

How much?
According to research from Ponemon Institute in its Cost of a Data
Breach Report 2020, organisations spend an average of $3.85 million
recovering from security incidents, with the usual time to identify
and contain a breach being 280 days. Accenture’s 2019 Ninth Annual
Cost of Cybercrime found that financial services incurred the highest
cybercrime costs of all industries. And while examples of external
threats tend to make the headlines, such as the Capital One cyber
incident, unintentional or insider breaches don’t always garner as
much attention. Yet each is as dangerous as the other. In fact,
human errors (including misdeliveries via email) are almost twice as
likely to result in confirmed data disclosure.

Costs will be wide-ranging depending on the scale of each breach, but
at a minimum there will be financial penalties, plus the cost of audits
to understand why the incident happened and what additional protocols
and solutions need to be implemented to prevent it from happening in
the future. There could also be huge costs involved in reimbursing
customers who have been affected by the breach in turn.

Priceless damage
The fallout from data breaches goes far beyond that of financial
penalties and costs. Financial services businesses have reputations to
uphold in order to maintain a loyal customer base. Those that fail to
protect their customers’ sensitive information will have to manage the
negative press and mistrust from existing and potential customers that
could seriously impede the organisation as a whole. Within such a
highly competitive market, it doesn’t take much for customers to take
their money elsewhere – customer service and reputation are everything.

Check, please!
Within the financial services sector, the stakes are high, so an
effective, layered cybersecurity strategy is essential to mitigate
risk and keep sensitive information secure. With this, there are three
critical components that must be considered:

Authentication and encryption: Hackers may try to attack systems
directly or intercept emails via an insecure transport link. Security
protocols are designed to prevent most instances of unauthorised
interception, content modification and email spoofing. Adding a
dedicated email-to-email encryption service to your email security
arsenal increases your protection in this area. Encryption and
authentication, however, do not safeguard you against human errors and
misdeliveries.

Policies and training: Security guidelines and rules regarding the
circulation and storage of sensitive financial information are
essential, as well as clear steps to follow when a security incident
happens. Employees must undergo cybersecurity awareness training when
they join the organisation and then be enrolled in an ongoing
programme with quarterly or monthly short, informative sessions. This
training should also incorporate ongoing, automated phishing
simulations, which demonstrate to users how these incidents appear and
educate them on how to spot and flag them accordingly; the same
simulations also provide key metrics and reports on how users are
improving over time. This regular reinforcement of secure messaging
practice, working in tandem with the simulated phishing attacks,
ensures that everyone is capable of spotting a phishing scam and knows
how to handle sensitive information, because the risks involved are
explained and revisited regularly.

Data loss prevention (DLP): DLP solutions enable the firm to implement
security measures for the detection, control and prevention of risky
email sending behaviours. Fully technical solutions such as machine
learning can only go so far to prevent breaches; it is only the human
element that can truly distinguish between what is safe to send and
what is not. In practice, machine learning will either stop everything
from being sent – becoming more of a nuisance than a support to users
– or it will stop nothing. Rather than disabling time-saving features
such as autocomplete (in the hope of making employees less complacent
when selecting the right recipient), DLP solutions leave users’ working
practices untouched and instead give them a critical second chance to
double-check.

It is this double-check that can be the critical factor in an
organisation’s cybersecurity efforts. Users can be prompted based on
several configurable parameters. For example, when colleagues in
different departments exchange confidential documents with each other
and with external suppliers, the TO and CC fields are likely to hold
multiple recipients. A single mistyped email address, or a cleverly
disguised spoofed address cropping up amid the back-and-forth, is
likely to be missed without a tool in place to highlight it to the
user and give them a chance to double-check the accuracy of the
recipients and the contents of attachments.
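The kind of pre-send double-check the paragraph describes, sketched as an added example (not code from the article or from any DLP product): the trusted domains, the sensitive-filename hints and the addresses are constructed here, and a real deployment would load the policy from configuration.

```python
# Constructed organisation and partner domains; a real deployment loads these from policy.
INTERNAL_DOMAIN = "examplebank.test"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "auditpartner.test"}
# Constructed filename fragments that suggest sensitive financial content.
SENSITIVE_HINTS = ("statement", "payroll", "transaction", "ledger")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outbound(recipients: list[str], attachments: list[str]) -> list[str]:
    """Return the warnings a DLP prompt would show before the message leaves.

    An empty list means no prompt. The sender still decides; the tool only
    provides the second chance to double-check that the article describes.
    """
    warnings, known, external = [], [], []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom in TRUSTED_DOMAINS:
            known.append(rcpt)
            continue
        external.append(rcpt)
        # A domain one edit away from one we trust (dropped, swapped or extra
        # letter) is more likely a typo or a spoof than a genuine new partner.
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(dom, trusted) == 1:
                warnings.append(f"{rcpt}: domain '{dom}' resembles trusted '{trusted}'")
    if known and external:
        warnings.append(f"message mixes {len(known)} trusted and {len(external)} "
                        "untrusted recipient(s); confirm each external address")
    if external:
        for name in attachments:
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                warnings.append(f"attachment '{name}' looks sensitive and is addressed "
                                "to an untrusted external recipient")
    return warnings
```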

Conclusion
Email remains a risky, yet essential tool for every business. But with
a layered security strategy in place consisting of training,
authentication tools and DLP solutions, organisations can minimise the
risks involved and take a proactive approach to their cyber defences.

Given the nature of the industry, financial services organisations are
a prime target for cybercriminals. The temptation of personal
information and financial transactions for hackers is never going to
dwindle, so financial institutions must prioritise cybersecurity,
regularly assessing risks, deploying innovative, human-led solutions
and educating workforces to provide the best defence possible.
