A rash of data protection regulations – including the California Consumer Privacy Act (CCPA), whose enforcement was set to begin July 1 – is throwing a harsh spotlight on financial institutions’ need to increase their data privacy and security preparedness.
Financial services was already one of the most highly regulated industries, bound by an array of laws and rules such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and the European Union's General Data Protection Regulation (GDPR). With CCPA and similar initiatives in Wisconsin, Nevada, and other states, the list of data transparency and accountability mandates keeps growing.
For the same reason that banks face heavy regulatory responsibility – the enormous amounts of sensitive data they collect, process, and store — they are one of the highest-value targets for cybercriminals. Safeguarding data becomes all the more burdensome as financial services firms increasingly shift to digital channels, expanding the attack surface for hackers trying to gain unauthorized access to information.
In an effort to protect confidential data, nearly every financial institution has applied traditional IT security solutions such as perimeter security, data loss prevention, intrusion prevention/detection, and endpoint protection. However, the combination of today’s more complex financial services IT environment and the rising tide of data protection and privacy regulation demands that banks do a much better job protecting all paths to data.
How? Here’s a five-pronged approach that can help financial services firms ensure that their data protection and privacy is in order and avoid the financial losses, erosion of customer trust, reputational damage, legal fees, and fines that come with breaches or violations.
Know where sensitive data resides
It seems obvious: you can't protect data if you don't know where it lives. Yet as data volumes have exploded, banks have not kept pace in tracking where their data is stored and where it flows.
As financial institutions embrace cloud architectures, Big Data platforms, Software as a Service, and other technologies underpinning their digital efforts, sensitive data now often resides outside the secure perimeter in many different relational and non-relational databases, instances, and versions. As digital initiatives sprout across organizations, databases are constantly created and then set aside, say a marketing database for a one-month promotional program. The first step in protecting sensitive data must be a rigorous effort to discover all the data a bank has, wherever it is.
Know who is accessing data
It's surprising and, frankly, ridiculous that businesses as highly regulated as banks still often fall short in knowing who accesses their data. As data volumes explode, and as cybersecurity and regulatory requirements force more stringent accounting of who accessed what data and when, it is critical that financial services firms proactively monitor all users, human accounts and application accounts alike, so they can tell legitimate access behavior from improper access behavior.
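To make that monitoring concrete, here is an added example (written for this page, not code from the original article or from any vendor's product) that builds a per-user baseline from database audit records and flags departures from it: a table the account has never touched, a result-set size far above that account's own norm, or access outside both the account's usual hours and business hours. The audit-record format, the account and table names, the business-hours window, and the 10x volume factor are all assumptions made for the example; the records themselves are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed audit records (assumption: a minimal "who, what, when, how much" trail such
# as a database activity-monitoring tool would emit; the format is made up for this example).
BASELINE_LOG = """\
2020-06-01T09:15:02 user=app_mobile table=accounts rows=1
2020-06-01T09:16:10 user=app_mobile table=accounts rows=1
2020-06-01T10:02:44 user=app_mobile table=transactions rows=25
2020-06-01T11:30:00 user=dba_jane table=accounts rows=3
2020-06-02T09:01:12 user=app_mobile table=accounts rows=1
2020-06-02T14:20:31 user=dba_jane table=schema_migrations rows=12
2020-06-02T15:05:09 user=app_mobile table=transactions rows=30
"""
NEW_LOG = """\
2020-06-03T09:05:00 user=app_mobile table=accounts rows=1
2020-06-03T02:47:13 user=dba_jane table=accounts rows=250000
2020-06-03T10:12:55 user=app_mobile table=customer_pii rows=40
2020-06-03T11:00:00 user=dba_jane table=schema_migrations rows=10
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$")


def parse(log):
    """Turn the text log into dicts; malformed lines are skipped rather than crashing the job."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["rows"] = int(r["rows"])
        r["hour"] = int(r["ts"][11:13])  # ISO-8601 timestamp: hour is at offset 11
        records.append(r)
    return records


def build_baseline(records):
    """Per user: the tables touched, the hours seen, and rows returned per table."""
    tables = defaultdict(set)
    hours = defaultdict(set)
    rows = defaultdict(lambda: defaultdict(list))
    for r in records:
        tables[r["user"]].add(r["table"])
        hours[r["user"]].add(r["hour"])
        rows[r["user"]][r["table"]].append(r["rows"])
    return {"tables": tables, "hours": hours, "rows": rows}


def score(record, baseline, volume_factor=10):
    """Return the reasons a record departs from the user's own history (empty = normal)."""
    user, table = record["user"], record["table"]
    if user not in baseline["tables"]:
        return ["unknown user"]
    reasons = []
    if table not in baseline["tables"][user]:
        reasons.append(f"first access to {table}")
    else:
        typical = median(baseline["rows"][user][table])
        if record["rows"] > volume_factor * typical:
            reasons.append(f"rows={record['rows']} vs typical {typical:g}")
    # Assumption: 08:00-18:00 is the business-hours window.
    if record["hour"] not in baseline["hours"][user] and not (8 <= record["hour"] <= 18):
        reasons.append(f"off-hours access at {record['hour']:02d}:00")
    return reasons


def find_anomalies(baseline_log, new_log):
    """Score every new record against the baseline and keep only those with findings."""
    baseline = build_baseline(parse(baseline_log))
    findings = []
    for r in parse(new_log):
        reasons = score(r, baseline)
        if reasons:
            findings.append((r["ts"], r["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(ts, user, "; ".join(reasons))
```

On the constructed input the administrator's 02:47 read of 250,000 account rows is flagged twice (volume and hour), and the mobile application's first-ever read of a customer PII table is flagged once, while the routine records pass silently. The point of keying the baseline to each account's own history is that an application reading 30 transaction rows is normal for it but would be unusual for a migration account; a single global threshold would miss one case or drown the other in noise.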
Broaden the scope across the entire range of data stores
Banks have often focused their data privacy controls on direct database users (such as the administrators who run the databases), but this reflects an antiquated, on-premises notion of how data travels. Mobile and online banking applications, for example, routinely account for the overwhelming majority of data traffic, and of the exposure that comes with it. Last year, half of all data breaches happened through APIs. Banks must stop cherry-picking the users they monitor and cover the entire landscape.
Mask data in non-production environments
As much as 60 percent of an enterprise's databases exist for testing and developing new applications, yet most of them are loaded with copies of actual production data. Sometimes that data is encrypted or otherwise obfuscated; most of the time it is not, leaving it ripe for the picking by cybercriminals.
Data masking should be standard procedure for banks. Rather than handing production data to test and development teams, organizations should employ data masking, which replaces sensitive values with fictional but realistic ones that preserve format and referential integrity, so that the software delivery cycle is not impeded.
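The properties that make masked data usable for testing, realistic format and consistent joins across tables, are easier to see in code. The following is an added example written for this page, not code from the original article or from any masking product. It masks a constructed two-table sample (customers and their card transactions) with a keyed, deterministic function so the same real card number always maps to the same fake one, keeps the first six digits and the length so format checks still pass, and regenerates a valid Luhn check digit. The masking key, the name pool, and the sample rows are all assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production copy (assumption: not real data).
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "card": "4111111111111111"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org", "card": "5500000000000004"},
]
TRANSACTIONS = [
    {"card": "4111111111111111", "amount": 12.50},
    {"card": "5500000000000004", "amount": 99.99},
    {"card": "4111111111111111", "amount": 3.00},
]

# Assumption: a real deployment keeps this key in a secret store and never ships it to
# the non-production environment, otherwise the mapping could be rebuilt from there.
MASK_KEY = b"non-production-masking-key"


def luhn_checksum_digit(partial: str) -> str:
    """Return the check digit that makes partial + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # positions counted from the right, with the check digit at position 0
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_checksum_digit(number[:-1]) == number[-1]


def _prf(value: str, length: int) -> str:
    """Keyed pseudo-random digit string; the same input always yields the same output."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16)).zfill(length)[-length:]


def mask_card(card: str) -> str:
    """Keep the issuer prefix (first 6) and length; replace the rest and recompute the check digit."""
    if not luhn_valid(card):
        raise ValueError("not a card number")
    body = card[:6] + _prf(card, len(card) - 7)
    return body + luhn_checksum_digit(body)


def mask_email(email: str) -> str:
    """Drop the identity but keep a deliverable-looking address on a reserved domain."""
    return f"user{_prf(email, 8)}@example.test"


def mask_name(name: str) -> str:
    # Assumption: a tiny fictional name pool; real tools ship large dictionaries.
    firsts = ["Jordan", "Riley", "Casey", "Morgan"]
    lasts = ["Smith", "Lopez", "Nguyen", "Okafor"]
    h = int(_prf(name, 4))
    return f"{firsts[h % len(firsts)]} {lasts[(h // len(firsts)) % len(lasts)]}"


def mask_dataset(customers, transactions):
    """Mask both tables with the same keyed function so the card join still works."""
    masked_customers = [
        {**row, "name": mask_name(row["name"]), "email": mask_email(row["email"]),
         "card": mask_card(row["card"])}
        for row in customers
    ]
    masked_transactions = [{**row, "card": mask_card(row["card"])} for row in transactions]
    return masked_customers, masked_transactions


def join_count(customers, transactions) -> dict:
    """Transactions per customer id; identical before and after masking if integrity held."""
    by_card = {c["card"]: c["id"] for c in customers}
    counts = {}
    for t in transactions:
        cid = by_card[t["card"]]
        counts[cid] = counts.get(cid, 0) + 1
    return counts


if __name__ == "__main__":
    mc, mt = mask_dataset(CUSTOMERS, TRANSACTIONS)
    for row in mc:
        print(row)
    print(join_count(mc, mt))
```

The keyed HMAC is what keeps this safe to hand to developers: without the key, a masked card number cannot be reversed or even linked to a real one, yet every table masked with the same key still joins. A naive approach, random replacement per row, would break the join and send test suites chasing phantom foreign-key failures, which is usually why teams fall back to raw production copies in the first place.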
Invest in automation
All the work that goes into protecting data and complying with regulations is too big to be done manually. Automation technologies such as machine learning and analytics are necessary. For example, automated discovery and classification is the only sensible way to find and classify new or modified database instances that contain sensitive data, and automated analysis of hundreds of millions of database access records is the only practical way to identify unusual, and often malicious, user or application behavior quickly and accurately.
In the same way that banks have turned to automation technologies for fraud detection, credit scoring, and other applications, they should be relying on them for data compliance and security.
Too many financial institutions have gaps in their ability to answer the basic questions of data security and privacy: Where is my data? Who accesses it? When? How? Why? Even something as benign and simple as the game of Clue recognizes how critical incident details are — Colonel Mustard (who), with the candlestick (what), in the library (where). In an era of increased threats and regulation, why should cybersecurity be any different?