Cyberthreats have been a major issue in the financial services sector due to Covid-19
By Simeon Tassev
The Covid factor has greatly accelerated the digitalisation of the financial services sector as well as the threat landscape. There has been a dramatic increase in cybercrime activity this year, for a number of reasons. While the nature of the threat is nothing new, the volume of attacks and the number of vulnerabilities have both increased. This places financial institutions at risk of data breaches and non-compliance fines, both of which can be detrimental. With remote workforces set to become the ‘new normal’ for the foreseeable future, it is imperative to ensure the right controls are in place to prevent data breaches. Data management policies are a critical element, both for preventing data loss events and for ensuring compliance with local and international data privacy legislation.
Why the increase in cybercrime?
Physical crime became harder to perpetrate as a result of lockdowns, which is one element driving criminals online. In addition, as the Work from Home (WFH) scenario arose, security vulnerabilities became increasingly apparent. This has particularly been a challenge in financial services, which have typically followed a very traditional, office-bound working model up to now.
In a typical past scenario, only a small percentage of staff required remote access, but now 100% of employees need this, and somewhere between 50 and 80% of staff will become permanent remote workers. To ensure data protection, the remote workforce needs to be subject to the same controls as if they were in the office, which becomes challenging when employees may not necessarily be using company-owned infrastructure to connect. The focus therefore needs to shift from securing the perimeter, which is now undefined, to protecting the endpoints themselves and to the other elements of security.
Control is key
The Virtual Private Network (VPN) is the mainstay of securing remote connections. While this remains important, it is not the entire picture. Access control becomes critical in a remote working scenario – you cannot simply permit all employees blanket access to the entire network. Access needs to be relevant, based on the role and tasks of the employees, and controls need to be enforced on a far more granular level.
These controls are not new, but they now have to be enforced more strictly, with the principle of ‘need to know’ being applied effectively. This is impossible to enforce if financial institutions do not understand their data. In order to ensure appropriate access to the right data, data needs to be effectively classified – which requires data management to be in place.
Data management is the missing link for security and compliance
The biggest challenge is that many businesses do not know what data they have, where it is or what it means to the business. This in turn makes it impossible to effectively control access on a meaningful level. Data management is thus essential, not only for security purposes, but also for compliance.
The Protection of Personal Information Act (PoPIA) and the General Data Protection Regulation (GDPR) both require that businesses understand their data and can access and remove it on request. This is impossible without data management in place, as well as processes to enable businesses to show they know where specific data is located. The WFH scenario complicates matters, as people are prone to saving files on desktops and in shared folders and creating multiple copies of documents. Having policies in place and then enforcing them is critical.
All about the process
There are financial penalties associated with non-compliance with PoPIA, and with GDPR, which are severe for South African businesses given the exchange rate. However, the reputational damage of a data breach can have even more devastating consequences that may be more far-reaching than a monetary fine.
It is imperative to focus on formally defining and documenting processes in such a way that if there are any gaps, they can be identified. It is also important to introduce additional checks and controls, as well as operational reviews, to ensure people have the right access at the appropriate level to enable them to do their job without compromising data security.
While there are tools available to assist, it all comes down to having the right processes in place around data management and security. Tools will simply augment this and provide checks to ensure adherence. The benefit, aside from facilitating compliance, is that data management also reduces all aspects of cyber risk. Managing risk is critical to surviving in the ‘new normal’, and data management and the right processes are at the heart of this.
Simeon Tassev is the Managing Director and QSA at Galix