With millions of customers, banks and other fintechs hold a ton of customer data that they use to make all sorts of decisions. They collect identity cards, utility bills, signatures, and transaction records, which can create useful snapshots of customers when put together.
While collecting this data is important, it creates an obligation. All that data must not fall into the hands of bad actors, an incredibly difficult task.
Because data has become valuable, there is a lot of incentive for people to want to steal it from companies, and financial services providers are often the targets of these bad actors. One report claims that financial services providers fall victim to cybersecurity attacks 300 times more than businesses in other industries.
A Nigeria-specific report by a UK-based cybersecurity company, Sophos, showed that 86% of Nigerian organisations surveyed said they suffered cyberattacks in the last 12 months; the second-highest after India.
In August 2019, Business Day reported that Nigeria’s Yellow Card website had been compromised and was leaking data. One year later, a Twitter handle focused on bank security threats reported that the database of a tier 2 Nigerian commercial bank, was being shared online on hacker forums.
Although the bank denied the incident, there’s still a conversation to be had on how financial institutions can mitigate these data leaks which can be internal, external or a mix of both.
Data classification and encryption
Much like we’ve seen CBN’s draft guideline for Open Banking, classifying data by their risk levels is a practical way to prevent leaks. When data is classified by their sensitivity levels, the greatest protection levels can be provided for the most sensitive data.
It is therefore important to know the data you have because you can’t protect what you don’t know. In January 2020, a Microsoft customer support database holding over 280 million Microsoft customer records was left unprotected on the web.
This sort of data leak happens when organisations are oblivious of the systems that store the data they collect from customers. Knowing they hold together sensitive data, organisations should keep in mind that not all data is of equal value and prevention efforts must be in line with the value of the data.
This is primarily because money, time, technology and other resources used to protect data are not unlimited in supply. Consider what the data is used for in the business, laws and regulations around protection, cost of leakage, etc. Non-IT people should be involved in the whole process, but especially in this stage.
This is where process controls come in. For example, the personal information of the bank’s customers is usually highly confidential, and only certain people can view it. Such sensitive data should always be compartmentalised behind multiple firewalls. It should also be encrypted and have complex access passwords.
This way, organisations can also reduce human error and have a sense of the next steps once there’s a potential threat.
Tighter internal processes
According to Sophos, a good number of cybersecurity breaches result from credentials stolen from employees. Sometimes, data leaks which are “inside jobs” can be very difficult to prevent, though there are some methods related to oversight and authorisation control.
Preventing or mitigating these sorts of risks starts with an examination of how your employees access data. While this may seem ordinary, knowing whether they are accessing data in a secure environment can help to know the possible risk levels.
An employee who can access confidential information from a personal computer outside of the office may inadvertently cause a data breach if the computer is stolen.
Access levels for employees are also an important place to look because every organisation should have a list of which users can access systems that collect customer data. The access level privileges provided to these employees should always be the minimum levels required to carry out their work.
Broadly giving access privileges to people who do not need them can be a source of data leaks. Beyond these processes, it is helpful to have an internal team focused on data safeguarding and security. The team would work alongside Quality Assurance, business and the overall IT team.
Ideally, this team would report to senior management and their job would be to continuously monitor and identify risks so that they can proactively mitigate the threat of data leaks.
Audit third-party vendors
On September 29, 2020, hackers accessed customers’ details from Warner Music’s e-commerce websites hosted and supported by a third party, capturing customer’s names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details such as card numbers, CVC/CVV, and expiration dates.
Many organizations use third-party vendors yet they often gloss over the need to ensure the highest security standards for these vendors. If your security architecture is in top shape and your vendors are not as thorough, you still risk a data leak.
It is important to validate the security program of vendors and to still routinely perform checks to know whether they adhere to the stated program. When you think of the third-party vendor as a patchwork to your company’s data, that sort of conscientiousness will pay off.
Even with a tight internal process, it is necessary to have independent security consultants, commonly called ethical hackers, come in to run unplanned breach attempts. This is essential to know the true state of adherence to your internal processes that employees have.
Instead of basking in a false sense of security, ethical hackers can spotlight risk areas that can be immediately addressed.
These also fit in with the need to carry out regular security audits – a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria- of your organisation’s hardware as well as software.
In the end, all of these recommendations should be distilled into documented and repeatable business processes and activities. While it is impossible to completely prevent data leaks, the key to reducing these incidents is making these processes and practices a part of everyday life.