By Andrew Bridges, Data Quality and Governance Manager at REaD Group
Modern technology has transformed the way we process information, allowing us to work more efficiently than ever before. However, as we increasingly turn to digital formats to store our information, hackers are simultaneously devising more sophisticated means of gaining access. As a result, it is crucial that the financial sector works hard to avoid a potentially costly breach. Just this month, the UK retailer Debenhams announced that personal information belonging to 26,000 customers of its Flowers website had been accessed in a security breach. A third party ecommerce company called Ecomnova was targeted as part of the attack, which is likely to result in costly fines and damaged reputations for all involved.
Withstories of major data breaches on high profile corporations continuing to dominate the news agenda, it would be easy to assume that information security is only an issue for big businesses. In reality, the issue is much broader. Although often characterised as the work of large criminal gangs, incidents are more commonly caused by human error. For example, a former Jefferies banker was recently fined almost £40,000 for accidently disclosing confidential client information over mobile messaging service WhatsApp. This is astark reminder that the Financial Conduct Authority (FCA) takes the issue extremely seriously.
Working with large quantities of personal and financial consumer data, the financial sector is often targeted by hackers. It is therefore important to protect against both internal and external risks. A cyber attack is not only damaging for financial corporations, but also costly and stressful for their customers.
ISO certification is one area finance companies should explore; something we are already working towards at REaD Group. It is widely considered to be the ultimate indicator of information security, requiring organisations to complete rigorous audits and risk assessments. Part of the ISO information standard requires implementation of an information security management system (ISMS) to pro-actively manage company information so that it remains secure and ultimately reduce risk. We believe achieving this level of vigilance will both reduce the likelihood of a data breach and provide current and prospective clients with confidence in our ability to protect the information we work with.
So what else can companies do to avoid an embarrassing and potentially costly breach?
It may seem obvious, but companies often overlook the fact that employees cannot protect the information they work with unless they fully understand the risks involved. Educating staff is essential and making training interactive is a key requirement. This is a potentially dry topic, so delivering training in a creative way ensures employees are fully engaged and stand a better chance of retaining information.Practical exercises and interactive discussions are likely to result in the biggest change in behaviour and cultural shift
In today’s security conscious age, it is staggering that the most popular password of 2016 was ‘12345’, highlighting the need to advise employees on how to set secure passwords. I would suggest including a combination of numbers and letters, both upper and lower case. Passwords do not have to be limited to one word and often a short phrase is stronger. In addition,extending the length of passwords lowers the overall risk of a security breach;I would advise at least 20 characters as a required minimum. It is also important to ensure you have implemented a company wide password policy. It goes without saying that remembering a password is important, which means storing it in a safe place. This does not include post-it notes stuck to screens. Anyone who spots this on a colleague’s desk should be encouraged to remove it and in-line with ISO, raise it as an internal incident. This intern allows your information security team to understand where more education and training might be needed across your work force.
This brings me on to implementing a self-reviewing system. Encouraging staff to monitor each other’s behaviour adds a competitive element and is a good way to engage people in the subject. If someone has left their computer unlocked, has confidential information lying around on their desk or has not collected personal documents from the printer, other members of staff should be encouraged to give them a friendly reminder not to do so, and as above, these occurrences should be raised as an incident. A light hearted note is a great way to help staff break old habits and maintain this new office culture, which is often the most difficult step.
Consider adding a clause into your HR policy detailing specific disciplinary matters associated with an information security breach.All fun and games aside, employees should be made well aware just how seriously your business takes matters of data security.
Information security is no longer the sole responsibility of IT and compliance departments, as it previously has been. With employees dealing with ever increasing volumes of information, across multiple formats and devices, individual accountability is now paramount. Facilitating a cultural shift internally is perhaps the most challenging part of achieving this, but you’d be foolish not to make it a priority. After all, the biggest security threat to an organisation comes from within.