Cybercriminals have had a great year. In the first nine months of 2019, just under 5,200 data breaches were disclosed, exposing over 7.9 billion records. For many companies, keeping their own data, and their customers' data, safe is a daily struggle.
It is a struggle that financial institutions (FIs) in particular face: FIs are the target of 25% of all malware attacks, and a breach at an FI is more likely to expose sensitive identity information. Capital One's recent disclosure of a breach affecting roughly 100 million people in the US and a further six million in Canada illustrates the point.
The threat is real, and managing your exposure is critical. Yet while companies might feel confident in their own information security processes and procedures, internal security measures mean little unless their vendors’ security infrastructure is just as strong.
Three Core Tenets
Data breaches occur when one or more of the core tenets of information security (confidentiality, integrity and availability) have not been translated into effective action, which is easier said than done. When considering who to partner with, these tenets should be top of mind.
Guidance is provided by the International Organization for Standardization (ISO), whose 27000 series is a set of best practices that companies can follow to protect data. The best known, ISO/IEC 27001, specifies the requirements for an information security management system (ISMS) that helps defend against external attacks and internal threats. Following these practices embeds information security principles and standards into a company's culture so that they flow from the executive level all the way down.
They also support compliance with a host of laws and regulations, including the General Data Protection Regulation (GDPR), in force since 2018, and the California Consumer Privacy Act (CCPA), in force since January 2020. Certification does not by itself satisfy any of these laws, but the documented controls and evidence an ISMS produces make demonstrating compliance far easier. Other state-level privacy laws are following, so an ISO/IEC 27001-certified ISMS will only become more valuable in the coming years.
Confidential Information Stays Confidential
Unauthorized disclosure is often the result of a misconfigured system rather than a broken one. Even vendors that build on a provider like Amazon Web Services (AWS) remain exposed: under the shared responsibility model, AWS secures the underlying infrastructure (physical hardware, servers and the hypervisor), while the customer is responsible for what runs on it, including identity and access management, network rules and storage permissions. A publicly readable storage bucket is a customer misconfiguration, not a provider failure. AWS provides a strong foundation, but companies still need to design, build and maintain their cloud-based offering securely.
Access control is key. Only those who need access should have it, and a standard process should determine who needs access to which systems, ideally derived from a person's role rather than granted case by case. Removal should be swift when someone leaves or changes role, backed by a periodic access review that can detect access nobody needs any more. When employees sign in, especially remotely, a VPN and multi-factor authentication add further layers of protection.
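The periodic access review described above can be automated against an export of accounts and their entitlements. The following is an added example, not ComplyAdvantage's code or any real system's export: it compares each account against a hypothetical role baseline (the "who needs what" matrix), flags entitlements outside that baseline, accounts without MFA, and accounts idle longer than a threshold. The account records, roles and system names are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one row of a constructed access-review export.
type Account struct {
	User         string
	Role         string
	Entitlements []string  // systems the account can currently reach
	MFAEnabled   bool
	LastLogin    time.Time // zero value means the account has never logged in
}

// Finding is one access-review result for an account.
type Finding struct {
	User   string
	Reason string
}

// roleBaseline is the hypothetical "who needs what" matrix: a role maps to the
// only systems an account holding that role is allowed to reach.
var roleBaseline = map[string]map[string]bool{
	"analyst":  {"case-mgmt": true, "reporting": true},
	"engineer": {"ci": true, "prod-db": true, "reporting": true},
	"finance":  {"billing": true, "reporting": true},
}

// ReviewAccess returns the findings an access review should raise: entitlements
// outside the role baseline, accounts without MFA, and accounts idle for longer
// than maxIdle as of now. Findings are sorted so the output is deterministic.
func ReviewAccess(accounts []Account, now time.Time, maxIdle time.Duration) []Finding {
	var out []Finding
	for _, a := range accounts {
		allowed, known := roleBaseline[a.Role]
		if !known {
			out = append(out, Finding{a.User, "role " + a.Role + " has no baseline; review manually"})
		}
		for _, e := range a.Entitlements {
			if known && !allowed[e] {
				out = append(out, Finding{a.User, "entitlement " + e + " not in baseline for role " + a.Role})
			}
		}
		if !a.MFAEnabled {
			out = append(out, Finding{a.User, "MFA not enrolled"})
		}
		if a.LastLogin.IsZero() {
			out = append(out, Finding{a.User, "never logged in"})
		} else if idle := now.Sub(a.LastLogin); idle > maxIdle {
			out = append(out, Finding{a.User, fmt.Sprintf("idle for %d days", int(idle.Hours()/24))})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

// SampleAccounts is constructed data, not an export from any real directory.
func SampleAccounts(now time.Time) []Account {
	day := 24 * time.Hour
	return []Account{
		{"alice", "analyst", []string{"case-mgmt", "reporting"}, true, now.Add(-2 * day)},
		{"bob", "analyst", []string{"case-mgmt", "prod-db"}, true, now.Add(-10 * day)}, // privilege creep
		{"carol", "engineer", []string{"ci", "prod-db"}, false, now.Add(-1 * day)},    // no MFA
		{"dave", "finance", []string{"billing"}, true, now.Add(-120 * day)},           // left or moved on
		{"erin", "contractor", []string{"reporting"}, true, time.Time{}},              // unknown role, never used
	}
}

func main() {
	now := time.Date(2021, 11, 18, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccess(SampleAccounts(now), now, 90*24*time.Hour) {
		fmt.Printf("%-6s %s\n", f.User, f.Reason)
	}
}
```

Running it lists bob's out-of-role database access, carol's missing MFA, dave's 120 idle days and erin's unknown role and unused account, while alice produces no finding. Each finding is a removal or review ticket; the role baseline is the artifact the "standard process" in the text has to maintain.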
Data Integrity Is Protected
Companies must ensure that their data, whether at rest or in transit, cannot be read or altered by anyone unauthorized. AES-256, which the US National Security Agency approves for protecting classified information up to TOP SECRET, is the accepted standard for encryption at rest, and TLS for data in transit. Encryption alone only provides confidentiality, however: ciphertext produced by an unauthenticated mode can be modified without the key, so integrity requires an authenticated mode such as AES-GCM or a separate message authentication code. Ciphers and protocols are also retired as weaknesses are found (DES, RC4 and SSL 3.0 are no longer acceptable), so it is important to track current standards and deprecations rather than assume a once-approved choice stays safe.
Vulnerability scanning and penetration tests find weaknesses proactively, while regular patching closes the holes already known to attackers. Criminal methods are constantly evolving, and attackers and defenders are locked in a never-ending game of cat and mouse in which defenders rarely keep the upper hand for long. Information security teams must therefore be proactive and think like an attacker to stay a step ahead. There is no room for complacency.
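The distinction between confidentiality and integrity above is easy to see in code. The following is an added example, not code from ComplyAdvantage: it encrypts a constructed payment record with AES-256 twice, once in unauthenticated CTR mode and once in AES-GCM, then plays an attacker who knows the record layout and flips the amount field in the ciphertext without the key. The CTR decryptor happily returns the altered amount; GCM rejects the message. The key and record are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptCTR is unauthenticated AES-256 in counter mode: confidentiality only.
// Output layout is iv || ciphertext. Shown as the weak choice, not as advice.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func decryptCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(pt, data[aes.BlockSize:])
	return pt, nil // no integrity check: whatever the keystream yields is accepted
}

const gcmNonceSize = 12 // standard nonce size used by cipher.NewGCM

// encryptGCM is AES-256-GCM, an authenticated mode: confidentiality and integrity.
// Output layout is nonce || ciphertext || tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func decryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // returns an error if any bit was changed
}

// flipField models an attacker who knows where the amount sits in the record:
// XOR the ciphertext at that offset with (from XOR to). Against a stream cipher
// this rewrites the plaintext without the key. hdr is the length of the nonce/iv
// prefix. Returns a tampered copy and leaves the input untouched.
func flipField(data []byte, hdr, offset int, from, to string) []byte {
	t := append([]byte(nil), data...)
	for i := 0; i < len(from); i++ {
		t[hdr+offset+i] ^= from[i] ^ to[i]
	}
	return t
}

// Demo runs the tamper attempt against both modes. ctrResult is what the CTR
// decryptor accepted; gcmRejected reports whether GCM refused the tampered data.
func Demo() (ctrResult string, gcmRejected bool, err error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key; never use a fixed key for real
	record := []byte("payee=acme;amount=0100.00;cur=USD")
	off := bytes.Index(record, []byte("0100.00"))

	ctr, err := encryptCTR(key, record)
	if err != nil {
		return "", false, err
	}
	pt, err := decryptCTR(key, flipField(ctr, aes.BlockSize, off, "0100.00", "9999.99"))
	if err != nil {
		return "", false, err
	}
	gcm, err := encryptGCM(key, record)
	if err != nil {
		return "", false, err
	}
	_, gerr := decryptGCM(key, flipField(gcm, gcmNonceSize, off, "0100.00", "9999.99"))
	return string(pt), gerr != nil, nil
}

func main() {
	ct, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("CTR accepted:", ct)
	fmt.Println("GCM rejected tampering:", rejected)
}
```

The CTR decryptor returns `payee=acme;amount=9999.99;cur=USD` with no indication anything went wrong, because a stream cipher XORs the keystream over the plaintext and an attacker who knows the layout can XOR in a change of their own. GCM's authentication tag covers the whole ciphertext, so `Open` fails instead. The same reasoning applies in transit: TLS provides the authentication, which is why "encrypted" is not the same as "integrity protected".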
Data Is Available When and Where Needed
Data may be "as important a commodity as oil" in today's economy, but it is only as valuable as the ability to access and use it when needed. Business is no longer confined to office hours; companies need round-the-clock access to their data. A cloud provider like AWS offers service-level commitments for very high uptime, but those commitments cover the provider's services, not a workload deployed into a single location; availability has to be designed in.
Disaster can strike, however. Regular disaster recovery tests and daily backups are crucial to continuous service, and a backup that has never been restored is an untested one. Keeping copies with a second provider, or at least in a separate account and region, ensures that an outage or compromise of the primary environment does not take the backups with it. Data centers distributed worldwide keep business functions running even when one site is knocked offline, whether by a security incident or a natural disaster.
Security-Aware and Forward-Thinking
When choosing a vendor, you need one that proactively works to mitigate your supply chain risk. Investing in the right technology is critical, but security remains a human-driven activity prone to error, so the first line of defense is a security-aware culture.
Scalability is just as critical. While data breaches put information security and privacy in the spotlight, biometric data is increasingly collected and used in customer due diligence and financial crime detection. With an ever-growing store of valuable identity information, financial institutions need security that grows with them and adapts nimbly to a changing landscape as threats are detected and thwarted.
Read more on how ComplyAdvantage approaches security here.
Originally published December 5, 2019, updated November 18, 2021
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).