Why you need to be a good data custodian

As mathematician Clive Humby famously said, “Data is the new oil”. Across all areas of UK business, advancements in technology are creating opportunities for cyber-criminals, and one of the most rewarding targets seems to be the financial services sector.

Firms have certain ethical responsibilities to protect their customers’ data. Regardless of their current position, businesses need to win the trust of their customers by being better data custodians. This can be achieved by taking steps to improve and raise awareness of the importance of cyber-security, and by using technology to transact with customers in a secure environment.

Whilst bank robberies are old news, cyber-crime is a growing risk for banks, building societies and other financial services firms. In 2018, the number of data breaches reported to the Financial Conduct Authority (FCA) by financial services firms increased by 480% in comparison to the previous year. This might be partially explained by the introduction of GDPR legislation last May, which encourages organisations to be proactive in identifying and reporting cyber-attacks. However, it also stresses that cyber-crime is a real threat and businesses need to urgently address it.

The prevalence of cloud computing and mobile devices has grown in recent years, opening new opportunities for cyber-criminals who are looking to intercept and exploit confidential information. This is likely to increase as emerging technologies such as crypto-currencies continue to develop. However, technological innovations can also provide financial services firms with the necessary tools to fight against cyber-crime.

Key pitfall you don't want to be caught up in

A common mistake made by organisations when handling personal data is failing to do basic transactions with clients in a secure environment. Many large companies, including some high street lenders, surprisingly still use unsecured email to communicate sensitive information, such as National Insurance numbers and bank account details, with their customers. In cybersecurity terms, this is like displaying the information on a billboard for anyone to see.

A secure alternative

Client portals can offer an effective solution to this problem, providing a single and secure digital environment to communicate with customers and share sensitive information. By encrypting data and using other forms of online security such as certification, these systems can protect data that is ‘in transit’ (in the process of being sent) and data ‘at rest’ (which has arrived and is being stored on a disk), giving customers a single access point for communicating with advisors and other services.

Everyone needs to be hands on

However, firms must not view data security as only an IT issue. To become truly effective in protecting customers’ data, businesses must take steps to develop their employees’ awareness of cyber-security to strengthen the entire workforce. A key part of this focus should be on educating staff about what constitutes personally identifiable information (PII) and encouraging employees to put themselves in the shoes of cyber-criminals, so that they understand how easy it is to undermine data security. A good way to think about this is to consider what information a cyber-criminal would deem most valuable, and what type of information most people would be comfortable writing on a postcard. It could also be useful to think about different data combinations, which could present a risk if they fall into the wrong hands. For example, displaying details such as a person’s date of birth alongside their children’s names or favourite football team on a company’s website or social media feeds could make it easier for a cybercriminal to access their personal data through a targeted attack (called spear phishing).

A thorough understanding and up-to-date knowledge of GDPR legislation, as well as clarity about each employee’s responsibilities as a data handler, are key to combatting cybercrime. It is also important that a comprehensive training programme for all levels of staff is put in place, with more in-depth content for those that deal with sensitive employee and client data. Finally, enforcing policies around data-handling best practice and establishing effective control systems are necessary to ensure staff are complying and that potential data breaches can be identified at an early stage.

Data security is high on the agenda for most financial services firms, and many have an existing cybersecurity strategy in place. However, it’s important for organisations to remember that more can always be done. By treating the battle against cyber-crime as ongoing, and constantly looking for ways to strengthen processes against potential attacks, firms can foster long-term, trusting client relationships and protect their reputations.