The recent Sony Pictures data breach, in which hackers stole massive amounts of employee and corporate information, may be getting the limelight, but it’s not the only one — or even the latest in a long string of data thefts, hacks and breaches.
Last month, Morgan Stanley experienced its own startling data breach:
“Last summer, a newly minted Morgan Stanley financial adviser named Galen Marsh started to sift through the account records of some 350,000 of the firm’s clients. Virtually none of them were his own.
By December, some of that account information appeared on a text-sharing website, with the offer to trade it for an obscure virtual currency.” –Wall Street Journal
Morgan Stanley is already tightening its internal IT security to prevent individual financial advisors from accessing huge amounts of data, but the breach demonstrates that even large companies with lots of resources can fall victim to obvious gaps in security.
No one likes to think that their systems and networks are vulnerable to attack. But given the potential consequences of an attack — bad PR, lost revenue, crippled systems, angry customers — it’s worth facing the risk head on.
Here are three steps you can take in 2015 to add additional data security protections for your financial services organization.
1. Be aware of today’s threat areas
Every corporation has its own set of threat areas, risks, and gaps in data security. Morgan Stanley's was clearly internal; however, yours may be more in line with that of many banks and other financial organizations today – insecure mobility.
2. Take a hard look at mobile security
For example, one new study by the Associated Chambers of Commerce of India says that the increasing use of mobile devices and apps in financial services is also increasing risk and weakening data security.
“Smartphone users rarely check for security certificates and download apps and other software from third party or unsecured sites, it said.
‘Mobile banking apps store data such as PIN, account number on the phone. So, there is a risk that if the phone is hacked or stolen, then the information is compromised,’ the report said.
Mobile frauds are an area for concern not just for individuals but corporates (sic) as well, with 35-40 per cent of financial transactions done via mobile devices. The percentage of transactions on the platform is expected to go up to 55-60 per cent in 2015, the industry body added.”
This piece from InformationWeek’s Wall Street & Technology lists five requirements that financial services firms must meet to ensure an appropriate level of mobile security:
- Secure network communication
- Secure local data storage
- Protection against malware
- Secure authentication
- Remote disablement
3. Balance customer needs with security
However, locking down your apps so tightly that they’re a pain for customers to use, or giving up on mobility entirely, isn’t the answer.
Finextra says that as banks “strike a balance between integrating customized retail banking services and ensuring the protection of customer data, they should be keeping a few key P’s in mind:” personalization, permissioning, provisioning, and participation.
That means that banks must find a way to balance asking for customers’ personally identifiable information, or PII, against the need to improve security. Those methods might include tightening controls on both data at rest and data in motion, enabling two-factor authentication, and customer education campaigns that, for example, teach customers not to respond to phishing attacks sent via SMS.
Is your firm meeting all five requirements above? Do you have any 2015 resolutions regarding data security, particularly for mobility? Let us know in the comments.