Most of the time, when we think of financial data, we think about banks, credit unions, and other financial institutions. However, any business that retains customer information such as purchase history, credit card details, and payment history is dealing with financial data.
Companies often find it daunting to secure financial data. But this is an unavoidable job, and one that is imperative to avoid the costs and reputation damage that result from a data breach.
Importance of Securing Financial Data
Did you know that in any given year, there are at least 130 large-scale hacking attacks that happen in the United States? And it’s not just small and medium businesses. In fact, over the years, we have seen a lot of multinational corporations that are getting victimized. For instance, in 2016, Uber disclosed that personally identifiable information and financial data were stolen by hackers.
What’s more, these attacks are costly to detect and fight. In 2017, companies had to spend an average of $11.7 million to combat hackers. But beyond the costs of recovering from a data breach, it’s your reputation that takes a bigger hit.
Imagine if a breach on your systems was successful and the hackers were able to steal your customers’ credit card details. These customers may end up with fraudulent charges on their credit cards, which can result in a financial crisis for some consumers – which could have been avoided with better data security. It is understandable if those consumers get mad and decide to give their business to your competitor.
Best Practices for Companies That Handle Financial Data
Fortunately, there are best practices to help you when it comes to securing financial data and other sensitive information. While following every guideline and best practice perfectly doesn’t guarantee that your company is immune to sophisticated attacks, it certainly makes it far less likely – and, when you follow regulatory requirements, you’ll avoid costly fines and penalties for non-compliance should an attack occur.
1) Make the Payment Card Industry Data Security Standards 2.0 your cheat sheet.
There are a lot of things that the Payment Card Industry Data Security Standards 2.0 can teach you when it comes to securing financial data. PCI DSS 2.0 is a set of requirements that every business should have if they process credit and debit cards for payments.
The PCI DDS requires businesses to:
- Have a firewall that would protect cardholder information.
- Change vendor-supplied defaults when it comes to passwords and configurations.
- Protect whatever cardholder data is stored in the system.
- Encrypt data when moving across public and open networks.
- Use anti-virus software and other similar programs.
- Create, design, and maintain secure applications and systems.
- Restrict all access to cardholder data, making sure that only those who need to know will be able to see the information.
- Give everybody who can access cardholder information with a unique ID.
- Regularly monitor and track all access to cardholder data and your network.
- Test your security systems, protocols, and processes regularly.
- Create and implement a security policy that covers all cardholder data and include everyone who is tasked to work with the information.
These restrictions should not be limited to the online space. You should also restrict physical access to financial data.
2) Step back and take charge of cybersecurity in general.
Aside from PCI DSS, there are also other standards that you should take note of and learn from. PCI DSS is focused on securing cardholder data. In order to quickly implement it, you must have strong cybersecurity policies and processes in place.
Fortunately, there are several frameworks that you can follow to develop comprehensive plans and sound policies. For instance, you have the National Institute of Standards and Technology’s Cybersecurity Framework, guidelines which will help you secure your system and data that you store in it.
The NIST CSF categorizes everything into five functions.
This function forces you to know what your cybersecurity risks are depending on your resources, data, assets, and capabilities. It involves asset management, business environment, governance, risk assessment, and risk management.
You cannot protect something that you do not know you have, or something that you don’t think is worth protecting. This step will give you an overview of what you have, what risks you are facing, and how you can protect your resources.
This function involves developing and implementing safeguards that will ensure that critical infrastructure are preserved and that you can access these any time you want.
This includes processes such as access control, awareness and training, data security, information protection, maintenance, and protective technologies and solutions.
This function involves the identification of cybersecurity events as they happen. Your system should be able to detect anomalies and events. You should also be able to monitor your assets and resources continuously. Furthermore, you should test and maintain your detection procedures to ensure that you know when your system is under attack before it becomes an even bigger problem.
This function answers the question of what you need to do in the event that you have a cybersecurity attack. It includes response planning and communication, analysis, mitigation, and improvement.
In this step, you will need to come up with a plan on how to address or fight attacks, and let all stakeholders know about the plan. In the event of an actual cybersecurity attack, you should be able to contain the threat as soon as possible and mitigate its effects.
Your work doesn’t stop there. You should also incorporate whatever you’ve learned from mitigating attacks to make sure that it does not happen again, or to see if there are better, more effective ways to handle it.
After your experience from an attack, it is important that you have a plan detailing how your systems can recover from the cybersecurity event.
A matter of compliance
Aside from these standards, there are also other laws and regulations that you should know and comply with. These are:
- Critical infrastructure protection
- ISO/IEC 27001
- Control Objectives for Information and Related Technologies
- NIST Special Publication 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations.”
- Cyber Risk Quantification
- General Data Protection Regulation
3) Be mindful of how you dispose of your electronic records.
An interesting offshoot of the financial scandals and corporate misdeeds during the late 1990s and the early 2000s is the passage of the Sarbanes-Oxley Act. Otherwise known as SOX, the act laid down how long business records, including financial data, should be stored by an entity. Ultimately, SOX dictated how and when you can delete records.
Of course, SOX compliance requires businesses to keep accurate financial data, as well as protect it against loss. Best practices for SOX compliance include the use of data classification tools that are context-aware.
It’s not enough to just implement policies for securing financial data; you should also conduct an audit of your systems. A security audit is a good way to know if there are loopholes in your policy or weak links in your security framework.
Some industries, such as banking and financial institutions, are required by law to have annual audits in order to comply with the Gramm-Leach-Bliley Act. Even if your business is not required to do so, it is best practice to insist on a yearly audit conducted by auditors with real security experience.
With a security audit, you’re getting a set of fresh eyes to examine your system, policies, and software. They might discover security vulnerabilities on your network, and they might even do some penetration testing and white-hat hacking. This will let you know if there are vulnerabilities that you missed.
The second most valuable part of an annual audit is the report. If you got a good auditor, the report will tell you a lot of things that you may have overlooked, such as:
- Possible sources of threats, which internal users and outsiders are most likely to cause you problems.
- Security vulnerabilities and how likely these are going to be exploited.
- The impact and scale of exposure. In the event that these holes are breached, how is it going to impact your organization and operations?
- Potential liabilities with the law.
- Service interruption risks.
The report should also include recommended courses of action and suggestions on how to fix security holes.
5) Guard against phishing and other forms of social engineering.
Most of the time, hackers and cybercriminals go low-tech. They can trick an employee into giving up their password, allowing criminals to access your system without you knowing. Phishing is very common, and hackers have been getting more and more creative.
Every day, new forms of phishing and ransomware attacks are being reported. Most of the time, antimalware and antivirus software are not going to help that much. Since the hackers are able to get into your system using legitimate login credentials, they can easily go through every file in your system without you noticing they are there.
There are a lot of suggestions on how to stop phishing attacks. However, the most effective step is to educate your employees about phishing and social engineering, how to spot such an attack, and what to do in case they fall victim to it.
Other Best Practices to Consider
On top of the regulatory requirements and best practices discussed above, there are also some other things to keep in mind.
- Protect financial data. If you are going to store financial information, then it is always best to encrypt your data.
- Yes, you’re still liable. If you are using a third-party service or database to store financial data, you still need to work on data security. You do not get to blame the third party company if the financial data is breached.
- Install the best anti-malware and anti-virus programs that you can find. It might not do a lot when it comes to phishing and social engineering, but for everything else, these programs are very valuable in helping you detect and stop an attack.
Today, banking and financial services institutions are far from the only companies that handle financial data. As more companies spanning more industries handle sensitive financial data than ever before, it’s imperative for all companies to get up to speed on data security and implement best practices to protect not only their consumers, but also their brand reputation.