Are financial services protecting customer data throughout the entire lifecycle?
Consumer trust is a major challenge in today’s digital age, where cyber-crime escalates in volume and increases in sophistication every year. Financial services are a primary target for criminals.
Of total records leaked in 2019, more than 60% were exposed by financial services firms (Securitymagazine.com).
This, coupled with the enforcement of data privacy legislation such as the EU General Data Protection Regulation (GDPR), has seen financial services companies increase their investment in securing personal information while it is in their care.
Organizations in the UK have to adhere to the GDPR if they do business with anyone in the European Economic Area. This means having appropriate technical and organizational measures in order to process personal data securely.
The definition of ‘processing’ includes any and all of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and distribution.
Protecting personal data: Where does an organization’s responsibility end?
Once personal information has been distributed to the customer in whatever form, it could be argued that the company’s responsibility ends there.
However, the GDPR is clear that an organization’s obligations to protect the data privacy of the consumers in its care extend to securing personal information throughout its lifecycle.
Through the concept of ‘data protection by design and by default’, the regulations state that organizations must “integrate or ‘bake in’ data protection into processing activities and business practices – from the design stage, right throughout the lifecycle.”
If the customer’s personal devices are not secured, there is still a risk that one gets hacked or stolen and confidential information provided by the organization finds its way into the public eye, or worse, gets exploited for the purposes of a crime.
It may not be a breach of the company’s information security; however, its reputation may still be tarnished, even if the blame is misdirected.
How criminals target end-users’ devices
While it’s vital that companies do everything possible to secure personal data throughout the entire lifecycle, the reality is that cyber-criminals keep getting smarter.
This results in new and more sophisticated methods of attack. Here are some examples:
1. Mobile phone theft
Millions of smartphones are stolen each year. Despite the massive amount of data that can be accessed from a smartphone, they are often overlooked as devices that need protection.
It’s not only the phone hardware that criminals want for the resale value, it’s also the data on the device that can be harvested and sold multiple times on the black market.
2. Phishing by email
With 4.4 billion email users worldwide, and 124.5 billion business emails sent per day, email is still a lucrative channel for criminals.
Customers are still falling victim to fraudulent email messages that appear to come from banks and other legitimate companies.
These messages are designed to extract personal and financial information (e.g. passwords, usernames, social security numbers, credit card numbers, etc.) that can then be used for fraud.
Another way to attack customers by email is to trick them into opening an attachment or clicking on a link that contains malware.
Malware is a broad term that refers to a variety of malicious programs that, once installed on a victim’s machine, proceed to harvest data, infiltrate available networks or delete files and directories.
According to Kaspersky Labs, 85% of web threats in 2019 were malicious URLs, making the risk of a customer unwittingly clicking on a URL an ever-present threat to data protection.
Encryption and education are key
Encrypting and protecting important customer documents, such as financial statements and insurance policies, is vital. This ensures that even after a customer has received or downloaded a document onto their smartphone or laptop, the information cannot be easily accessed if the device is stolen or hacked.
Educating customers is another powerful way to mitigate risky behavior and help protect personal information.
Customer education on cyber-risks is not a one-off exercise. It requires consistent and regular messaging to explain security threats, reinforce the right behavior and minimize risk.
Education campaigns should inform customers about what they can expect to receive in an email from the organization, as well as what will never be requested by email, such as a PIN, security login details or credit card details.
It is also prudent to involve customers in maintaining a secure data lifecycle by asking them to report emails where your brand is being impersonated. It’s vital to have a clear process for anyone to report a scam to your security team for further investigation.