Financial services firms accounted for only 6% of the total data breaches in 2019. Yet, 60% of records leaked that year came from financial services breaches. This illustrates both the risk and the responsibility faced by financial services firms. Are they doing enough to keep customers’ data secure?
Personal data is the new gold. And cybercriminals spend an enormous amount of time and effort to steal this valuable resource.
For financial services firms, the risk does not lie only in their own systems. Their partners and downstream providers, such as printing companies and couriers, also process their customers’ data.
In February, a printing company exposed the personal data of 1.7 million Nedbank customers. The breach exposed names, ID numbers, and physical and email addresses. No account details were stolen, and the criminals did not gain access to any of Nedbank’s systems through the incident, the bank said in a statement.
The lesson here is that organizations need to interrogate the level of security in place in their partners’ systems. They need to ensure their customers’ data remains secure, wherever it sits in the value chain.
If need be, request a security audit. Having a contract that places responsibility on your supplier will mean nothing when your customers blame you for allowing their data to be stolen.
Do your customers know how to protect their own data?
Beyond third-party providers, the biggest threat to customers’ personal data is the customers themselves. Companies cannot assume that a customer’s device is secure, or even that the customer knows how to protect their own data.
The UK’s National Cyber Security Centre, in a study released last April, analysed passwords from breached accounts worldwide. The study found that ‘123456’ appeared in 23.2m breached accounts, followed by ‘123456789’ (7.7m) and ‘qwerty’ (3.8m). This tells organizations everything they need to know about how well informed consumers are about cybersecurity.
Companies sending personal information to customers need to provide proper security for mobile apps (including two-factor authentication), encrypt documents that are emailed, and protect information that is available online.
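Weak passwords of the kind the NCSC study describes can be rejected at sign-up or password change, before they ever guard a customer’s data. The Python below is an added example, not Striata’s code or anything from the original article. Its local denylist holds only the three passwords quoted above (a real deployment loads a full breach-derived list), the user identifier check and trailing-padding stripping are assumptions about what a sensible policy does, and `fake_range_lookup` is a constructed offline stand-in for the Have I Been Pwned Pwned Passwords range API, which receives only the first five hex characters of the SHA-1 hash and returns candidate suffixes with breach counts, so the password itself never leaves the client.

```python
"""Reject passwords known from breach corpora before they reach production.

Added example, not Striata's code. Denylist and range data are constructed
inline from the three passwords named in the NCSC study quoted above.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8

# Constructed denylist: the top three passwords in the NCSC breach analysis.
COMMON_BREACHED_PASSWORDS = {"123456", "123456789", "qwerty"}

# Characters users typically append to a known-weak base to satisfy a policy.
TRAILING_PADDING = "0123456789!@#$%^&*.?"


def normalize(password: str) -> str:
    """Case-fold and Unicode-normalize so 'Qwerty' matches 'qwerty'."""
    return unicodedata.normalize("NFKC", password).strip().casefold()


def local_problems(password: str, user_identifiers=()) -> list:
    """Policy checks that need no network: length, denylist, identifier reuse."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    base = normalize(password)
    if (base in COMMON_BREACHED_PASSWORDS
            or base.rstrip(TRAILING_PADDING) in COMMON_BREACHED_PASSWORDS):
        problems.append("breached_password")
    for ident in user_identifiers:
        ident_n = normalize(ident)
        if len(ident_n) >= 3 and ident_n in base:
            problems.append("contains_user_identifier")
            break
    return problems


def sha1_prefix_suffix(password: str):
    """Split the SHA-1 hex digest as the Pwned Passwords range API expects:
    the 5-character prefix is sent, the 35-character suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffix_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the count
    recorded for our suffix, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, user_identifiers=(), range_lookup=None) -> list:
    """Combine local policy with an optional range lookup callable
    (prefix -> response text). Returns failure reasons; empty list means OK."""
    problems = local_problems(password, user_identifiers)
    if range_lookup is not None:
        prefix, suffix = sha1_prefix_suffix(password)
        if (suffix_in_range(suffix, range_lookup(prefix)) > 0
                and "breached_password" not in problems):
            problems.append("breached_password")
    return problems


# Constructed offline stand-in for the range endpoint: one response holding
# the genuine suffix for '123456' (count is illustrative) plus two filler rows.
_PREFIX, _SUFFIX = sha1_prefix_suffix("123456")
FAKE_RANGE_RESPONSES = {
    _PREFIX: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        f"{_SUFFIX}:23597311\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
    )
}


def fake_range_lookup(prefix: str) -> str:
    """Assumed replacement for the HTTPS call; returns '' for unknown prefixes."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["123456", "Qwerty123!", "jane.doe2024", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, ["jane.doe"], fake_range_lookup) or "ok")
```

The local checks run first so that a password already on the denylist never triggers a network round trip; the prefix query is the only part that ever leaves the client, and even that reveals nothing more than a 20-bit hash prefix shared by hundreds of other passwords.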
Ongoing consumer education is key
A key factor – as the UK NCSC study shows – is ongoing consumer education. Use your regular customer communications to send personalized, relevant information to help your customers help you to keep their data secure.
For example – a customer gets a new phone and downloads your mobile app. This gives you an opportunity to send them an email congratulating them on their new purchase and provide hints and tips on how to get the best out of their device. Things like:
- Set your phone screen to auto-lock
- Set a secure PIN
- Install antivirus software
- Encrypt your device
- Use two-factor authentication on all apps and portals that will let you do so
- Activate biometrics
Likewise, educate your customers on what you will and will not ask them to do. Assure them that you will never ask them to share their password or PIN, not in an email and not over the phone.
Explain to them that keeping their password safe doesn’t only mean not sharing it with someone else. It also means not writing it down, not saying it aloud, and not entering it on a shared computer or over an untrusted public WiFi connection.
Give specific examples that are relevant to their lives, so that they can link the advice to the risky behavior. For example, don’t just say: ‘beware of phishing emails’. Rather, outline that an email asking them to urgently reset their account otherwise it will be closed, is not legitimate because you will never ask them to do that.
Organizations need to consider if they are doing enough to ensure the customer data they share is adequately secured – even on their customers’ devices.
Cybercrime is not a problem with a single solution. It’s an ongoing threat that needs to be mitigated using tactics and strategies that evolve as the threat landscape does.