With the increased proliferation and reliance on public cloud solutions, combined with the recent high-profile data breaches that have occurred in the past few months, cybersecurity should be a top concern for both issuers and retailers who handle sensitive financial data.
However, a recent report issued by the Ponemon Institute revealed that only 51% of IT executives say that protecting data is a high priority within their companies, despite nearly three quarters of those surveyed saying their companies suffered a data breach in the past year. While IT departments see the need, they do not appreciate that available protections can be realized in ways that are compatible with company operations and their need to maintain flexibility and, of course, profitability.
Its evident that security has grown beyond brick and mortar protections against in-person fraud and theft, to more sophisticated and complex electronic security schemes. With this increased sophistication, comes a need for organizations to not ignore the problem of cybersecurity but to add and constantly improve protective measures.
But where does one start when addressing this need for security?
Regular audits are a good start. Customer-directed electronic payments, facilitated by cloud-based solutions, are becoming the new norm, with an estimated six-fold growth over the next few years. Mobile payments for online purchases alone are predicted to skyrocket from $18 billion worldwide in 2012 to $117 billion by 2017, according to a study by WorldPay. As financial data enters the cloud and increasing numbers of third parties access sensitive documents to verify and process customer and payment information, one necessity becomes apparent: There should be auditable records of this informationgetting into granular detail as to whom, when, where and how each record continuing this data is being accessed and managed.
Best practices dictate that auditing and audit-reporting functionality should be built into cloud solutions to not just report the use and exposure of confidential data and documents, but also allow for alerts of anomalies.
Staying ahead of the gameconducting regular internal audits and catching any glitches before they become major issuesis a more dependable way to ensure an organization is complying with internal policies as well as regulatory requirements.
A second step is awareness of insider threats. A common misconception of many organizations is that security breaches are caused by external parties. However, more often than not, most data compromises are inside jobs, mostly famously demonstrated by Edward Snowdens last days at the National Security Agency. And while external stakeholders pose risk, internal stakeholders can pose even more damage, with immediate access to all confidential documents and sensitive data.
Thus best practices for the well-run organizations are to be aware of, and be imaginative about, insider threats. Despite the high levels of trust within your organization, the most significant data breaches are just not going to come from the careless employee. They will occur at the hands of the malicious invitee into the corporate network. Focusing on areas such as access and privacy controls, aberrant behavior screens, and other approaches that guard against security threatsnot just at the firewall but at the folder, file, document, and content levelsare required by the most expedient security policies and compliance measures. Only when an organization guards against both internal and external threats with targeted precision can it be sure that it is passing the threshold into acceptable risks.
Another important step is choosing the right security technology. As cyber-attacks become more sophisticated, security technology has also become more advanced. With an assortment of software and other tools to choose from, organizations need to ensure the basics are in place. These must-have technology features should include anti-virus and anti-malware, firewalls, e-mail and web content filtering, encryption, folder and file level permissions, group permissions, document rights management, dual or even multi-factor identify authentication, and security information management systems.
For example, data encryption is also pivotal when sharing confidential financial information. Whether in transit, in use or at rest, in an appropriately secured operation, data should be encrypted at rest and certainly before it enters the cloud. Identity and contents should be protected by appropriate operator and administrator shielding. Likewise, passwords should be complex in natureone of the more basic, yet most overlooked, preventative measures.
Organizations also need to consistently monitor electronic management systems. We will eventually get to a point where electronic management systems are no longer an option, but mandatory to ensure effective and secure workflow. Until then, organizations who do not have such a system in place should strongly consider implementing one, in order to streamline workflow processes, increase productivity, and have full transparency into where electronic documents such as pay stubs, statements, and bills are being stored and when or how versions are being altered.
For organizations that already have an electronic management system in place, consistent monitoring is key to spotting suspicious behavior before it becomes a threat. Along with regular check-ins, IT management should also issue and distribute an electronic monitoring data report to their senior team, so all departments are aware of documents being stored, altered or deleted from the system.
With these steps in hand, an organization is well on its way to implementing secure best practices. However, its important to note that cybersecurity is a continuous cycle of offensive moves being countered by defense. As threats become more sophisticated, and technological advancements such as mobile wallets and e-payments gain traction with consumers, enterprises must continually revisit their security measures to ensure theyre up to par with standards, and essentially, hack-proof. This is easier said than done, but not unattainable when equipped with the right technology, consistent monitoring, regular reporting and a transparent team.
William OBrien is the chief operating officer of Brainloop, a provider of secure solutions for enterprise-wide storage and exchange of confidential information.