
How financial organisations can stay protected from financial data breaches 

Guest Blog

Email is a crucial function of business communication, which many organisations strongly rely upon. But as the pandemic brought a new world of remote and hybrid working, it’s arguably more important than ever to keep both individuals and organisations connected – wherever they may be.

A staggering 333.2 billion emails are sent and received daily, so it is inevitable that typos occur and that attachments are sent to the wrong person. Whilst such mistakes are innocent, their consequences can be far more damaging.

The consequences of sending an incorrect email within the financial industry, in particular, could be drastic – both in terms of a firm’s reputation and legal penalties. Within an industry that deals with sensitive and valuable information, it’s vital that financial organisations prioritise keeping their confidential data secure, explains Andrea Babbs, UK General Manager, VIPRE…

At What Cost?

IBM’s latest Data Breach Report revealed that 2021 had the highest average data breach costs in seventeen years, rising from $3.86 million in 2020 to $4.24 million. Within the financial services industry in particular, research indicates that cybercrime is more prevalent than in any other sector. Both external and insider breaches are equally dangerous, but human errors are almost twice as likely to result in data disclosure.

For example, if human error occurs in financial services when sending internal emails, such as including the wrong individuals in CC or attaching the wrong document, this can cause serious issues, as it may be perceived as ‘insider trading’. If two departments are working for two directly competing clients and accidentally share material, non-public information about one another, either team and/or client could gain an unfair advantage from that insight.

The size of the breach will determine the size of the cost, but at a minimum there will be penalties. Beyond the direct financial loss, companies will have to pay for audits to understand what happened and what protocols need to be put in place to prevent further incidents, as well as compensating customers affected by the breach.

Additionally, the aftermath of a data breach is far worse than just financial loss. Businesses in the finance sector have reputations to uphold in order to preserve a loyal customer base, especially in such a demanding and competitive market. Yet, failing to protect sensitive customer information can result in negative press, which can, in turn, make existing and potential customers apprehensive about an organisation. This can potentially result in them taking their business, and money, elsewhere.

Strategy Checklist

A layered cybersecurity strategy is key in any industry in order to mitigate cyber threats and keep sensitive information secure. Within the financial sector, however, it is more important than ever, as the stakes are much higher. When building a cybersecurity strategy, three components should be considered:

  1. Encryption and Authentication: Security protocols are designed to prevent most instances of unauthorised interception, email spoofing and content modification. A hacker attempting to infiltrate a company may try to intercept emails in transit or attack systems directly. Whilst encryption services do not protect businesses against human error, including them in your email security strategy will help to protect companies from hackers intercepting emails.
  2. Training and Guidelines: It is essential that businesses put in place strong security rules and guidelines concerning the movement and storage of sensitive financial information. These should also provide clear guidance on the steps employees should take if a security incident occurs. Additionally, when employees first join an organisation, they should take part in cyber security awareness training. This should be an ongoing programme, to ensure that all employees understand the role they play in keeping their organisation safe. As part of this training, automated phishing simulations should be included to demonstrate how these threats appear, so that users can identify them and act appropriately. Following this training, key metrics and reports can show how users are improving, or where more education is needed. By reinforcing key security messages across the workplace, combined with simulated phishing attacks, continuous training ensures that individuals are able to identify potential attacks and gives them the skills to handle the risks.
  3. DLP (Data Loss Prevention): It is crucial for businesses, especially financial firms, to deploy security measures for the detection and prevention of potential email threats, both internally and externally. Humans play a key role in deciding what is safe to send and what is not, but DLP solutions can support this process by providing the necessary alerts. For example, colleagues exchanging confidential documents across different areas of the business means that the CC fields are likely to contain multiple recipients. Without a tool in place to highlight the error, an incorrect email address is likely to be overlooked; with one, the user is given the opportunity to double-check the accuracy of the recipients and attachments. Supporting staff with this crucial second chance helps to raise awareness and understanding of existing email threats, and provides that essential security lock-step, before it is too late.

Conclusion

Email will remain an essential platform for communication, but it will continue to be a high-risk tool for businesses and employees communicating both internally and externally. This is particularly true for financial services organisations, which remain a prime target for cyber hackers given the temptation of personal information and financial transactions. Therefore, the finance industry must prioritise cyber security and invest in a layered approach, which must include security awareness training and data loss prevention tools, in order to minimise human error and provide the strongest possible defence in the modern security landscape.

Cybersecurity: The crucial double check 

Stuart O'Brien

Cybercrime has quickly become the world’s fastest growing form of criminal activity, and is showing no sign of slowing down, with the number of attacks on businesses continuing to increase. COVID-19 has acted as a catalyst for this, with hackers taking advantage of remote workers during challenging times.

Despite innovations and growing sophistication in hacking methods, one of the main causes of data loss is insiders, including employees making mistakes. Humans make errors, and stressed, distracted employees make even more. With sensitive information on the line, from regulatory compliance to safeguarding Intellectual Property (IP), companies are increasingly concerned about the risk of inadvertent data loss. But how can this threat be mitigated?

Andrea Babbs, UK General Manager, VIPRE SafeSend, emphasises the importance of implementing a crucial double check to improve email security culture…

Human Error 

Business reliance on email is creating a very significant cyber security risk, and not simply due to the increasing volume and sophistication of phishing and ransomware attacks. Given the sheer volume of emails sent and received each day (over 300 billion every day in 2020), mistakes are inevitable. Employees are trusted with company-sensitive information and assets, and many are permitted to make financial transactions, often without requiring additional approval. Furthermore, with strict data protection requirements in place, not only GDPR but also industry-specific regulations, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.

According to reports, 34% of all breaches are caused by insider fault, yet many employees are unaware of their responsibility when it comes to data protection. Should confidential corporate information fall into the wrong hands, the consequences could be devastating, including financial penalties, loss of trust and competitors gaining an advantage. BitMEX, one of the world’s largest cryptocurrency trading platforms, accidentally leaked thousands of private customer email addresses when it sent out a mass mailshot without using the BCC function. But how could this mistake have been stopped? What employees need is a way to better manage their email functions, with an opportunity for potential mistakes to be flagged before an individual hits send, for example by showing who is in the To, CC and BCC fields.

Additional Layers 

Few organisations have a clear strategy for helping their employees understand how a simple error can put the company at significant risk; even fewer have a strategy for mitigating that risk and protecting their staff from becoming an insider threat. But more importantly, what they may not be aware of is that there is a solution available that can add a layer of employee security awareness.

Businesses can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check that asks users to confirm both the identity of the addressee(s) and, if relevant, any attachments. The solution can be configured on a department or user basis. For example, a business may not want HR to be able to mistakenly send sensitive personal information to anyone internally, and may therefore require a confirmation for all of HR's emails.

In addition to confirming email addresses and attachment(s), the technology can also check for keywords within the email content using Data Loss Prevention rules, and each business can set its own requirements and parameters according to its corporate security protocols. Any emails, including attachments, containing these keywords will be flagged, requiring an extra validation step before they are sent, without impeding working practices, and giving users a chance to double-check whether the data should be shared with the recipient(s).

The Essential ‘Pause’ Moment 

Deploying a tool that prompts for a second check and warns when a mistake is about to be made helps organisations mitigate the risk of accidental error, and the potentially devastating consequences it might have for the business. Accidentally CCing a customer rather than a similarly named colleague will be avoided, because the customer’s domain will not be on the allow list and will therefore be automatically highlighted. This is more crucial than ever, with employees dispersed across a range of locations as part of hybrid working. Such tools can support mixed operating system environments, and DLP add-ons can be given to particular departments and groups that handle very sensitive information, such as employee or legal data.

This type of tool is key for companies and reinforces a security culture, building on education and training, with a valuable solution that helps users avoid the common email mistakes that are inevitable when people are distracted, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.

In addition to checking the validity of outbound and inbound email addresses and attachments, the tool can also help to minimise the risk of staff falling foul of a phishing attack: for example, an email that purports to come from inside the company but actually uses a cleverly disguised lookalike domain, such as V1PRE rather than VIPRE. When the user replies, the technology automatically flags that the email is not from an allowed domain, enabling the user to cancel the send and avoid falling for the phishing attack.
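A pre-send check of the kind these two articles describe, written here as an added Python illustration that is not VIPRE SafeSend's own code: it flags recipients outside the allow list, lookalike domains (V1PRE vs VIPRE), mass mailings sent without BCC, and DLP keywords. The allow list, keyword list, recipient limit and confusable-character table are all constructed assumptions.

```python
"""Pre-send email checks: allow list, lookalike domains, BCC use, DLP keywords.
Added illustration; the policy values below are constructed, not a vendor's."""
from difflib import SequenceMatcher

# Constructed policy; a real deployment would load this per department/user.
ALLOWED_DOMAINS = {"vipre.com", "partner.example"}
DLP_KEYWORDS = ("confidential", "account number", "salary")
VISIBLE_RECIPIENT_LIMIT = 20          # assumption: above this, expect BCC
# Hypothetical table of digits/letters commonly swapped to disguise a domain.
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s", "3": "e"})


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, allowed=ALLOWED_DOMAINS):
    """Return the allowed domain that `domain` imitates, or None."""
    for good in allowed:
        if domain == good:
            return None
        # Same name once confusable characters are normalised (v1pre -> vipre),
        # or close enough by edit similarity (vipre.co vs vipre.com).
        if (domain.translate(CONFUSABLES) == good.translate(CONFUSABLES)
                or SequenceMatcher(None, domain, good).ratio() >= 0.85):
            return good
    return None


def check_message(to, cc=(), bcc=(), subject="", body="", attachments=()):
    """Return the warnings the user must acknowledge before the send proceeds."""
    warnings = []
    for field, addresses in (("To", to), ("CC", cc), ("BCC", bcc)):
        for addr in addresses:
            dom = domain_of(addr)
            if dom in ALLOWED_DOMAINS:
                continue
            target = lookalike_of(dom)
            if target:
                warnings.append(f"{field}: {addr} looks like {target} but is not it")
            else:
                warnings.append(f"{field}: {addr} is outside the allow list")
    # The BitMEX-style mistake: a mailshot with every address visible.
    if len(to) + len(cc) > VISIBLE_RECIPIENT_LIMIT and not bcc:
        warnings.append(f"{len(to) + len(cc)} visible recipients: use BCC?")
    # Keyword DLP over subject, body and attachment names (case-insensitive).
    text = " ".join([subject, body, *attachments]).lower()
    for word in DLP_KEYWORDS:
        if word in text:
            warnings.append(f"DLP: '{word}' present; confirm every recipient")
    return warnings
```

An empty list means the message can go straight out; anything else is shown to the user as the ‘pause’ prompt.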

Conclusion

Email is arguably the key productivity tool in most working environments today, which places much of the responsibility for its secure use on employees. But supporting staff with an extra prompt to double-check that they are not mistakenly sharing confidential data helps to raise awareness and understanding, and provides that essential security lock-step, before it is too late. The premise is not to add time or delay to the day-to-day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.

No organisation is immune to human error, but having a clear strategy in place to address misaddressed emails and data loss through email, and to mitigate the associated risks, helps businesses remain compliant and secure. It is all about increasing awareness and improving email culture in an area where mistakes can so easily be made, while reinforcing compliance credentials.