Finance is one of the most heavily regulated sectors when it comes to privacy and data protection. Because of the highly sensitive nature of the data that financial institutions collect and process, specialized legislation such as the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA) was enacted in the US, while standards such as the Payment Card Industry Data Security Standard (PCI DSS) were adopted worldwide to protect cardholder data. In the EU, the General Data Protection Regulation (GDPR) also applies to financial information, as it can be used to identify individuals.
Because of all this, many financial institutions already have complex cybersecurity frameworks in place. These include strict security policies such as the use of antivirus software and firewalls, access to data on a need-to-know basis, and the protection of sensitive data. In this last category, Data Loss Prevention (DLP) solutions, focusing directly on sensitive data rather than company networks or work devices, have emerged as essential tools in the data protection arsenal.
Protecting sensitive information from internal threats
When it comes to data breaches, our instinct is to think of headline-grabbing cyberattacks perpetrated by malicious outsiders. However, according to the Cost of a Data Breach Report 2020 released by IBM and the Ponemon Institute, malicious attacks account for only 52% of all data breaches. The third biggest root cause of data breaches is in fact employees themselves, accounting for 23% of data breaches. Employees are also responsible for 24% of malicious attacks, with 7% intentionally initiating an attack and a further 17% falling victim to phishing and social engineering attacks.
And while training that teaches employees how to identify threats and deal with them may help reduce these numbers, a moment of neglect is all that’s standing between a financial institution and a serious data breach. The problem with internal threats is that companies cannot limit employee access to sensitive data when it is needed to perform their daily tasks. The solution, offered through DLP, is to focus not on the user or device, but the sensitive data itself.
Through predefined policies for financial and personal information, along with the possibility to customize them to fit a company’s particular niche, DLP solutions allow financial institutions to monitor and control sensitive data. They can limit or block its transfer outside of the company network, and also search for it in data stored locally on work computers. In this way, organizations can prevent employees from transferring data through insecure third-party services such as messaging apps, file-sharing services, or cloud storage, or from archiving it on their hard drives.
Knowing where data is and how it is being used
Data transparency is an important part of any comprehensive cybersecurity framework. Financial institutions must know how data is collected, processed, and used by employees while performing their duties. By understanding their data flow, financial institutions can identify weaknesses in their policies and potential threats to data security.
DLP solutions help companies monitor sensitive data throughout their entire network, flagging any attempts to violate data protection policies and producing reports to support future decision making. Extensive monitoring of sensitive data means not only that financial institutions can build more efficient data protection strategies focusing on identified risks, but they can also discover potential malicious insiders attempting to steal data or employees that might require additional data security training.
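The content-inspection, transfer-control and flagging mechanics described above, as an added illustration that is not code from the original article or from any DLP product. It assumes a hypothetical policy in which cardholder data may only leave through one approved destination named `payment-processor-sftp`; the sample document is constructed, and its card numbers are public test numbers.

```python
import re
from dataclasses import dataclass, field

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops most account and reference numbers
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Decision:
    action: str                     # "allow" or "block"
    destination: str
    findings: list[str] = field(default_factory=list)   # masked PANs for the audit log

# Hypothetical policy: cardholder data may only leave via the approved processor channel.
APPROVED_DESTINATIONS = {"payment-processor-sftp"}

def evaluate_transfer(content: str, destination: str) -> Decision:
    masked = [mask(p) for p in find_pans(content)]
    if masked and destination not in APPROVED_DESTINATIONS:
        return Decision("block", destination, masked)
    return Decision("allow", destination, masked)

# Constructed sample document: the card numbers are public test numbers, while the
# 16-digit ticket reference fails the Luhn check and must not be flagged.
SAMPLE_DOC = (
    "Refund batch 2024-Q1, ticket ref 1234567890123456\n"
    "Card 4111 1111 1111 1111 refunded 120.00\n"
    "Card 5500-0000-0000-0004 refunded 45.50\n"
)
```

`evaluate_transfer(SAMPLE_DOC, "personal-webmail")` returns a block decision whose masked findings can be written straight to the audit log without storing full card numbers.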
Through monitoring, financial institutions can also discover the most frequently attempted policy violations and search for their root cause. They can then address them through training or the adoption of authorized tools that employees might need to perform their tasks.
Protecting data on the move
The great fallacy of traditional cybersecurity frameworks is that they secure sensitive data and employee computers only while the devices and the data are safe in the office or connected to the company network. Once an employee takes a device home or travels with it for business reasons, the data on it becomes vulnerable. This became an especially relevant point during the last year when many financial institutions were forced to take their business operations remotely due to the COVID-19 pandemic.
DLP solutions, when applied on the endpoint, can ensure continued protection for sensitive data no matter where a device is located. Whether at home or in the office, connected to the company network, a personal Wi-Fi connection, or not connected to the internet at all, DLP data protection policies continue to be enforced on the device itself, ensuring uninterrupted protection, which is an important compliance requirement.
Supporting auditing efforts
DLP monitoring and logging features enable companies to keep detailed records of all sensitive data transfers. This is particularly useful for compliance reasons as most data protection laws require organizations to prove that they have taken adequate measures to protect data from leaks or theft. DLP solutions can thus support auditing efforts for compliance through generated logs and reports.