What is happening in the Financial Sector?
Data protection has always been one of the biggest priorities in the financial sector. Companies of all sizes protect their sensitive data against leakage.
The field has been changing recently due to digital transformations and various data security threats. With new technologies and data processing, data can leak without being noticed. The consequences of such leakages can be unpleasant. So it is even more important for organizations to protect their data.
No matter whether data leaks via email, communication platforms, databases, IT systems, or portable devices, the leak can cause damage. A data leak is a major challenge for organizations to face. Companies can lose payment information, business secrets, and strategic and accounting plans, and the stock market value can drop. Data loss might be considered a violation of regulations, and authorities may issue high fines. This also means high costs for the company, brand damage, and potential loss of customers or employees.
Luckily, for every problem there is a solution! In this e-book you will find out how to protect data in the financial sector.
Let’s start!
Sensitive data in Financial Institutions
Financial data is any information related to a financial account or transaction. These include:
- Cardholder data
- Payment transaction data
- Customer account number
- Credit card number
- Sales data
- Purchase history
- Credit information
- Credit rating data
- Credentials
- Personal and private information
Do not forget about other sensitive data that your company might have, such as strategic plans, business plans, acquisitions information, and various personal data about your employees, customers, or contractors.
What is Data Loss?
How Companies Produce Data:
Business data is any information that is relevant for running a company. Companies gather data from various sources and channels, and they do so via different software or AI.
What is Data Flow?
Data flow is the movement of your company’s data throughout your systems. Data can flow via both software and hardware and can be changed during the process of moving. Different employees and teams have access to data at specific points in the data flow. They can change data, provide data to other departments or vendors, or even delete data.
Data can be found and moved via the following channels (both official and unofficial):
Data can leak at any moment, and every stage of the data flow can be risky in terms of data protection.
What are the Threats to Data Security?
External threats
- Malware
- Phishing campaigns
- DDoS attacks
- Ransomware
The number of cyber-attacks continues to increase, so companies need to protect their data with even more care. Data protection is the only way to keep data safe, and to protect it against theft or encryption, which are used in order to blackmail companies or sold on the dark web.
Internal threats
- An email sent to the wrong address
- A lost or stolen device
- Former employee taking client lists
- Clicking on a phishing campaign
The latest studies have shown that up to 95% of data leaks are caused by insiders. Insider threats are on the rise due to digital workspaces, flexible and remote work, and agile and BYOD approaches. Most of these leaks and threats are unintentional – 56% were caused by negligent employees.
It is crucial for organizations to have a tool that can prevent data leaks. At Safetica we have seen that when your DLP is properly set, your data is protected against insider threats,”
Radim Trávníček, CISO in Safetica.
What are the Consequences of Data Leaks?
Data leaks might cause real damage to an organization. No matter whether the data is in an email, or through communications platforms, databases, IT systems, or portable devices. Leaks are always a huge challenge.
Data losses can cause
- Brand damage
- Loss of business secrets
- Decrease the value of company stock
- Regulation violations and fines from authorities
- Customer churn
Data breaches in Financial Institutions in Numbers
On average, a financial services employee has access to nearly 11 million files the day they walk in the door. For large organizations, employees have access to 20 million files (Varonis).
GDPR Regulations that Financial Institutions Must Comply With PCI DSS
There are plenty of regulations and laws that companies must follow. Some of them are local and apply only in the countries where the organization is based, others have global reach. Two most important regulations that financial institutions must comply with are GDPR and PCI DSS.
GDPR stands for General Data Protection Regulation. GDPR is a European Union protection regulation that came into force on May 25, 2018. It applies to all organizations that process the personal data of EU residents. This means that companies in the EU and abroad are affected. GDPR is the strictest and most complex personal data protection regulation in the world.
The purpose of GDPR:
The purpose of the General Data Protection Regulation is to protect people’s privacy. Therefore, companies are obliged to protect the personal data of EU citizens and cannot process it or sell it to any third party without their consent.
Personal Data:
GDPR considers personal data to be any information that can directly or indirectly lead to an identified or identifiable natural person, such as:
- Employee personal data, information about customers
- Non-public personal data of business partners and providers
- Personal data that is transferred to and processed by third parties
- Images and sound recordings
- Encrypted data
Penalties:
In the event of a GDPR violation, there are two types of fines that a company may be obliged to pay.
- The lower level is up to 10 million euros, or 2% of the worldwide annual revenue from the previous year, depending on which is higher. Violations connected with record-keeping, data security, etc.
- The upper level is up to 20 million euros, or 4% of the worldwide total revenue from the previous fiscal year, depending on which is higher. These fines are usually issued for violations relating to data protection principles, the legal basis for processing, the prohibition of processing sensitive data, denial of data subjects’ rights, or data transfer to non-EU countries.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI-DSS was first introduced in the USA in December 2004. The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
The purpose of PCI DSS:
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of rules and processes that are designed to protect cardholders‘ sensitive data from fraud and data breaches. Basically, it tells merchants how to handle their customers‘ credit card information securely and safely so it doesn’t fall into the wrong hands.
Cardholder Data:
The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Security code
- Sensitive authentication data (magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs).
Penalties:
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
- The lower level is up to 10 million euros, or 2% of the worldwide annual revenue from the previous year, depending on which is higher. Violations connected with record-keeping, data security, etc.
- The upper level is up to 20 million euros, or 4% of the worldwide total revenue from the previous fiscal year, depending on which is higher. These fines are usually issued for violations relating to data protection principles, the legal basis for processing, the prohibition of processing sensitive data, denial of data subjects’ rights, or data transfer to non-EU countries.
How Can you Protect your Data with Safetica?
Perform security audits and have an overview of your sensitive data
It is important to know where your sensitive data is stored, how your employees process such data, and how it is shared with external parties. When your data processing is secured, the risk of data leakage is reduced.
Safetica performs data security audits and provides a detailed overview of sensitive or financial data flow and storage. Once you have discovered all the weak points in your data security, Safetica then allows you to set DLP policies accordingly.
Set your DLP policies – notify, restrict, and raise awareness of data security
With Safetica you can create security policies based on your needs. What should happen if an employee is about to do a potentially risky operation? Choose from these scenarios:
- Notify the employee about the possible risks and let them decide whether they want to proceed.
- Notify the employee about the possible risks and block the operation.
- Restrict operations that you find risky.
When you choose to use notifications, you also educate your employees about data security.
What if there is a data breach anyway?
If you experience a data breach, it is critical to be informed immediately, so you can react and minimize the consequences.
Safetica offers a customizable real-time alert system. Based on the alerts and detailed logs, you can report the incident to the data protection authorities in time and provide them with any necessary documentation.
If you feel like it will take too much time to set up your DLP solution, don’t worry. Safetica also offers templates for DLP policies that are really simple to use, which will free you up for other work.
Safetica provides two types of solutions for data loss prevention
Safetica is easy to implement, integrate, and use. Our solution doesn’t create extra hassle for employees or the IT department. Automation of security policies and integration with your IT stack help you protect your assets even in complex environments. Safetica secures data on all endpoints, all devices, all major operating systems (Windows, macOS), and the cloud, perimeters and internal zones.
Cloud-native DLP solution as a service
designed for companies that do not have in-house infrastructure. Thanks to pre-configured settings and automatic reports you only need a few hours per week to manage the solution. Safetica NXT offers monthly or annual pay-as-you-go subscriptions. The basic subscription includes 30 users. Subscriptions can be cancelled at any time.
Protects data against insider threats and data leakage.
Safetica ONE is an on-prem solution and helps you to predict data leaks based on an analysis of user behavior. The solution can be integrated with your IT stack, and you can easily protect data in your enterprise environment. Safetica ONE protects all endpoints, devices, operating systems, cloud, perimeters, and internal zones.
who we are
Safetica is a Czech software company that provides Data Loss Prevention and Insider Threat Protection solutions to organizations of all shapes and sizes. Here at Safetica, we believe everyone deserves to know that their data is safe.
