Why financial services should prioritise data security

 Rick Goud, Co-Founder & CIO, Zivver

 

In recent years, a wave of cyber attacks, data breaches and leaks has hit businesses in the financial sector. A report from the NCSC found that 39% of UK-based businesses had a cybersecurity breach or attack in the last 12 months, with the average cost of a cyber attack on a business being £13,400. For financial services firms sharing hyper-sensitive data, the potential fallout from a data breach or leak can be even worse.

When strategising for data loss prevention in email, IT leaders have traditionally focused on incoming, malicious attacks, leaving finance organisations open to the leading cause of data incidents. According to ICO reports, these are most commonly non-cyber-related issues.

The global shift to remote and hybrid working has seen businesses move en masse to cloud services, remote access tools and collaboration apps. The way we work has fundamentally changed, and our reliance on digital communications, including email, is greater than ever. However, in the rush to implement these tools, companies may have overlooked security challenges, configured their settings incorrectly or used free tools with questionable security features. As a result, as digital communication links have rapidly developed in the last year, so too has the number of vulnerabilities that cyber criminals can exploit. To close these gaps, the financial services industry needs solutions which combine secure technology with watertight email practices.

Employees have adapted to working from home; however, with our days busier than ever, it’s inevitable that, occasionally, mistakes will happen.

Did you know that most email users are sending around 30-40 emails a day? Now think about the fact that the wealth management sector in particular deals with extremely confidential, high-profile and/or high net worth proceedings. Those 30-40 emails could contain information relating to a client’s savings, investments, income, and financial commitments.

Securing outbound communications

Every financial institution needs secure methods of sending emails and transferring files to customers or other contacts, even if they rely heavily on customer portals. Whether it’s a bank sending out statements to clients, an insurance company offering online consultations, or a notary sharing documents with other parties for an estate transaction, companies everywhere are increasing their use of digital communication channels.

But the built-in security of email platforms fails to deliver sufficient protection against these ‘outbound’ email-borne security breaches. Likewise, many employees do not know how to recognise emails sent with malicious intent and take action, opening new opportunities for inbound threats missed by the platforms’ shields and filters.

High-value fraud attempts via business email compromise (BEC) continue to make it through O365’s native security solutions, leaving firms more exposed to data breaches. These organisations often hold as much personal information, corporate data, customer information and financial data as banking institutions, despite having smaller budgets or a smaller headcount on their security teams to ensure their digital perimeters are secure. In fact, research revealed only 31 percent of smaller family offices had implemented cyber security measures, versus 60 percent of larger operations.

The fact is that most of today’s security solutions focus on threat protection and are built to keep ‘inbound’ risks – malware, phishing attacks, and spam – at bay, as these are consistently viewed as the biggest risks to email security. But when it comes to misdirected emails (reported by the ICO as the number one non-cyber security incident faced by businesses in the finance, insurance, and credit sectors), it is clear that data loss via human error and more insidious insider threats are security risks that are consistently overlooked.

It’s not enough to focus solely on inbound threats and keep the attackers from coming in; businesses need to ensure they prevent sensitive data being accidentally or maliciously sent out. But why aren’t existing email security solutions doing this?

Popular email service providers may have outbound email filtering rules – but these are often too rigid to adapt to evolving ways of working, and often depend heavily on IT teams having to constantly update and configure them.

Financial institutions will always remain a prime target for cybercriminals, in part because of the massive amounts of personally identifiable information stored in their databases. At the same time, threats evolve. That’s why firms everywhere should review their data security protocols and, where necessary, invest in effective tools to ensure that sensitive information can be safeguarded at all times.

 
