January 6, 2021
Published: The Accountant
Email is becoming more important than ever, especially with the rise in remote working. The potential to make an error when sending an email is common, whether it be sending to the wrong address or with the wrong attachment. Andrea Babbs, UK general manager at VIPRE, explains how financial services organisations can keep privileged information secure
Roughly 306.4 billion emails were sent and received each day in 2020, and with the figure expected to rise to over 361.6 billion in 2024, the potential to make a mistake –with potentially disastrous consequences – is rising.
Should information end up in the wrong hands, financial services institutions could be especially vulnerable. The industry deals with highly sensitive information, including fiscal transactions and financial data, which could result in notable losses of money. And cybercriminals prey on these kinds of email.
Organisations spend an average of $3.85m recovering from security incidents, with the usual time to identify and contain a breach being 280 days, the Ponemon Institute has found. According to a Crypsis report, the financial services industry was subject to the second-highest number of cyberincidents of all industries, behind healthcare, with the highest number of business email compromise attacks in 2019.
And while external threats seem to make the headlines, such as the Capital One incident, unintentional breaches do not always garner as much attention. Yet, they can be as dangerous as each other. In fact, human errors are almost twice as likely to result in confirmed data disclosure.
There is no doubt that costs vary depending on the scale of the breach, but at a minimum there will be financial repercussions, and costs for auditors to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening again. There could also be huge costs in reimbursing affected customers.
It is not just financial penalties and costs that organisations have to worry about: the reputation of a financial services business is essential in order to maintain a customer base. Those that fail to protect customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously affect the organisation as a whole.
In such a highly competitive market, it does not take much for customers to take their money elsewhere – customer service is everything. A direct and stratified cybersecurity approach is fundamental to minimise risk and secure private information in the financial services sector. Three key factors must be considered:
1. Data loss prevention (DLP)
A firm would be able to implement security measures for the detection, control and prevention of risky email-sending behaviours through DLP solutions.
It is only humans that can truly decide between what is safe to send and what is not: technical solutions such as machine learning can only go so far to prevent breaches. In practice, machine learning will either stop everything from being sent – becoming more of a nuisance than support – or it will stop nothing. DLP solutions do not delay the working practices of users, but instead, give them a critical second chance to double check when selecting the right email recipient.
Users can be prompted based on specific parameters – for example, colleagues in different departments exchanging confidential documents with each other and external suppliers means the To and CC fields are likely to have multiple recipients in them. The tool gives users a chance to check the accuracy of recipients and contents of attachments where a simple incorrect email address or a cleverly disguised spoofed email would likely be missed. This alert can be the critical factor in cybersecurity efforts.
2. Verification and encryption
Security protocols are designed to prevent most instances of unauthorised interception and email spoofing where, for example, hackers may try to attack systems directly or intercept emails via an insecure transport link. Adding a dedicated email to email encryption service to your email security suite increases your protection in this area. However, it is important to remember that encryption and authentication do not safeguard against human errors and misdeliveries.
3. Strategy and education
Cybersecurity awareness training is important for businesses to enable the success of security guidelines and rules regarding the circulation and storage of sensitive financial information. Employees should be trained when joining an organisation, and then enrolled into an ongoing programme with quarterly or monthly short, informative sessions.
Training should incorporate ongoing phishing simulations, as well as simulated phishing attacks, to demonstrate how incidents can appear and educate them on how to spot and flag them accordingly.
Reinforcing security messaging, while reminding employees regularly of the risks involved and working in tandem with simulated phishing attacks, ensures that everyone is capable of spotting a scam and knows how to handle sensitive information.
Organisations can reduce the risk involved when sending corporate and financial emails by taking a dynamic approach to cybersecurity. With a stratified system consisting of awareness training, verification tools and DLP solutions, organisations can be confident in their workplace’s security.
Cybercriminals see financial services organisations as a key target, and this desire for hackers to get hold of personal information and financial transitions will never diminish. This means financial institutions should ensure that cybersecurity is a priority by frequently evaluating risks, deploying innovative solutions, and training employees in order to provide the best possible protection.