The danger of client churn, loss of competitive advantage, loss of profitability and legal implications for financial organizations that experience a cybersecurity incident is material.
Data leaks stories are more and more at the front page of newspapers:
“In 2019 a data leakage impacting BlackRock, has exposed names, email addresses and other information of about 20,000 advisers who are clients of the asset manager, including 12,000 at LPL Financial, the lar gest independent broker-dealer.”
“An employee of the Korea Credit Bureau secretly copied databases containing customer details in 2014. Identification numbers, credit card numbers, and addresses were stolen from 20 million victims, which represented a whopping 40% of South Korea’s entire population at the time.”
“In 2008, a former employee of Countrywide Financial Corp. was arrested for allegedly stealing and selling customer information on the company’s 2 million mortgage loan applicants. The rogue ex-employee downloaded the customer data in installments, stealing around 20,000 customer records per week for two years”
The list is long and only public when it concerns personal data. Business data leaks are not often disclosed.
This highlights the weaknesses of the systems of financial institutions, weaknesses pointed out by some studies.
“Only 5% of companies’ folders are properly protected, on average.” (Varonis)
“34% of data breaches involved internal actors.” (Verizon)
“53% of companies had over 1,000 sensitive files open to every employee.” (Varonis)
To successfully fight against malicious intent, it is imperative that companies make cybersecurity awareness and prevention best practices a part of their culture.
Data security involves several solutions that must be combined to ensure an optimal level of protection. This involves knowing what are the most important data for the organization (data classification), knowing where it is located (data discovery), protecting it (ex. Encryption, access control), preventing its leakage (DLP), etc.
Within this set of tools and processes, DLP solution is used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP tool classifies confidential and business critical data and tracks violations.
To ensure the security of your data, a DLP tool is a must. The implementation of such a tool is performed in close collaboration with the business and through an approach that can proceed in the following steps.
Identifying sensitive data across the organization is a key first step to build a robust framework. Sensitive data are spread across the organization from front to back office and across all functions.
These data can be confidential or even secret. They may be specific to each unit and require unique processing depending on the teams. The overall objective is to protect the latter with protective measures but allowing the continuity of the business.
The design of the rules must be very precise in order to unequivocally identifying the targeted data. DLP tools rely on detection capabilities using keywords, regular expressions, meta data, document format … which apply to any data output.
Our DLP projects show six best practices.
Timely projects help protect your critical data. For example, our experience shows that in 3 months, it is possible to identify the most sensitive data (more than 80 data) and produce DLP rules to protect the most essential elements (30 DLP rules).
The collaborative involvement of HeadLink (https://headlink.ailancy.com/) and Beijaflore (https://www.beijaflore.com/fr/expertise/cyber-risk-security/) is a key enabler for DLP project, offering a combination of Front to Back business knowledge and Cyber Security expertise.