In the U.S. alone, around 9.4 million consumers were affected by data breaches against financial companies in 2022. The financial sector had the second-highest number of incidents globally, behind only government.
For financial companies, the challenge of securing data, particularly in cloud environments, is compounded by the fact that these businesses ingest enormous volumes of unstandardized data from partners. Security and data governance teams lack full visibility into where data is stored and how it is secured.
We spoke with Noam Perel, director of technical success, Laminar, a security, privacy and governance provider focused on the cloud, about some of the top security and compliance challenges that organizations in the financial services industry face and how they can overcome them.
What are some of the trends that have hindered the financial sector’s ability to keep data secure in the last several years?
Financial companies are expected to give customers immediate access to information — which typically requires them to rely on multiple cloud applications to maintain the highest levels of speed and accessibility. While this trend for convenience and engaging experiences certainly may appear as a win for the customer on the outside, internally, most financial companies are still behind the eight ball when it comes to understanding the complexities this creates for data security teams.
In order to maintain the highest levels of speed and accessibility, financial companies can’t just hold onto data and keep it stored in a well-hidden, well-kept silo — it has to be out there to a certain degree. This proliferation of data, increasing adoption of cloud data storage technologies across multiple cloud providers, death of the traditional security perimeter and accessibility of data increase the overall risk of sensitive data being overexposed. Financial companies are also expected to have a faster rate of change for release cycles to meet customer demand, and overburdened security teams just cannot keep track. All of these factors combined have led to the ‘innovation attack surface,’ a new threat vector that organizations across all industries accept as the cost of doing business. I believe that the innovation attack surface has hindered the financial sector’s ability to keep data secure over the last few years.
Why is data security so challenging for financial companies? How does compliance also come into play?
It might not be that data security is “more challenging” for financial companies, as much as it is the fact that each institution has to consider a variety of compliance regulations for each region while making data accessible. For example, I might be a European with an American bank, and now I am trying to access data back in Europe... what is happening there in terms of compliance? How can data security professionals continue making it accessible, while keeping track of it and ensuring it complies with all international compliance regulations?
Plus, financial sectors also have a lot of in-house analysts that perform processing and other similar actions on data making it really hard to:
Tackle the variance of data
Understand where data was copied and how it was changed — and if it was appropriately anonymized or encrypted
Keep track of who has access to those copies
It’s been shown that, on average, financial companies take 233 days to detect and contain a data breach, only second to healthcare. Because of this, it’s even more critical for financial companies to prioritize data security by investing in tools that leave absolutely no blind spots. After all, blind spots don’t just cause a security risk — they are often signs of violations in compliance regulations as well. You can’t protect data, or make sure it is in line with current data compliance standards, if you don’t know what it is or where it is.
What are the common gaps financial institutions can fill to protect themselves?
Many financial companies have “shadow data,” which are data assets in the cloud, including managed data, application logs and caches, credentials, developer secrets, etc. that were created, moved and altered without involvement or controls from IT and security. In financial services, shadow data can lead to costly vulnerabilities. This is the most common gap and first step data security teams should take — gain visibility for all data across the entire cloud estate. Once they have visibility (which is a huge task), data security professionals can then make sure that the data is in its secure place and processed and accessed in a way that is transparent to security and governance teams. Then, and only then, can the organization properly address data hygiene, security risk management, access governance, and compliance.
How do you see data security in the financial sector evolving in the next year?
Data security and compliance professionals are going to increasingly rely on agile cloud data security. As a result, organizations will ultimately have more agility and control over data, a reduction in the innovation attack surface, transform the role of security teams from gatekeepers to business enablers, and secure support for the daily activities of value creators such as developers and data scientists.