The financial services industry is by no means immune to data breaches. In 2014 alone, British financial services firms were investigated 585 times for data privacy breaches. Data Protection Act (DPA) breach investigations within the industry have more than doubled in the past two years, as revealed by a recent freedom of information request to the Information Commissioner’s Office (ICO).
UK’s major banks risk losing customer confidence and market share, paying hefty fines and suffering disruption to critical business operations in the wake of a data breach. Financial services firms are a very attractive target for malicious criminals, but they also risk unintentionally losing data through human error.
The Ponemon Institute’s ‘2015 Cost of Data Breach Study: United Kingdom’, revealed that the average total cost of a data breach for a UK company was £2.37 million and that costs in the financial industry were higher than those in other industries.
Responding to a data breach is a very complex situation that requires extensive planning and coordination. It’s important to develop a strategy before the event rather than scramble around while damage is being done. Organisations must tackle data security on all fronts: looking inwards at information management practices and policies as well as investing in technology. A lot of firms just buy tool after tool thinking they are secure. It is never the case.
Here are five proactive steps financial services firms can take before a breach occurs for their responses to be more effective.
1. Develop and test an incident response plan
Financial services organisations are losing the battle against data breaches – attackers typically compromise their targets within hours or days, but these attacks can take weeks to detect and months to resolve. Hence, it is crucial to have an effective incident response plan in place before a cyber-attack hits. Companies that have a plan can identify, contain and eradicate the breach exponentially faster than those without one.
I strongly advise financial organisations to bring in an external consulting firm when developing a computer security incident response plan (CSIRP). A team of incident response experts, who have seen hundreds or thousands of breaches, can help you build a comprehensive strategy. They can also avoid some of the common mistakes other victims in the financial industry have made.
Additionally, testing your CSIRP ahead of an incident will help to identify which sections of the plan are strong and work as intended, and which sections are lacking and need modification. After you have remediated the discrepancies identified during the initial test, test the plan again and again to enhance your incident response capabilities.
2. Apply information governance practices
Information governance is knowing what type of data you have, where it resides, who interacts with it, how and where that data travels to and how it gets there. To put it bluntly, if you don’t know this about your data, how can you protect it?
One of the first questions an investigator asks is ‘Where was the stolen data taken from and how much was stolen?’ Knowing the original location, the location of all copies, plus who has access to it, is critical in being able to put an effective investigation plan in place and starting the process of data reduction.
A lack of information governance within an organisation represents a critical flaw in its ability to respond efficiently to a data breach. Knowing where your data is will help an investigation team triage an incident and rapidly reduce the amount of data and systems they have to look at.
If, for example, your confidential data suddenly showed up on Pastebin (a web application where users can store plain text) and you knew it lived on server X, it would be logical to assume server X was involved in the breach and should be included in the scope of the investigation. If you had no idea which system that data came from, the scope of the breach analysis would get larger, and use time and resources that instead could have been used responding to the breach.
3. Improve logging and retention
Investigating a data breach without log files is like following a set of footprints in a blizzard. Without logs, there is no evidence of initial intruder access into the target environment, movement from the point of entry and exfiltration of stolen data. You may be able to examine the last few days or weeks of the incident, but normally nothing beyond what is stored on the local system. This is a big problem, since most breaches occur months before evidence of their existence surfaces. By that time, the logs required to identify what took place and when are long gone.
Log files or audit trail retention is also a requirement in a number of governance, risk and compliance (GRC) regimes and important for compliance. Log files also ensure that when a breach takes place you have the mechanisms in place to give investigators the information they need to do their jobs.
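The two points above, scoping an investigation from a data inventory (section 2) and checking whether log retention actually reaches back to when the intrusion probably started (section 3), come together in the first hour of a triage. The script below is an added example, not code from the article or from Nuix. It assumes a hypothetical inventory mapping each sensitive data set to the systems holding a copy, and a constructed set of syslog-style lines ("<ISO-8601 timestamp> <host> <message>"). Given the data set that turned up on Pastebin, the detection time and an assumed dwell time, it lists the in-scope systems and reports, per system, whether surviving logs cover the required window, how many days are missing, or whether there are no logs at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed, hypothetical data inventory: data set -> systems holding a copy.
# In a real organisation this is the output of the information governance work.
DATA_INVENTORY = {
    "customer-pii": ["db-01", "backup-02", "analytics-03"],
    "card-data": ["pay-gw-01"],
}

# Constructed sample log lines: "<ISO-8601 timestamp> <host> <message>".
# Note that pay-gw-01 has no lines at all, and only db-01 has a long history.
SAMPLE_LOGS = """\
2015-01-03T08:12:00Z db-01 sshd: Accepted publickey for svc_backup
2015-06-30T23:59:00Z db-01 sshd: Accepted password for admin from 10.0.0.5
2015-06-20T02:00:00Z backup-02 rsync: transfer complete
2015-07-01T01:00:00Z backup-02 cron: job finished
2015-06-29T10:00:00Z analytics-03 app: query executed
"""

# Constructed detection time: the moment the data was seen on Pastebin.
DETECTED_AT = datetime(2015, 7, 1, tzinfo=timezone.utc)


def systems_for(data_set):
    """Scope step: every system that holds a copy of the leaked data set."""
    return list(DATA_INVENTORY.get(data_set, []))


def log_span_by_host(log_text):
    """Return {host: (earliest, latest, line_count)} from timestamped log lines."""
    spans = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the triage
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = parts[1]
        first, last, count = spans.get(host, (ts, ts, 0))
        spans[host] = (min(first, ts), max(last, ts), count + 1)
    return spans


def coverage_report(data_set, detected_at, dwell_days, log_text):
    """For each in-scope system, say whether logs reach back dwell_days before detection.

    status is "covered", "gap" (earliest surviving log is later than needed; gap_days
    says by how much) or "no logs" (nothing survives for that system at all).
    """
    required_from = detected_at - timedelta(days=dwell_days)
    spans = log_span_by_host(log_text)
    report = {}
    for host in systems_for(data_set):
        if host not in spans:
            report[host] = {"status": "no logs", "gap_days": dwell_days, "lines": 0}
            continue
        earliest, _latest, count = spans[host]
        gap = max((earliest - required_from).days, 0)
        report[host] = {
            "status": "covered" if gap == 0 else "gap",
            "gap_days": gap,
            "lines": count,
        }
    return report


if __name__ == "__main__":
    # Assume a 90-day dwell time first, then the longer window the article warns about.
    for dwell in (90, 180):
        print(f"customer-pii, {dwell}-day window:")
        for host, row in coverage_report("customer-pii", DETECTED_AT, dwell, SAMPLE_LOGS).items():
            print(f"  {host:13s} {row['status']:8s} missing {row['gap_days']:3d} days, {row['lines']} lines")
    print("card-data, 90-day window:", coverage_report("card-data", DETECTED_AT, 90, SAMPLE_LOGS))
```

With a 90-day window only db-01 is fully covered; backup-02 and analytics-03 are missing 79 and 88 days respectively, and pay-gw-01 has nothing. Raising the assumed dwell time to 180 days, closer to the "months" the article describes, exposes a gap even on db-01. Running this against real retention figures before an incident is the cheapest way to find out which systems would leave investigators following footprints in a blizzard.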
4. Understand your breach disclosure responsibilities
There is currently no legal obligation for financial services firms to report breaches of security which result in loss, release or corruption of personal data. Current UK legislation only obliges providers of public electronic communication services to report if they suffer a data security breach.
However, the Information Commissioner believes serious breaches should be brought to the attention of his Office and all data controllers have a responsibility under the DPA to ensure appropriate and proportionate security of the personal data they hold.
The ICO has the power to issue monetary penalties of up to £500,000 for serious breaches of the DPA, regardless of company sector, and has historically reserved its largest fines for organisations which have suffered data security breaches. However, the rules will become much tighter if the proposed EU General Data Protection Regulation goes ahead, which is looking more and more likely to come into place later this year.
Organisations conducting business overseas must also take note of requirements in each country where they operate or their customers reside. Some key points of focus include customer notification by country; law enforcement notification; which law enforcement agency has jurisdiction; differences in disclosure for information about adults and children; and what data types (and in what combinations) require notification. For example, if you have clients in the United States, you’ll need to learn and adhere to 47 different state breach disclosure notification laws.
5. Perform goal-oriented penetration testing
A penetration test gauges an organisation’s ability to withstand a cyber-attack. It determines, given a set of configurations, the degree to which an intruder can gain access to a target environment, move around, access company sensitive data, and move it to a system controlled by the attacker. Logically, this test should mirror real-world attack vectors as closely as possible.
However, many companies engage penetration testing services that are simply exercises in ticking boxes for compliance. For example, they tend to run checks only during business hours and only on specifically designated systems. In reality, hackers will come at you when you are most vulnerable.
What is worse, this situation has clouded the definition of what a penetration test is and why you need one. Penetration tests should combine technology and human interaction simultaneously. There is no such thing as a fully automated pentest, just as there is no such thing as a fully automated cyber-attack. Too much automation in a pentest creates an unrealistic scenario and gives the test recipient a false sense of security. Companies that engage in realistic penetration testing are substantially better positioned to defend themselves against attacks.
It’s time to fight back
Cybercrime is becoming an increasingly important consideration for financial services firms. Recent breaches have brought to light the inadequacy of current defensive strategies. Despite the vast sums of money spent on hardware, software and regulatory compliance, breaches continue to occur. Financial services firms must start to operate under the assumption that they have already been breached or that they are actively being targeted, and begin planning their response strategy accordingly.
Stuart Clarke is the director of cybersecurity and investigations services at Nuix. Stuart is an experienced digital forensic, information security and e-Discovery consultant. During his career he has provided expert evidence in civil and criminal courts and across different jurisdictions and has delivered on projects across the globe, providing innovative solutions to deal with challenging situations. He holds a First Class Honours degree in Computer Forensics from Northumbria University and developed and delivered training for an MSc program.