Businesses’ role in cyber security and threat prevention

Cyber Security Heading into the Future
There is a massive cyber threat that the world of finance is currently facing and responsibility for monitoring and eliminating that threat rests on the shoulders of businesses, for the sake of their clients’ and their of livelihoods. The financial service company sector is targeted more than any other industry, as attacks against them account for over a quarter of cyberattacks. Many a financial service company has had its monitoring and prevention efforts overpowered by a varied range of sophisticated attacks, such as fraudulent transfers, social engineering attacks, power theft, DDS attacks, and ATM theft.

Such a level or security risk has propelled these financial institutions to take a new approach to security risks that extends far beyond monitoring and arming against criminals. Rather than waiting around to risk a criminal stealing sensitive information and focusing on traditional security measures and prevention, financial cyber security is now shifting its security strategy toward a proactive data security model. Major organizations like Visa and Chase are welcoming white-hat cybersecurity activity to test how robust their security systems are. Meanwhile, on their own part, financial institutions are storing fake accounts and fake sensitive information for cybersecurity so that criminals have a hard time actually recognizing legitimate sensitive information. Some of these financial institutions provide open access to readily available data and resources deceitfully so that criminals will download their software or data. In turn, the financial service organization hacks these evil doers’ networks itself, attacks them, and sometimes install tracking devices on criminals’ computers that allow it to determine their location. Indeed, Congress has passed a cybersecurity law that allows security hacking activity in self-defense. Some banks send text message confirmations for customers to use as their PIN codes rather than using the same pin every time. 

Customers Taking Threat Prevention into Their Own Hands
On their part, many financial service company clients are electing to have their cards remotely controlled so that they can destroy them for security purposes in the event they are stolen. Furthermore, heading into the future, a financial service company will have a new opportunity to protect it from a cyber threat and stay quicker than the criminals – quantum computing, which processes operations at a lightning fast speed. This will be used to monitor and mitigate risk in managing people’s identities, power expenditure monitoring, ownership transfers, authentication of payments, insider threat monitoring, web services, and much more at a higher level of security.

Personally Identifiable Information (PII)
Personally identifiable information (PII) was a concept that began with cable television services and originally prohibited cable companies from giving out customer data that wasn’t in the pubic domain. The rise of the Internet, however, changed that interpretation by storing absolutely all user data and user activity records somewhere online. Thus, every business that processes financial information and similar sensitive data online is now obligated to use the services of cyber specialists. The Internet is a giant space that criminals can capitalize on for detection of websites’ vulnerabilities where they can take advantage of user activity and  gain access to data like never before. This has necessitated particularly stringent data security laws worldwide. Although companies and websites are allowed to use some public information, such as cookies for user preferences on websites and Google’s use of search history and user activity from particular IP addresses to render ads more relevant, it is illegal for this data to be used to determine that person’s actual identity. The legal definition of personally identifiable information (PII) varies greatly based on the region and jurisdiction and is subjective to a degree and based on courts’ discretion; however, it includes data like the individual’s name, address, social security number, place of work, profession, financial information, credit card number, medical information, etc. If such information were to become available to a criminal as a result of user activity, it could entail the theft of the customers sensitive financial information, in which case the business would be held liable and often is the sudden downfall of many previously successful companies.

Learn more about personal data protection

Data Protection Laws Around the World
Not only must online financial activities be subject to stringent monitoring of financial security practices within one’s own region, but in nearly every case, businesses will have to monitor all worldwide data security standards due to the fact that their resources and websites are being visited by users all over the globe. While some jurisdictions have rather lax laws on data security risks, other regions are far more stringent about preventing these cybersecurity risks. Anyone dealing with visitors’ personal or financial information must follow each of the laws of their users’ governments. The United States, where online data security monitoring is regulated on the state level, features some rather limited data security laws. For instance, Massachusetts has a peculiar data security law that defines personally identifiable information (PII) as a person’s first and last name or first initial and last name in combination with the individual’s credit card number, bank account number, social security number, or driver’s license number. Meanwhile, it is not the possession of this information that is illegal, but rather the provision and abuse of it.

Meanwhile, for European users, all online companies must monitor and stay updated on the much more demanding GDPR, the General Data Protection Regulation, which asserts regulatory compliance of all data belonging to users living in the EU. A central cybersecurity theme of the regulatory compliance there is that users have to grant access to data explicitly rather than it being implied. In order for cookie notification activity to be enabled on users’ computers, a user must click to opt in. Furthermore, the website must have a cookie policy and link it for the user to be able to read in addition to a privacy policy. At any time, if a user wishes to have any of his or her information deleted from any online resource, he or she has the right to request the information be deleted and the website’s compliance will be required by law. 

To monitor that their information security practices are up to the standard in terms of preventing risk and unwanted access prevention, websites are highly recommended to use an SSL, a Secure Sockets Layer, which is a standard security technology for encrypting the link between the client and the server to protect from risk. Financial merchants are advised to only use e-mail services encrypted with an SSL and avoid storing user data except when absolutely necessary. No consent is assumed for users in this region and all boxes much be ticked independently and individually. All payment gateways’ and chat activity policies must cover the GDPR. In the event of a data leak or that the law is violated, a company can be fined up to 20 million euros or 4% of its yearly revenue. And if a user’s sensitive information becomes hacked, the company will be required to inform the user within 3 days.

One of the ways to ensure compliance is to know what data you store, where it is located and who uses it

The GDPR’s Influence in Cyber Security Monitoring
The GDPR has resonated globally for its strides in threat prevention and may serve as a role model for the rest of the world in terms of monitoring threats. California stepped up and passed a law of its own, the California Consumer Privacy Act, or the CCPA. Regulatory compliance requires that any user in California be informed of all the information a company is storing on them upon request in addition to the third parties it’s sharing access to it with in addition to the ability to sue them if their information privacy is violated, undue access is provided, or a threat comes to fruition. If a company is not in compliance with the CCPA and fails to properly ensure threat security, it will be fined $7,500 per instance.

The Card Data Security Standard PCI DSS
Despite the risk of financial scams and the growing threat posed to financial activities on the Internet, the Payment Security Report determined that 47.5% of organizations do not monitor compliance with all security standards to properly prevent threats. Owing to such concerns, financial service organization collaboration by Visa, Mastercard, JCB, Discover, and American Express has given rise to the payment card industry data security standard (PCI DSS), which is designed to monitor and enhance the security of payment card industry data as well as accelerate global adoption of uniform data security monitoring standards. In the event that a service provider or vendor’s compliance is insufficient, it bears the risk of a financial service organization or middleman no longer accepting card transactions with it as well as the risk of a fine. Compliance with the security standard PCI DSS is obligatory for any outfit that accepts online transactions (for card industry data security) to avoid threats. Organizations risk heftier financial service organization requirements according to their size and the number of customers it handles. Each payment brand has its own compliance program based on its own individual risk evaluation under the umbrella of the data security standard (PCI).

Data Security Standard (PCI) Measures
Thus, the data security standard (PCI) requires a range of activities to ensure privacy, ascertain that data are secure, and monitor threats. Companies are recommended to use a firewall to protect consumers’ payment card industry data and other sensitive data, keep their software and programs up to date and well maintained, encrypt credit card payments, stay on guard for vulnerabilities as the industry data security standard indicates, restrict physical access to cardholder data, assign a number to visiting users, install software to detect and erase threats, and test their networks regularly. There are auditing services available that can audit one’s compliance with the industry data security standard and the necessity to submit a card industry data security audit from an qualified security assessor, who can conduct threat vulnerability and DSS threat penetration testing as well as insider threat vulnerability detection. If the company passes these tests successfully, the accredited audit organization will issue a formal DSS confirmation of whether the PCI DSS is in full compliance.

Threat Detection and Preventing Data Loss 
As much of a risk as cyber criminal activity poses and as justified are our efforts are to detect trojan horse attacks, detect SQL injection attacks, detect eavesdropping attacks, detect cyber crimeware attacks, detect cyber birthday attacks, detect virus attacks, detect MITM attacks (man-in-the-middle attack detection), and detect cyber worm attacks, the truth is there is another risk in detection and data loss prevention which much be accounted for – that of the insider threat, particularly when it comes to the financial loss risks. In fact, the participation of an insider is precisely how the majority of revenue is lost in fraud situations, affecting half of companies on an annual basis nationwide. Often this happens because an employee was duped by social engineering activity – any form of a range of tactics used to trick an insider. These activities frequently take the form of impersonation of authoritative government agencies or positions like one of the company’s high up executives asking the employee to provide data or financial information. It can also be a social network asking the individual to log in or a fake copy of the company’s portal used to acquire the employee’s credentials. This risk can be mitigated by keeping sensitive data in an external hard drive as well as setting up an automatic data transmission filtering program based on the type of data that is transmitted. An external drive can also be used to back up sensitive data in the event that the internal data gets lost or destroyed. Since an external drive typically lasts 3-5 years, it’s recommended to back up the data on the external drive as well to prevent losing them.
Insider Risks: Protecting Yourself from Malicious Insiders

Of course, there are countless financial insider threat incidents in which opportunistic insiders with access to certain operations take advantage every year. Some employees give false financial data regarding spending and in fact pocket the money or use it for personal purchases. Not-for-profit organizations are notorious for insiders engaging in fraudulent activities who have access to or are responsible for monitoring donated funds.

Make sure suspicious activity isn't overlooked - launch automated investigation

Data Loss Prevention and Detection of Company Risks
Aside from financial incidents, an insider threat may also be a disgruntled insider who potentially attempts to sabotage the company. This may entail the threat of a data leak incident, the threat of the insider selling access to internal data, or the threat of an insider with profound access sabotaging its operations. A common way that a data loss incident or a sensitive data leak is prevented is by only providing insiders access to internal data based on role authorization, for instance, by only allowing insiders access to internal data or information on a need-to-know basis (specialized access) and keeping insiders as informed as possible on policy compliance and receiving statements from them that they understand and will comply with. A data non-disclosure agreement is a must for employees handling sensitive information. Another benefit of having an external drive is to prevent the threat that rogue insiders will have accidental access to the data on it and thus abuse it or leak it. Third-party threat detection and data loss prevention organizations offer services that research and analyze employee access, the most significant risks within a particular company, and the latest data and financial incident threats that a company’s internal system faces, including threats it will likely face in the future.

Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.