84% of financial services firms are not prepared for upcoming data protection reform
London - July 2016 - Figures released today by Egress Software Technologies, a leading provider of data security services, demonstrate an overwhelming number of CIOs from financial services firms are not prepared for the EU General Data Protection Regulation (GDPR). Financial firms operate across the EU member states and, despite Brexit, it is likely that they will still need to comply with the GDPR after it comes into effect on 25th May 2018. The ICO has also stated that it is intent on revising UK data protection law in the wake of Brexit and will probably still use the GDPR as the new data standard. Worryingly, however, 84% of financial services organisations surveyed admitted their current data protection policies and procedures would leave them exposed under the new regulation. Despite 74% saying they intend to tighten up data sharing processes as a result, the majority are frustrated that even when technology such as encryption is made available to enable secure ways of working, employees aren’t using them.
Summary of key findings:
- 84% admitted the EU GDPR would leave them exposed
- 74% subsequently acknowledged they would implement encryption to secure data sharing processes
- Only 16% of boards in financial services firms are prioritising accidental breach, with 42% emphasising external hackers and 30% malicious insiders
- 84% stated they prioritised products based on perceived ease of deployment, rather than their ability to secure data
- 78% are frustrated that even when encryption tools are provided, employees avoid using them; with 85% acknowledging this leaves them at greater risk of a data breach
Financial businesses know they are exposed
The recently ratified EU GDPR legislation, due to come into effect in 2018, will include a mandatory notification clause – forcing companies to report data breaches within 72 hours. On top of the added compliance burden, companies will face heavy financial penalties of up to €20m or 4% of annual worldwide turnover, whichever is greater. Despite this, however, only 16% of financial services organisations have confidence in their current data security processes and procedures. While 74% intend to shore up defences to close the gap, the research shows priorities are out of step with the realities of risk.
The fact that high-profile cyber-attacks – from the JP Morgan hack in 2015, to the Bangladesh bank malware attack in April 2016 – are widely reported has the potential to skew board-level security priorities. As a result, it is unsurprising that 42% of respondents felt that external hackers were the biggest information security priority for their board when protecting customer data; only 16% cited human error. However, research shows that people’s mistakes account for 93% of data breaches. In fact, stats from the Information Commissioner's Office (ICO) show that almost one-fifth of data breaches in the financial services sector are solely caused by emails being sent to the wrong recipient. This suggests a disconnect between boards’ priorities and reality when it comes to protecting customer data.
Egress CEO Tony Pepper comments: “Information security in the financial services sector is no easy task – organisations need to simultaneously protect intellectual property, act as custodians for extremely sensitive customer data and constantly adhere to strict regulations. The news of Brexit will not change this: it is likely that organisations will still be subject to EU regulation for some time until the official leave date, while the ICO may prefer to retain the GDPR as the UK’s rigorous data protection standard rather than creating an entirely new one from scratch. While it is critical for firms to have strong defences to stop external hackers, this should not come at the expense of protecting against the very real threat posed by human error. By enforcing mandatory reporting of data breaches, the GDPR is going to shine a light on many misdemeanours that might have otherwise been brushed under the carpet, so it could prove very costly if organisations don’t act now and reorganise their priorities.”
Encryption not being given enough airtime
While 74% of those surveyed claim to have plans to deploy encryption and shore up their information security practices in response to the GDPR, subsequent findings leave these ambitions open to doubt.
Other barriers to adoption noted by respondents range from worries about helpdesk pressure, through to a belief that it will cause disruptions to productivity, and concerns over integration, usability and scalability. Furthermore, 78% of CIOs are frustrated that users avoid the tools provided to share information securely, with 85% believing this lack of cooperation from users is increasing their risk of data breach.
Pepper concludes: “Banking and financial services organisations operate within a broad network of trusted advisors and providers, sharing data regularly yet lacking the means to secure these communications. While many banks have Transport Layer Security (TLS) encryption in place, this requires a very specific, and often time-consuming, set-up between organisations – and in cases where this doesn’t exist, emails are often sent in clear text. In addition, TLS doesn’t offer the same levels of control and auditing as other solutions, and therefore can’t protect against an employee sending an email to the wrong recipient.
“With the GDPR around the corner, organisations need to move from talk to action when it comes to secure information sharing. Encryption solutions can offer simple deployment – for example through single sign-on via ADFS or SAML2 – and are incredibly easy for staff to use by integrating with their existing email client and auto-encrypting sensitive information at the gateway to reduce the impact of human error. As a result, excuses about helpdesk or user frustrations will not wash when the regulators come to call. Without end-to-end protection and secure policies for all confidential communications, firms are left exposed to the possibility of a data breach that will have a quantifiable impact on reputation, as well as substantial fines. This should be enough to force boards to take notice of the importance of information security, and take the right action.”
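The per-organisation TLS set-up referred to above, and the clear-text fallback that occurs when it is absent, can be made concrete with a mail gateway configuration. The following Postfix fragment is an added illustration, not material from Egress or from the survey; the partner domain names, file paths and the choice of security levels are assumptions made for the example.

```ini
# --- /etc/postfix/main.cf (excerpt; assumed paths and domains) ---

# Default for all outbound mail: opportunistic TLS. If the receiving
# server offers STARTTLS the session is encrypted, but if it does not,
# Postfix delivers in clear text. This is the fallback the quote warns about.
smtp_tls_security_level = may

# CA bundle used to verify partner certificates at the "secure" level
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log one summary line per delivery stating whether TLS was used and
# whether the peer certificate was trusted. These lines are the evidence
# an auditor needs to find messages that went out unencrypted.
smtp_tls_loglevel = 1

# Per-destination overrides: the explicit agreement between organisations
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (assumed partner domains) ---
# Format: <next-hop domain>  <security level> [attributes]
#
# "secure": TLS is mandatory AND the certificate must chain to a trusted
#           CA and match the listed name; otherwise the message is deferred,
#           never sent in clear text.
# partner-bank.example   secure match=.partner-bank.example
#
# "encrypt": TLS is mandatory but the certificate is not verified; still
#            never falls back to clear text.
# advisor.example        encrypt
#
# Rebuild the lookup table after editing:  postmap /etc/postfix/tls_policy
```

With `smtp_tls_security_level = may` and no matching policy entry, a recipient domain whose server does not offer STARTTLS receives the message unencrypted, and only the `smtp_tls_loglevel` output records that this happened. Listing each trusted counterparty in `tls_policy` is the "specific set-up between organisations" the quote describes: it turns an implicit hope into an enforced, auditable rule, while the log lines give a detection point for clear-text delivery to anyone not yet on the list. As the quote also notes, this protects only the transport; it does nothing about a correctly encrypted message addressed to the wrong recipient, which is the gap that content classification and gateway-level encryption are meant to cover.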
For press enquiries, please contact Spark Communications:
Tel: +44 (0) 20 7436 0420
For more information about Egress Software Technologies, please contact Rebecca Bailey – Marketing and Communications:
Tel: +44 (0) 207 624 8500
About Egress Software Technologies
Egress Software Technologies is the leading provider of data security services designed to protect shared information throughout its lifecycle.
Offering Public Sector and Enterprise customers a portfolio of complementary services, the Egress Switch platform enables end-users to share and collaborate securely, while reducing the risk of loss and maintaining compliance. These award-winning integrated services include email and document classification, email and file encryption, secure managed file transfer, and secure online collaboration.
Certified by UK Government, Switch offers a seamless user experience, powerful real-time auditing and patented information rights management, all accessible using a single global identity.