Cyber risk is a complicated and ever-growing challenge for financial services (FS) businesses. Having access to so much sensitive data makes the industry a consistent target for cybercriminals.
Hackers have known for a long time that exploiting human error is the best way to breach an IT system. They use social engineering (phishing) to prompt employees to accidentally disclose information, share login credentials, or deploy ransomware within their own systems.
However, it doesn’t always take an external threat to cause a data breach – insiders leaking data (intentionally or accidentally) via email is a serious problem within FS. One key thing remains the same as with phishing: human fallibility is still at the heart of the problem. Which means insider threat can only be tackled with intelligent data loss prevention (DLP) tools that understand human behaviour.
Email data loss within FS
Our 2021 Data Loss Prevention Report revealed some concerning statistics for IT leaders working within FS. We found that employees had been sending more emails than ever throughout the pandemic, and 85% of FS organisations have had sensitive data put at risk by email over a 12-month period. And it’s a rising trend. Out of the FS organisations we surveyed, 68% had experienced an increase in email data leaks since March 2020.
Increased digitalisation and remote working mean far more emails are being sent than pre-pandemic. Many FS organisations would prefer employees to access emails within physical offices for the sake of protecting data, but they’ve been forced to break these walls down in order to let business continue. Email is a difficult tool to lock down effectively. It’s often a balancing act between security and helping employees to work productively.
It’s easy to see how this leads to data loss when 60% of FS remote workers still work in domestic spaces with frequent distractions and interruptions, and almost half (41%) feel under pressure to reply to emails outside of work hours. We also weren’t surprised to learn that 73% of IT leaders within FS think flexible and remote working will make it more difficult to prevent leaks via email in the future.
In such a tightly regulated industry, this is a challenge that can’t be ignored.
Regulations and compliance
The FS regulatory landscape is a complex one and organisations need to be wary of the fines and penalties for non-compliance. There are a number of laws and regulations within the industry applying to retail banks, investment banks, payment providers, and capital markets such as the London Stock Exchange.
Most FS employees will be aware of GDPR, an EU law on data protection and privacy that has large fines for non-compliance. There are other regulations specific to the FS industry, such as PCI DSS (Payment Card Industry Data Security Standards), a global set of standards that govern how organizations handle credit card information. Another example is the BSA (Bank Secrecy Act), aimed to prevent organisations from being used to hide or launder money.
Among others, these standards are in place designed to secure sensitive data and information. In the UK, the rules for all financial firms and markets are regulated by the Financial Conduct Authority (FCA). All regulated FS firms need to have systems and controls in place to manage data-related risks and all data loss incidents need to be reported to the FCA – including data loss by email.
Falling foul of regulations due to a data breach can lead to large financial penalties – but that’s not the only impact organisations need to be concerned about.
The reputational impact of a breach
When data loss via email strikes, FS businesses also need to deal with reputational fallout and the potential loss of clients. FS organisations fight hard to build their reputations and earn the trust of customers – both consumers and high-net-worth individuals. Unfortunately, years of hard work can be undone when a data breach hits the headlines.
The ‘risk of a breach’ is a common phrase in modern business, but for many organisations that risk has already materialised. Out of the FS organisations we surveyed in our DLP Report, 47% had already suffered reputational damage as a direct result of an email data leak. This was significantly higher than other highly regulated sectors such as legal (32%) and healthcare (33%).
Clients are more switched-on than ever when it comes to who they can and can’t trust with their data. Out of our surveyed FS IT leaders, 68% had seen an increase in customers asking if they had email DLP in place. 39% of the FS organisations we spoke to had experienced client churn due to data loss via email, and 32% had even been threatened with litigation from a client.
So, how should FS organisations protect themselves?
Managing the risk of email data loss
IT leaders within FS are under pressure to stop data loss via email. However, it’s not traditionally been easy to stop employees making human mistakes or breaking the rules – especially when it comes to email. That’s why organisations are now turning to intelligent DLP solutions, otherwise known as ‘human layer security’.
Human layer security uses contextual machine learning to build a profile for every individual as they share data, so they can detect abnormal behaviours that deviate from ‘good’ security decisions and alert users to everyday mistakes as they’re happening. These tools offer context-driven prompts that are based on behaviour, only popping-up when a user has genuinely selected a wrong recipient, attached the wrong file, or forgotten to use Bcc.
This is invaluable for FS organisations where so much could be at stake from something as innocent as a misdirected email containing sensitive client data. Email data breaches can’t be treated as a problem for tomorrow when so many businesses are already feeling the impacts today. The reputational and financial costs of a breach are only going to get higher, so now is the time for FS organisations to protect themselves with Egress Intelligent Email Security.
Learn more at our upcoming webinar…
We’re welcoming Zsuzsanna Berenyi, Head of Cyber Security Awareness and Culture at the London Stock Exchange, as a guest speaker for a webinar on 6th May at 14:00 GMT.
Zsuzsanna will be sharing her views with Egress CEO Tony Pepper on the ‘human factor’ behind email data breaches and the impact they can have on FS firms, as well as the risk landscape for a future of flexible working.