How to be a good data custodian

As mathematician Clive Humby famously put it, “Data is the new oil”. Across all areas of UK business, developments in technology are creating opportunities for cybercriminals, and the financial services sector offers a particularly lucrative target.

All firms have an ethical responsibility to protect customers’ data. Whatever their current position, taking steps to raise awareness of the importance of cyber security and using technology to transact with customers in a secure environment are key to being a better data custodian and to winning customers’ trust.

While bank robberies are becoming a thing of the past, cybercrime is an ever-growing risk for banks, building societies and other financial services firms. In 2018, the number of data breaches reported to the Financial Conduct Authority (FCA) by financial services firms increased by 480 per cent compared to the previous year. This may be partly explained by the introduction of GDPR legislation last May, which encourages organisations to be proactive in identifying and reporting cyberattacks. However, it also emphasises that cybercrime is a serious threat to the industry, and one that businesses need to address urgently.

In recent years, the growing prevalence of cloud computing and mobile devices has opened up new opportunities for cybercriminals looking to intercept and exploit confidential information, and these are likely to increase alongside developments in other emerging technologies such as cryptocurrencies. However, technological innovations can also provide financial services firms with valuable tools in the fight against cybercrime.

A common pitfall for organisations handling personal data is failing to conduct basic transactions with clients in a secure environment. Surprisingly, many large companies, including some high street lenders, still rely on unsecured email to exchange sensitive information, such as National Insurance numbers and bank account details, with their customers. In cybersecurity terms, this is akin to writing the information on a postcard and putting it in a post box, for anyone to see.

A client portal can offer an effective solution to this problem, providing a single, secure digital environment in which to communicate with customers and share sensitive information. By encrypting data and using other forms of online security such as certification, these systems can protect data that is ‘in transit’ (in the process of being sent) and data ‘at rest’ (which has arrived and is being stored on a disk), while giving customers a single access point for communication with advisors and other services.

However, it is important that firms do not view data security as purely an IT issue. To be truly effective in protecting customers’ data, they must also take steps to develop an awareness of cyber security across their whole workforce. A key part of this should focus on educating staff about exactly what constitutes personally identifiable information (PII) and encouraging employees to put themselves in a cybercriminal’s shoes, so they understand how easy it is to undermine data security. A good way to think about this is to consider what information would be most valuable to a cybercriminal, and what type of information most people would be comfortable writing on a postcard. It is also useful to think about combinations of data that could present a risk if they fell into the wrong hands. For example, displaying details such as a person’s date of birth alongside their children’s names or favourite football team on a company’s website or social media feeds could make it easier for a cybercriminal to access their personal data through a targeted attack (known as spear phishing).

A thorough and up-to-date knowledge of GDPR legislation, and clarity about each employee’s responsibilities as a data handler, are key to combating cybercrime. It is also important to put in place a comprehensive training programme for all levels of staff, with more in-depth content for those who deal with sensitive client and employee data. Lastly, enforcing policies around data-handling best practice and establishing effective control systems are necessary to ensure that staff are complying, and so that potential data breaches can be identified at an early stage.
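One concrete form the “effective control systems” above can take is an outbound-email check that flags the kind of PII the article names (National Insurance numbers and bank account details) before a message leaves over unsecured email, and redacts it so the customer is pointed to the secure portal instead. The following is an added illustration written for this page, not code from Menzies LLP or the authors. It assumes the published UK National Insurance number format (two letters, six digits, suffix A to D, with certain letters and prefixes never issued) and a six-digit sort code followed by an eight-digit account number; the exact exclusion lists should be checked against current HMRC guidance. The sample email is constructed and contains no real details.

```python
import re
from dataclasses import dataclass

# UK National Insurance number (assumed format): two letters, six digits, suffix A-D.
# First letter is never D, F, I, Q, U or V; second letter is additionally never O.
NINO_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]) ?(\d{2}) ?(\d{2}) ?(\d{2}) ?([A-D])\b",
    re.IGNORECASE,
)
# Prefixes that are never issued, so a match with one of these is not a real NI number.
INVALID_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

# Sort code (six digits, optionally split 12-34-56) followed within a few words by an
# eight-digit account number. Requiring both together avoids flagging dates like 01-02-24.
SORT_ACCOUNT_RE = re.compile(r"\b(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b[^\d\n]{0,20}\b(\d{8})\b")


@dataclass(frozen=True)
class Finding:
    kind: str   # which category of PII was found
    value: str  # the matched value, normalised for reporting
    line: int   # 1-based line number inside the message


def scan_text(text: str) -> list[Finding]:
    """Return every PII finding in the message, in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NINO_RE.finditer(line):
            if m.group(1).upper() in INVALID_PREFIXES:
                continue  # looks like an NI number but cannot be one
            findings.append(Finding("national_insurance_number", m.group(0), lineno))
        for m in SORT_ACCOUNT_RE.finditer(line):
            value = f"{m.group(1)}-{m.group(2)}-{m.group(3)} {m.group(4)}"
            findings.append(Finding("bank_account", value, lineno))
    return findings


def should_block(text: str) -> bool:
    """True if the message must not be sent over unsecured email."""
    return bool(scan_text(text))


def _redact_nino(m: re.Match) -> str:
    if m.group(1).upper() in INVALID_PREFIXES:
        return m.group(0)  # not a real NI number, leave it alone
    return "[NI NUMBER]"


def _redact_bank(m: re.Match) -> str:
    # Keep the connecting words, mask only the sort code and the account number.
    text = m.group(0)
    base = m.start(0)
    sort_end = m.end(3) - base
    acct_start, acct_end = m.start(4) - base, m.end(4) - base
    return "[SORT CODE]" + text[sort_end:acct_start] + "[ACCOUNT]" + text[acct_end:]


def redact_text(text: str) -> str:
    """Return the message with NI numbers and bank details replaced by placeholders."""
    text = NINO_RE.sub(_redact_nino, text)
    return SORT_ACCOUNT_RE.sub(_redact_bank, text)


# Constructed sample email; the NI number and bank details are made up.
SAMPLE_EMAIL = """\
Hi Sam, thanks for calling today.
To finish your application please confirm your NI number is AB 12 34 56 C
(constructed sample) and that we should pay into sort code 12-34-56, account 12345678.
Your case reference is ABC-2024-001.
Regards, Customer Services
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EMAIL):
        print(f"line {f.line}: {f.kind} -> {f.value}")
    if should_block(SAMPLE_EMAIL):
        print("Blocked: send via the secure client portal. Redacted copy:\n")
        print(redact_text(SAMPLE_EMAIL))
```

In practice this check sits in the mail gateway or a data loss prevention rule rather than on each desk, the redacted copy is what gets logged for the control system mentioned above, and a hit is the early-stage signal that a staff member needs the more in-depth training the article recommends. Pattern matching of this kind produces false positives and misses values written in unusual ways, so it complements, rather than replaces, the secure portal.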

Data security is high on the agenda for the majority of financial services firms, and many have an existing cybersecurity strategy in place. However, it’s important to remember that organisations can always do more. By viewing the battle against cybercrime as ongoing, and constantly looking for ways to bolster processes against potential attacks, firms can foster long-term, trusting client relationships and protect their reputations.

Mike Ayres is a senior manager and Kylie Grant is a project director at accountancy firm, Menzies LLP.

Author: Yash Hirani
