In its business agenda for 2016-2017, the Financial Conduct Authority (FCA), the financial regulatory body in the United Kingdom, acknowledges that: ‘data hacking and cyber terrorism are on the increase and pose a huge hurdle to markets and consumers.’
In the digital era, financial institutions are heavily reliant on technology to communicate and engage with their customers, manage assets and balance sheets, confirm transactions and meet regulatory reporting requirements. Chief executives and regulators alike are now focusing on the resilience of their firms’ technology infrastructure, which is no longer the exclusive domain of the IT department.
High-profile incidents that have affected industries and individuals worldwide, such as the Home Depot, Target and Ashley Madison breaches and the Panama Papers leak, have placed data breaches firmly on the front pages of every national daily. In some cases, data leaks are initiated by whistle-blowers or activists; of greater concern are those carried out by criminals and cyber terrorists who understand that confidential data, financial information and personal identities can be traded or sold as a commodity. Exposure to data breaches is regarded as most critical in the financial, banking, capital markets and insurance sectors.
In 2015 alone, over 90% of large companies reported data security breaches, and the cost of cybercrime to the UK economy was estimated at over £25 billion. Given the potential impact of a breach on their businesses, it is unsurprising that over half of the large companies surveyed in a recent study have created the position of chief information security officer.
Across the world, digital data security and the protection of online assets have become a vital element of any organisation’s strategic management controls. An organisation’s IT infrastructure is only as strong as its weakest link. A documented security strategy therefore needs to take a holistic view of the infrastructure, the office environment and the external and internal interfaces, and to cover every identifiable vulnerability.
In addition, it is imperative that organisations maintain an effective incident response plan that can be activated as quickly as possible in the event of a data or security breach. Experience shows that the first 18 to 24 hours are critical in limiting the overall damage. An organisation that has experienced a data breach should:
- Immediately activate its cyber/data breach response plan;
- Record the date and time the breach was detected and alert the response team;
- Secure the infrastructure around the environment in which the breach occurred;
- Take the affected machines off the network (where applicable);
- Review company policies on the sharing of data;
- Keep a log of everything learned about the breach.
As stated above, it is important that every firm has a robust written data security policy. Beyond ensuring that the policy is actually followed, the organisation must also put in place strong access controls, defined backup and storage procedures, and business continuity procedures.
In addition, every organisation must address several further elements: a code of conduct for employees and contractors, robust asset management guidelines, supply chain controls covering third parties and vendors, incident management strategies, and regulatory reporting requirements.