Article by Eugene Ostapenko, Chief Information Security Officer at illion.
As the digital revolution advances, data security management has never been more important. The loss or inaccuracy of financial data, in particular, can have a devastating effect on an individual or organization, so finance departments and IT security departments must maintain a strong working relationship. Here are my five important steps to take for better financial data security.
Step 1: Start with the end in mind
You must have a plan. Any good IT security plan is based on a solid understanding of the data you manage, your operating environment, your regulatory obligations and the needs of your customers. Once you’ve done your due diligence and are well-versed in these four areas, you can start building your plan — and don’t forget to include a realistic budget before seeking any necessary approvals. More on that later.
In my own organization, customer focus is one of the main drivers of our information security strategy. We listen to our customers to plan our security program and help them achieve their own security goals.
Step 2: Make it easy for your customers
IT security is complex and challenging in any environment. In addition to improving internal protection, strive to make interactions with your customers as easy and safe as possible.
One effective way to do this is to invest in a self-service capability to provide potential and current customers with transparency about your position on information security. This should allow customers to evaluate your security implementation procedures.
To reduce compliance efforts for customers, we have also invested heavily in obtaining a number of independent attestations and certifications confirming our strong security posture. These include ISO 27001, SOC 2 Type 2, PCI DSS and IRAP. These are all independent, industry-recognized certifications that will reduce the need to undertake security audits and, if required, significantly reduce the time your customers have to spend on their own security assessments.
Step 3: Stay ahead
My team and I are constantly monitoring information security threats. One of the biggest threats today is credential compromise, where malicious actors attempt to guess or steal passwords.
A typical response to these attacks in the past was to continue to lengthen passwords, add special characters, or change them frequently. These measures make access to our systems increasingly complex and provide limited protection.
To strike the right balance between ease of use and security, we launched a single sign-on feature. We may give customers the option of using the same username/password/token they use for their internal systems when accessing ours. This access can also be co-controlled by their own teams, easing the burden of compliance and making it easier to do business with us.
Step 4: Build security into your culture
My belief is that company culture is key when it comes to building and maintaining a strong security posture. Make security visible: speak regularly to your teams, be present at staff forums, send out security awareness newsletters and collaborate around risks.
If data and its security are at the heart of your organization, you can even consider integrating its protection into the values and behaviors of your company, so that your team can live it every day.
Step 5: Think: what if?
Finally, always be prepared for security breaches. It’s a bit like home security – by putting locks on doors your risk decreases, but don’t put all your eggs in one basket! There’s always a chance of bad guys getting in – so you need to understand that and be prepared to deal with intruders.
I often tell the story of a neighbor who had his booster bike stolen. It was a $5,000 bike, protected by a $30 chain that someone broke after jumping his fence. After that, he realized that this protection was insufficient and reassessed the value of his property – realizing the larger investment he needed to make to protect his asset. The bottom line is that if you have multi-million dollar data assets, you need to have a thorough strategy to protect them and an appropriate budget to match. Generally, between 10% and 15% of your IT budget is a common norm.