Due to the nature of its work, the investment banking industry is an attractive target for cybercriminals looking to steal sensitive customer data and to gain valuable information on business negotiations such as mergers and acquisitions. It is also a sector particularly prone to insider threats due to the high risk of insider trading.
Investment banks are primarily known as intermediaries between corporations and the financial markets. They help their corporate clients issue shares of stock in an initial public offering (IPO), arrange debt financing for them, and facilitate mergers and acquisitions. They also cater to the investment needs of high-net-worth individuals and often include retail banking and trading divisions. They have access to highly sensitive and valuable financial and corporate information and collect large amounts of personally identifiable information (PII).
The banking and financial services industry is a highly targeted sector year after year. It also comes with the second-highest cost per data breach of any industry: $5.85 million, well above the global average cost of $4.24 million per data breach.
This is the consequence of the highly valuable data that investment banks and financial services stand to lose, and of the heavily regulated nature of the financial sector.
How can investment banks strengthen data security?
Investment banks have long recognized the importance of data security to their sector, and many already have complex cybersecurity frameworks in place. These feature both basic security measures, such as the use of antivirus software and firewalls, and more complex policies for data access on a need-to-know basis, authentication, and encryption.
But what can investment banks do to strengthen data security and ensure their data protection strategy is a success? Here are our top tips.
1. Address internal threats
Insiders are one of the major vulnerabilities investment banks face. They can take the form of malicious insiders seeking to benefit financially from sensitive information they have access to or looking to take important client information with them when they move on to their next place of employment. They can also be careless insiders who may lose or make sensitive information public.
Many cybersecurity strategies focus on protection from outsider threats and fail to account for potential data loss resulting from insiders. Investment banks can address them by implementing Data Loss Prevention (DLP) solutions that focus on the direct protection of sensitive data rather than company networks or work devices.
Through them, investment banks can define what sensitive data means to them, monitor where and how it is being used and by whom, and control its transfer and use. DLP tools can identify sensitive data in hundreds of file types through contextual scanning and content inspection and block its transfer through unauthorized channels such as personal email addresses, file sharing, cloud services, and messaging apps. They also prevent individuals from using features such as copy-pasting and printing documents and files containing sensitive data.
2. Educate employees at all levels
Another significant risk faced by investment banks is phishing and social engineering attacks. Through them, cybercriminals target employees directly, trying to trick them into revealing credentials, downloading infected attachments, or accessing malicious links. When it comes to investment banks, top management with privileged access to confidential information is often the victim of social engineering attacks that manipulate individuals into exposing data and giving access to restricted systems through personalized interactions.
This is why investment banks must create security awareness programs that educate employees at all levels about how they may be targeted and what they need to do if they identify a potential attempt at phishing or social engineering. By raising awareness and vigilance, investment banks can minimize the chances of data leaks through such attacks.
3. Protect data on the move
Sensitive data does not always remain on the premises of a company office. Employees can take their work devices with them when they join important meetings off-site, attend conferences or events, or choose to work from home. Once a device is taken out of the office, it no longer has the same level of protection. This can pose a problem for overall data security, as many data protection policies are applied at the network level.
Investment banks need to ensure that data on the move is just as secure as it is within the company network. In fact, they are obligated to do so: most data protection laws and standards require that sensitive data be continually protected.
A way for investment banks to address this issue is to apply security solutions directly on the endpoint. Tools such as DLP solutions continue to apply data protection policies whether devices are connected to the company network, a public or home Wi-Fi network, or not connected to the internet at all, thus ensuring uninterrupted data protection.
Views expressed in this article are the personal opinion of Filip Cotfas, Channel Manager, CoSoSys.