Contributed by Imperva
Author: Grainne McKeever – Senior Product Marketing Manager;
Co-Author: Bruce Lynch – Product and Content Marketing Manager

A data breach can be devastating, everyone would agree. But clearly, whatever many organizations are doing today to protect their data is not working as evidenced by the extraordinary number of public breach disclosures.

According to Gartner, there are two types of companies in the world.  Those that have been breached – and those that don’t know it yet. Attacks are escalating at an unprecedented rate. Imperva Research Labs (www.imperva.com) predicts that in 2021, the number of breaches will reach 1,500 with up to 40 billion records compromised. In fact, Imperva recently reported in January 2021 that more than 870 million records were compromised — more than the total number of compromised records for all of 2017.

Today, explosions in both the volume and complexity of data due to increased usage of online banking, automated trading and the wider digital transformation across the sector creates a constant challenge for financial services organizations. There are many more ways to access data which expands the threat surface and makes it much harder to secure.  As data architecture evolves to respond to the speed of change, security is left behind.

Attacks are Escalating

Different industries have tried different programs to combat the growing problem of keeping data secure. Financial services organizations typically invest more than other industries on security personnel, technologies and other related security requirements, and yet they continue to fall victim to cyber attacks. So what more can they do to avoid a data breach?

Too many database administrators or security teams feel that if they activate built-in security controls, native logging and encryption on a sensitive database, they’ve established adequate security. But if that were the answer, why are we still seeing so many failures?

Good data protection requires a great deal of work. First, security teams must have a coordinated strategy in place to find the data, classify it, identify personal data, and implement policy, monitor, and report. Not only in structured data, but also unstructured and semi-structured data stores – some in the cloud, others on-premise. There’s just a lot to do with little time and resources.

Financial Services organizations manage a high volume of sensitive data which presents simultaneous compliance and security challenges. Data compliance and security share a common goal of reducing risk. But this becomes even harder in more complex, modern architectures. While APIs and other technologies create efficiency and benefits for financial organizations and their customers, they also expand the paths of access for attackers who want to get their hands on sensitive data.

Data Security Challenges

A security breach, when regulated data is involved, is doubly damaging due to downstream regulatory impacts such as fines and litigation. And while implementing authentication, authorization controls and encryption are necessary first steps and mandatory for many regulations. As far as data security is concerned they are only the tip of the iceberg. While complying with the increasing demands of regulation will reduce the likelihood of a breach, it does not fully safeguard your business. Breaches still happen. Attackers are using more creative and sophisticated tactics to circumvent perimeter security and, as a result, are increasingly able to compromise accounts and access your data. The key thing to remember here is that compliance does not equal security.

And on the flip-side, built-in security processes are not sufficient to deliver verifiable compliance, which is a perpetual process that consumes significant amounts of time and resources. To comply with regulations and secure data, separation of audit duties from database management is required. In other words, the database administrator should not be responsible for database logs.

As an example, security measures such as authentication will not prevent attacks by compromised software or user mistakes in the same way that authorization controls cannot determine if data access is violating policy, or whether a breach is in process.

In fact, even if you were to use all the built-in data controls together, including encryption, you would still not be able to protect against the risk of a data breach due to a malicious insider or compromised user account by someone with legitimate access — as witnessed in recent history.

Other examples of data-related security risks that cannot be prevented by built-in controls include: database complexity, data storage in the cloud, leniency of entitlements, malicious insiders, compromised accounts and human error.

Implementing data security at scale is also a challenge. Even if internal controls were enough, implementing them effectively on an enterprise-wide scale is a difficult task without the help of automation and technologies such as machine learning.  There is simply too much data, too much complexity and too many ways for things to go wrong. The shortage of skilled data security experts adds to the challenge.

Financial Services organizations require a unified, data-centric approach for data protection which takes the following factors into account:

  • Enterprise-wide visibility and tools
  • User rights management and separation of duties
  • Compliance validation processes (auditing and reporting)
  • Vulnerability management and securing all paths to data
  • Active monitoring and proactive breach avoidance
  • Rapid response and resolution across functions and departments

As Financial Services as an industry grows more digitized security becomes much more than simply cost reduction and compliance. To fully protect your organization and your critical data from a breach a data-centric approach must be adopted by implementing security measures for all data and at every path to that data and on which the data travels, with no exceptions.

 

About Imperva

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it. Customers around the world trust Imperva to protect their applications, data and websites from cyber attacks. With an integrated approach combining edge, application security and data security, Imperva protects companies through all stages of their digital journey. Imperva Research Labs and our global intelligence community enable Imperva to stay ahead of the threat landscape and seamlessly integrate the latest security, privacy and compliance expertise into our solutions.

To learn more about Imperva cyber security solutions for financial services, visit:

imperva.com/go/financialservices