Human Factor in Data Breaches in Financial Sector

There is a rapid increase in the usage of digital channels in the financial sector such as internet banking, digital wallets, mobile banking. This increase the exposure and thereby cyber-attacks causing financial and reputation losses to institutions.

Financial sector faces three times cyber-attacks compared to other sectors as per various published reports. With increasing risk of cyber threats, this sector is facing huge challenge of data breaches and therefore there is extreme need of strengthening their cyber security postures.

Data breaches (card data, Personal Identifiable Information etc.) causes exponential rise in the cost and stringent data privacy acts & loss of customers increases the impact further.

A data breach happens not only when data is lost or illegitimately accessed but also when it’s confidentiality/privacy or integrity is compromised.

Data loses its confidentiality when an unauthorized person view, alter or steal the information of customer. The integrity of the system is affected when data in the system is changed irresponsibly or with malicious intention.

Below are some examples that fall in data breach (confidentiality or integrity compromise) by the employees within institutions:

• Selling personal information of customers to marketers and third parties for monetary gain
• Mr. X’s relative in a bank views and provides banking details of Mr. Y to Mr. X thereby breaching confidentiality of Mr. Y data
• Mr. X’s residential address is not updated by an irresponsible employee and his account statement is sent on old address which is read by Mr. Y staying at that address thereby breaching confidentiality of data
• Exchanging a sum of money from another customer account to own account by altering data in the system

All above data breaches can be done by an employee with malicious intention or an employee’s negligence toward security giving opportunity to another insider or outsider to perform these acts.

Educate employees at all levels about cyber threats: cyber crime is not just the domain of the IT/ network security function. There are different types of cyber crime, from hacktivism to data theft, which affect different functions of the financial institution in varying ways. Contact for any query.

Below are the probable threat vectors associated with employees which must be made aware to avoid data and security breaches with due care.

1. Privilege Abuse -> Use of privileges for malicious or suspicious activities.

• Need to monitor the activities of privileged or super users closely to generate an alert upon suspicion.

2. Revealed or Stolen Credentials -> This can lead to compromised data, compromised systems, and people using your accounts without your knowledge.

• Use good, cryptic passwords that are difficult to guess
• Never share or reveal your passwords
• Use different passwords for work and non-work accounts.

3. Device Theft or Loss -> Theft of loss of Computers and laptops, portable electronic devices, electronic media containing sensitive data can lead to breach of confidentiality and subsequent repercussions.

• Always lock down workstations and laptops as a deterrent.
• Ensure proper physical security to laptops.
• Use extra security measures such as encryption.

4. Endpoint Malware -> Computers that are not protected with anti-malware software are vulnerable. Out-of-date anti-malware may not detect known malware, leaving your computer vulnerable to infection.

• Install anti-malware software and make sure it is always up-to-date.
• Don’t click on unknown or unexpected links or attachments as these can infect your computer.

 5. Vulnerable Systems and Applications -> Hackers can take advantage of vulnerabilities in operating systems (OS) and applications installed on the computers if they are not properly patched or updated.

• Make sure that operating System (OS) and application security patches are up-to-date.

6. Social Engineering -> It is a type of attack in which someone manipulates others into revealing the information that can be used to steal data, access system, money or identity theft.

• Limit the amount of information you share online.
• Never share password with anyone over phone.
• Always question the requests for sensitive information.

7. Forwarding sensitive information to incorrect recipients, publishing private data to public web servers can result in confidentiality breach.

• Exercise due care.