Login
iscover
Financial institutions have a responsibility to keep tabs on customer information and move on from a “more is more” mentality.
Newsletter
How data hoarding magnifies the risk of a hack
14 April 2023
•
11 minute read
With 8 million drivers licence numbers stolen from Latitude Financial in its recent cyber breach, some people are having to request fresh documentation once, twice or even three times.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
The Latitude attack, in which a total of 14 million records were compromised, is yet further proof that all businesses, including financial institutions, need to reassess how they manage data. Far from being a one-off, the hack follows a string of high-profile data breaches last year which collectively pushed cyber security, data privacy and secure information management higher up the business and political agenda.
But it shouldn’t need incidents of this magnitude to take these issues seriously. Organisations everywhere should now be asking themselves, When is it my turn?
The fact these hacks keep making headlines, despite talk of stricter fines, regulation and legislation, shows how far businesses still have to go. Cyber attacks are inevitable, but widespread damage is not. The financial services industry, due to the nature of the data it collects and the regulations it must follow, must address data management proactively. This is the new reality: financial organisations have a responsibility to protect the data they hold and mitigate the impacts of attacks.
Stop hoarding
In financial services it can pay to have the right data. Accountants benefit from storing payroll information to enable automated and simple salary payments and payslip distribution; mortgage brokers benefit from having customers’ bank account details for setting up, ending or negotiating loans; and banks are regularly analysing financial transactions, buyer behaviours, identification documents and more to ensure they are delivering personalised customer experiences.
In these situations, the “more is more” mentality often roams free as businesses prioritise understanding their customers for the purpose of maintaining customer loyalty or generating sales.
From a security perspective, this is one of the most dangerous things businesses can do. Every piece of data is a liability if managed incorrectly, and businesses that recognise this upfront will be more secure and sustainable long term.
While having data and information is necessary to doing business, this does not mean businesses need to hold on to that data indefinitely. In fact, there is almost no excuse for hoarding data without a plan for how it is managed once it has served its purpose. Hoarding data for longer than necessary only increases the level of risk and security threats.
In the case of a breach, the impact – felt most heavily by consumers, who are increasingly unforgiving about these lapses – will be multiplied by the volume of data that is accessible. It does not take a sophisticated or experienced attacker to find ways to access a company’s entire system or data records. They only need to find one way to access one record, and the rest is history.
Know your data
Many executives follow the mantra of “know your business” from a sales, operational or people lens. It is time we introduced a data and information lens.
Every business needs to be treating every piece of data as having its own lifecycle. This should involve understanding what data you currently have and why you have it, how it will serve its purpose and for how long, and finally, what will happen to the data when it is no longer needed. These steps seem simple, yet most business leaders today would struggle to explain how much information they currently store and what percentage of that is genuinely required for the business to operate (it’s much less than you think).
Starting with a simple audit, businesses can quickly and easily understand where their greatest liabilities may be. It could be as straightforward as learning that the passport details of old customers are being stored unnecessarily, or that drivers licence details are being collected when the data is not required to serve those customers. The more unnecessary data that is identified, the faster a business can take appropriate measures to dispose of it securely and mitigate risk.
When data is identified and classified, businesses can then put processes in place to ensure more reliable and secure overall data governance. This means data is never left without a plan. Simple automation processes can play a significant role in reducing the security threats and risks of data. Whether it is using technology to identify and classify high-risk and high-value information or to destroy personally identifiable information after a certain number of years, businesses should have a schedule for the beginning, middle and end of their data lifecycle.
Unfortunately, Australian businesses continue to be a local and international target for attacks and human error continues to play a central role in data leaks and breaches. If there was limited data to be leaked or stolen in the first place, businesses would be much safer and consumers would feel more protected. Businesses cannot fail to recognise that effective data security and privacy is well within their reach, starting with a mindset shift from trying to reap as much data as possible, to having a clear plan and end-date for every piece of data.
Alyssa Blackburn is director of information management at AvePoint.
You need to be a member to post comments. Become a member for free today!
