Safeguarding the security of your financial data
by AICM
Eugene Ostapenko, Head of Information Security at financial data and analytics provider illion
Are you playing catch up with your IT security? As the digital revolution marches on, managing data security has never been more important. Here, Eugene outlines five important steps to take towards better data security.
STEP 1: Begin with the end in mind
Any good IT security plan is built on a solid understanding of your operating environment, your customers’ needs and the data you manage. Once you’ve done your due diligence and have a good handle on these three areas, you can start to develop your plan – and don’t forget to include a realistic budget before seeking the necessary approvals.
In my own organisation, the customer lens quickly became one of the key drivers behind our information security strategy.
To reduce the effort and expense for customers, we invested heavily in obtaining a number of independent attestations and certifications confirming our strong security posture.
These include ISO 27001, SOC 2 Type 2, PCI DSS and IRAP. They are all independent, industry-recognised certifications that reduce the need for customers to undertake their own security audits and, where an audit is still required, greatly reduce the time customers need to spend on their own security assessments.
STEP 2: Make it easier for your customers
IT security is complex and difficult in any environment. In addition to improving internal protection, strive to make interactions with your customers as simple and safe as possible.
One effective way to do this is to invest in a self-service capability that gives prospective and current customers transparency into your information security posture. This should allow customers to actually see and evaluate your security implementation procedures.
For example, illion is planning a portal where our customers can register to get access to the most commonly asked questions about information security. In addition, we will enable access to the full versions of our reports for customers to download as we renew them.
STEP 3: Keep one step ahead
My team and I are continually monitoring information security threats. One of the prominent threats at the moment is credentials compromise, where malicious actors try to guess or steal a username and/or password.
A typical response to these attacks in the past has been to keep making passwords longer, adding special characters, and changing them frequently. These measures make access to our systems increasingly cumbersome while bringing only limited protection.
To find the right balance between ease of use and security, illion is now building a single sign-on capability for access to our products. In the near future, we will deploy technology that gives our customers the option to use the same username, password and token they use for their internal systems when accessing illion. This access will be controlled by their own technology and security teams, in line with agreed security policies.
STEP 4: Think carefully about your culture
You’ve no doubt heard the saying ‘culture eats strategy for breakfast’. While I’m not advocating that here, what I am saying is that it is important not to follow your plan blindly – you need a strong process in place to review even a good plan and ensure it’s still valid when the next raft of big changes comes along.
And of course, company culture is critical when it comes to building and maintaining a strong security culture. You are only as good as your weakest link.
If data and analytics is a key focus for your organisation, you may even want to consider building its protection into your company values and behaviours so your team can live it on a daily basis.
STEP 5: Think: what if?
Finally, always be prepared for security breaches. It’s a little bit like home safety – by putting locks on doors, your risk goes down, but there’s still a chance for people to get in – so you have to understand and be prepared to fight against new threats that may be emerging.
I often tell the story of a neighbour who had his push bike stolen. It was a $5000 bike, protected by a $30 chain that someone broke after jumping his fence. After that he realised the inadequacy of this protection, reassessed the value of his property – and the actual investment he needed to protect his asset. The bottom line is, if you have multi-million-dollar data assets, you have to have an appropriate budget to protect them – typically about 10% of your IT budget.