Back to basics on data security
By Eugene Ostapenko*
With a major data breach once again front and centre in the headlines, managing data security has never been more important for credit managers. The loss or inaccuracy of financial data, in particular, can have a devastating effect on an organisation or individual, so finance departments and IT security departments must have a strong working relationship.
Here are my five important steps to take towards better financial data security.
Step 1: Begin with the end in mind
You must have a plan. Any good IT security plan is built on a solid understanding of four things: the data you manage, your operating environment, your regulatory obligations and your customers’ needs. Once you’ve done your due diligence and have a good handle on these four areas, you can start to develop your plan – and don’t forget to include a realistic budget before seeking the necessary approvals. More on this later.
In my own organisation, the customer lens is one of the key drivers behind our information security strategy. We are constantly listening to our customers to plan our security program, and helping them to meet their own security objectives.
Step 2: Make it easier for your customers
IT security is complex and difficult in any environment. In addition to improving internal protection, strive to make interactions with your customers as simple and safe as possible.
One effective way to do this is to invest in a self-service capability that gives prospective and current customers transparency on your information security posture, so they can evaluate your security implementation and procedures for themselves.
To reduce the compliance effort for customers, we also invested heavily in obtaining a number of independent attestations and certifications confirming our security posture. These include ISO 27001, SOC 2 Type 2, PCI DSS and IRAP. All are independent, industry-recognised assessments that reduce the need for customers to undertake their own security audits and, where an audit is still required, greatly reduce the time they need to spend on it.
Step 3: Keep one step ahead
My team and I are continually monitoring information security threats. One of the prominent threats at the moment is credential compromise, where malicious actors try to guess or steal passwords.
A typical response to these attacks in the past has been to keep making passwords longer, adding special characters or forcing frequent changes. These measures make access to our systems increasingly complex while bringing limited protection.
To find the right balance between ease of use and security, we have launched a single sign-on capability. We can give customers the option to use the same username/password/token they use for their internal systems when accessing ours. This access can also be co-controlled by their own teams, thus easing the compliance burden and making it easier to do business with us.
Step 4: Build security into your culture
My strong view is that company culture is critical when it comes to building and maintaining a robust security posture. Make security visible: speak to your teams regularly, present at staff forums, send security awareness newsletters and be collaborative around risks.
If data and its security are the focus for your organisation, you may even want to consider building its protection into your company values and behaviours so your team can live it on a daily basis.
Step 5: Think: what if?
Finally, always be prepared for security breaches. It’s a little like home safety – putting locks on the doors lowers your risk, but don’t put all your eggs in one basket. There is still a chance that bad people will get in, so you have to accept this and be prepared to deal with intruders.
I often tell the story of a neighbour who had his push bike stolen. It was a $5000 bike, protected by a $30 chain that someone broke after jumping his fence. Afterwards, he realised how inadequate that protection was and reassessed the value of his property – and the deeper investment he needed to make to protect it. The bottom line is, if you have multi-million-dollar data assets, you need an in-depth strategy to protect them, and an appropriate budget to go with it. A security spend of between 10% and 15% of the IT budget is a common benchmark.
*Eugene Ostapenko, Head of Information Security, illion. E: eugene.ostapenko@illion.com.au T: 0421 000 155 www.illion.com.au
EDUCATION FOUNDATION
ABOUT THE FOUNDATION
In late 2018, the Board of Directors of the Australian Institute of Credit Management (AICM) proudly approved the establishment of the AICM Education Foundation.
The AICM Education Foundation has been established to provide financial assistance to credit professionals and students striving to continue their education. Funds are gathered from generous donations from the AICM and the credit community, as well as from fundraising activities and events run by the AICM and its supporters throughout the year, including but not limited to the annual AICM Conference.
The Education Foundation will also bolster the vision of the AICM to be the primary learning, knowledge and information source for credit professionals and support the AICM’s objective of providing opportunities for growth throughout their careers.
For more information on the foundation, to make a contribution or to register interest in supporting the Management Committee, contact the AICM National office (aicm@aicm.com.au or 1300 560 996).