Cultural shift needed to embed data security enforcement


A "significant cultural shift" is needed at many financial institutions to properly grasp data security, says Ed Powers, a partner at Deloitte's security and privacy practice.

Deloitte's 2010 Financial services global security study has shown a marked increase in awareness of the importance of data security in the financial services industry over the past 18 months, but suggests many institutions have yet to fully grasp the issue of safeguarding data.

"One of the areas in which there seems to be a major gap is the protection of paper-based data," says Powers. "Data that is resident in systems, but is then printed out and dealt with offline; most organisations don't have their arms around that yet."

Firms also need to be aware that their hardware can pose a risk, says one source. "Most photocopiers these days have a hard drive built in, and I don't think that occurs to people at a lot of firms when they're replacing stuff."

Powers says there is a lack of awareness at financial institutions that threats can be internal as well as external. "As you start to clamp down more on what people can do with data, including what they print out, take with them and how they can use it, that's really where a cultural change has to come into play," he says.

The study shows firms are beginning to look at the idea of data security in a more significant way, which is reflected in their information security budgets. There was a drop in the number of firms who consider "lack of significant budget" to be an obstacle to data protection, which demonstrates that, despite the downturn, firms continue to value the role that can be played by a well-developed information team.

"Spending in security and data protection during a dramatic downturn largely remained a priority," says Powers. "There was some degradation, but not a lot, especially in comparison to other areas that got cut. This has hit the radar screens of just about every organisation that we deal with, and the regulatory pressure is what has made this much more than just a security or a technology issue. Security is becoming an integral part of risk management."

Alex Ellerton, a principal at regulatory consultancy Bovill, argues the potential reputational impact of a data breach is the primary motive for ramping up security budgets. "Reputational risk is a bigger driver than regulation risk," he says. "At the moment it's all about confidence in the industry, you don't want to be a firm that loses out because of data security breaches."

Ellerton also argues that, while awareness has increased, it has not done so in a uniform manner across the industry. "There's a definite difference in terms of the big and small firms," he says. "Larger firms have probably thought more about things such as how they decommission computer hardware. The smaller firms haven't had to do it very often, or they haven't got the expertise in house. Small to medium-sized firms really need to think about issues like this more."

The more proactive banks need to consider going beyond compliance and embed data security awareness throughout the firm. "Part of the challenge is when you get beyond regulatory requirements," says Powers. "A significant cultural shift needs to occur around how firms think about their data, how they classify their data, how they protect their data and frankly what they allow their people to do, to better defend against threats."

 

 
