Data represents both a huge opportunity and a significant risk for companies in the financial services industry. On the one hand, data sharing and analytics can help organizations uncover a wide array of insights that can offer market differentiation, such
as customer preferences and intent, marketing opportunities and motivation for more efficient business processes. Additionally, sharing and combining protected data with other financial service providers in data pooling activities can uncover learnings from
which the entire industry can benefit.
However, data sharing drastically increases the risk of intentional and unintentional data breaches, widening the organization’s attack surface and potentially placing the organization out of compliance. It is quite the conundrum: You cannot afford not to
share data in today’s business environment, but doing so only increases the possibility of exposing data.
The good news is that data protection and security capabilities have evolved quickly to enable a ‘need-to-share’ environment. In fact, Gartner notes that
30% of enterprises will use need-to-share protection methods by 2025. Let’s take a closer look at how financial services companies can maximize data ROI while reducing the risk of exposure.
Address data hygiene
Financial services companies frequently have vast swaths of data stored across multiple departments. Eliminating non-essential redundant data shrinks an organization’s attack surface and reduces the opportunities for cybercriminals to access it. Doing so
also reduces the data you must protect before sharing. It is also important to note that redundant data may have varying degrees of accuracy, so eliminating multiple sets of conflicting data will also make your data analytics more insightful. Think ‘garbage
in, garbage out.’
Determine data value, risk and access
As with any initiative, the effort you put in at the front end is easier than addressing it in midstream — and it reduces risk significantly. And in the financial services industry, reducing risk is a rule engraved in stone. So, with every new piece of data,
it is necessary to identify its value and protect it accordingly. The protection mechanism chosen is dependent on its downstream use.
If data is sharable, determine its risk factor. What would be the worst-case scenario if this data fell into the wrong hands? This leads us to another important question: Who can access the data? That’s because the ‘wrong hands’ do not necessarily belong
to cybercriminals. Studies have shown that human error is behind the vast majority of data breaches. As a result, only a select few should ever have access to, or the ability to share, a financial service company’s data. Further, it is critical to continually
update and audit that list to ensure access restriction is as up-to-date as possible.
During this discovery period, the following protection methods should be used before sharing data, depending on its downstream use:
- Masking. If a piece of data has sensitive information, such as a Social Security number, and there is no reason to see it in the clear, masking should occur. As the name suggests, the data value is obfuscated and used for a fixed period (usually for compliance purposes) without ever compromising security.
- Tokenization. If data with sensitive information is to be utilized for test and development purposes, tokenization should be implemented. This method replaces data values with other characters in the same format, allowing sharing. The original values can be retrieved using de-tokenization, as long as an authorized entity accesses it.
- Encryption. If data with sensitive information is to be completely transformed, encryption is used with a key and a proven, safe algorithm such as AES. The encrypted information can only be decrypted if the key is available and the access is performed by an authorized entity.
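The difference between the first two methods is easiest to see side by side. The following is an added example, not code from the original article: the last-four masking policy, the `TokenVault` class, the caller name and the sample Social Security number are all assumptions made for illustration, and encryption is not shown.

```python
import secrets

def mask_ssn(ssn):
    """Masking: irreversibly hide every digit except the last four (assumed policy)."""
    total = sum(c.isdigit() for c in ssn)
    seen, out = 0, []
    for c in ssn:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)  # keep separators so the layout is unchanged
    return "".join(out)

class TokenVault:
    """Vault-based tokenization: random same-format tokens, mapping held only here."""

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if not any(c.isdigit() for c in value):
            raise ValueError("value contains no digits to tokenize")
        if value in self._to_token:  # same input, same token: joins in test data still work
            return self._to_token[value]
        while True:
            # Swap each digit for a random digit; separators stay, so the format survives.
            token = "".join(str(secrets.randbelow(10)) if c.isdigit() else c for c in value)
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token, caller):
        # Only an authorized entity may recover the original value.
        if caller not in self._authorized:
            raise PermissionError(f"{caller} is not authorized to de-tokenize")
        return self._to_value[token]

if __name__ == "__main__":
    ssn = "000-12-3456"  # constructed value; area number 000 is never issued
    vault = TokenVault({"compliance-svc"})  # hypothetical caller name
    token = vault.tokenize(ssn)
    print(mask_ssn(ssn), token, vault.detokenize(token, "compliance-svc"))
```

The masked value cannot be reversed by anyone, while the token can be shared with a test team and mapped back only through the vault.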
Security and protection methods for analytics and data sharing
As explained earlier, financial organizations must implement encryption to share data and reduce risk to its lowest level. Encryption converts plain text into unreadable cipher text, which can only be accessed by users with a key. With encryption, companies
can share the data within the organization, knowing that only the appropriate users will access the data. A new capability has started to emerge, with which it is possible to analyze encrypted data without decrypting it. Such Privacy Enhanced Computation (PEC)
techniques will revolutionize how sensitive data is shared and analyzed securely. And when participating in data pooling activities with other financial service providers to gain broad industry insight, users can rest assured that their data will always remain
protected.
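One technique in this family is additively homomorphic encryption, which lets a pooling party total encrypted figures it cannot read. The following is an added example, not from the original article: it uses the Paillier scheme with a fixed demo-size key, and the function names and the per-institution figures are constructed for illustration.

```python
import math
import secrets

# Demo-only key built from two well-known Mersenne primes. A real deployment uses a
# vetted library and randomly generated primes of at least 1024 bits each.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                      # public key
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)   # private key
MU = pow(LAM, -1, N)           # private key (valid because the generator is N + 1)

def encrypt(m):
    """Encrypt integer m under the public key; output is randomized."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    # (N + 1)^m mod N^2 equals 1 + m*N, so no large exponentiation is needed for it.
    return (1 + m * N) * pow(r, N, N2) % N2

def add_encrypted(c1, c2):
    """Multiplying ciphertexts adds the underlying plaintexts."""
    return c1 * c2 % N2

def decrypt(c):
    """Recover the plaintext; requires the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def pooled_total(ciphertexts):
    """What the pooling party runs: it holds only N and never sees a plaintext."""
    total = encrypt(0)
    for c in ciphertexts:
        total = add_encrypted(total, c)
    return total

if __name__ == "__main__":
    losses = [125_000, 98_500, 310_250]          # constructed per-institution figures
    submitted = [encrypt(x) for x in losses]     # each institution encrypts locally
    print(decrypt(pooled_total(submitted)))      # key holder learns only the sum
```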
Additionally, we see more financial service organizations using Bring Your Own Key (BYOK) technology to ensure greater security within cloud environments. This technology gives the user, instead of the cloud service provider, ownership of all encryption
keys — not even the provider can access the data.
Banks, credit card providers and other financial institutions must balance data protection and sharing to maintain a competitive advantage. While not an easy task, those who strategically employ the appropriate protection and security methods can reap all
the benefits data offers while reducing the risk of data breaches and non-compliance.