In a world where the safety of customer data is increasingly important, our cybersecurity systems and practices must be capable of safeguarding sensitive information.
Modern organisations, particularly those in the FSI sector with large amounts of customer information to protect in addition to their own, require a secure platform that helps reduce business risks related to fraud, malicious hacking and unintentional data loss, and that maintains compliance with new and evolving data protection and privacy laws.
Data is a pervasive asset that crosses traditional corporate boundaries now that the cloud is embedded in our everyday processes. With rapid growth in data security and privacy laws such as the local Notifiable Data Breaches (NDB) scheme and the EU’s General Data Protection Regulation (GDPR), data residency (where data is stored) and end-user access have to be managed more closely.
In this blog, we cover how SMBs in the finance sector can leverage the many security benefits with Microsoft Azure and the capabilities of native cloud office suites such as Microsoft 365 and Office 365 to meet local regulatory changes and keep data secure.
“Finance and health were the top industry sectors to report data breaches.”
NDB Scheme 12-month Insights Report, Office of the Australian Information Commissioner (OAIC)
According to the Notifiable Data Breaches Scheme’s 12-month Insights Report, there were 964 reported data breaches under the NDB scheme from 1 April 2018 to 31 March 2019.
Alarmingly, the financial services sector accounts for 14% of that number, the second highest for reporting breaches, with healthcare and legal services rounding out the top 3 Australian sectors suffering the most breaches.
FSI, healthcare and legal sectors naturally have a higher level of data compliance and regulations to adhere to, owing to the nature of their industries.
With so much personal information about their customers stored in their systems, malicious threats, unintentional data loss and overall business risk are significantly higher, which is why it’s key to always be protected with the latest digital solutions that ensure always-on protection and simultaneously make management and security of our customers’ data much easier.
As a general law and mandate, companies can’t afford to hide, turn a blind eye or simply not be aware of data breaches anymore now that the NDB scheme has been enforced for over a year.
Now that it’s mandatory to notify the Australian government and impacted customers of breaches, if your business reports a breach it’s likely your customers will have less confidence in your organisation’s ability to safeguard their information. Why face such unnecessary risk?
We’ve highlighted the key insights from the NDB report. For a full picture of breach risks in 2019, click on the image below:
Why it’s important to prevent risk of data breaches with the cloud
The NDB scheme does not publish details about which organisations have reported eligible data breaches. However, there has been increased interest from both the media and the public in more transparent reporting of data breaches since the introduction of the NDB, and with it, a growing awareness of and demand for increased privacy rights, data security and proactive protection from customers.
As such, many businesses that have experienced a data breach have been in the public eye since the publishing of the NDB’s first report, and for all the wrong reasons.
It’s more vital than ever to bolster your cybersecurity capabilities to avoid unnecessary data breaches and unintentional data loss, ensure customers’ data remains secure, and meet increasingly strict compliance and regulatory requirements.
If you’re on the Microsoft cloud, there are several in-built features, tools and services within the Microsoft 365 and Office 365 ecosystems that can be leveraged immediately, and with relative ease, to begin safeguarding your customers’ data with more robust capabilities.
Not sure about these cybersecurity tools? We break down the top 3 M365 features you need to start using now, if you aren’t already.
#1 – Advanced Threat Protection (ATP)
Microsoft’s Advanced Threat Protection (ATP) in Microsoft 365 is an in-built feature of the software suite that prevents malicious attachments, links and phishing attempts from reaching email inboxes in the first place. ATP verifies each and every link in a virtual environment separate to your own and only lets verified emails through to end-users, minimising risk.
ATP also has several tools and policies for admins to leverage, including:
- Automated investigation and response: Use advanced alerts and triggers to set up security workflows for incident response, and leverage included security playbooks (back-end policies) with best practices and recommendations that launch automatically when an alert is triggered.
- Real-time reports: View advanced reporting dashboards that monitor the performance of your ATP, which are accessed in the Microsoft 365 Security & Compliance Center, and gain better insights into imminent or potential threats. The dashboards are cleanly organised and make it easy for non-technical users and admins to get a detailed overview of data security at a glance.
- Threat simulation: You can use ATP to simulate threats for better identification and prevention.
A staggering 60% of all data breaches were malicious or criminal cyber attacks, according to the NDB’s 12-month report.
The typical source of this form of ransomware is unverified attachments and unsafe links sent to corporate emails; once these are clicked on, hackers use phishing techniques and zero-day malware to instigate their attacks and gain access to sensitive data. While these sorts of emails may seem easy to spot, these threats are becoming more sophisticated by the day, and it’s hard to expect all end-users to be able to spot them.
This is the role that ATP fills, and it is an essential add-on that should be leveraged to the fullest if your company is already highly familiar with and reliant on Microsoft 365 for workplace processes.
#2 – Data Loss Prevention (DLP)
When it comes to protecting our customers’ data, we need to safeguard against internal error. In the Finance sector, an alarming 41% of all data breaches were due to human error, compared to the average of 35% for all sectors.
Whether it’s leaked emails or sensitive information incorrectly accessed, it’s important to remember that data breaches can occur from the inside as well as via external threats.
Microsoft 365 Data Loss Prevention (DLP) is an in-built policy and security feature of the Microsoft 365 Security and Compliance Center and Exchange which helps businesses secure their corporate (and customer) data and ensure proper access, restrictions and governance are set.
While many companies have Microsoft 365, MODEX has spoken with many customers who remain unfamiliar or otherwise underutilise the capabilities of M365 DLP readily available to them.
System administrators can use the straightforward tool (with plenty of supporting walkthrough documentation) to define policies that automatically classify data under specific categories (customer, confidential, highly sensitive), limit certain data from being shared via email or messaging applications, set up notifications for users when policies are potentially about to be violated and, most importantly, set a user’s access to data based on their set permissions.
Policies created in DLP are made up of locations, conditions and actions, which ensure data is protected where it’s stored, that the criteria for its protection are enforced, and that actions are automated when data matching the set criteria is found.
M365 DLP also auto-detects your data based on keywords your admin team sets to identify and categorise data within the right policies.
All of these policies cover the entire Microsoft 365 application suite and services, including:
- OneDrive for Business
- SharePoint Online
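The locations, conditions and actions structure described above, shown as an added example (not MODEX's or Microsoft's own script) using the Security & Compliance PowerShell cmdlets. The policy name, rule name and admin account are placeholders, and the policy is created in test mode so nothing is blocked until the results have been reviewed.

```powershell
# Added example. Names and the admin UPN are constructed placeholders.
# Requires the ExchangeOnlineManagement module and a role that can manage DLP.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# LOCATIONS: where the policy applies (the two services listed above).
# TestWithNotifications evaluates content and shows policy tips
# without enforcing the block, so false positives surface first.
$policy = @{
    Name               = 'FSI-Customer-Card-Data'   # placeholder
    Comment            = 'Card numbers shared outside the organisation'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# CONDITIONS: content holds at least one credit card number (a built-in
# sensitive information type) AND is shared with people outside the tenant.
# ACTIONS: block access, show the owner a policy tip, send an incident report.
$rule = @{
    Name                                = 'Block-External-Card-Sharing'  # placeholder
    Policy                              = $policy.Name
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    AccessScope                         = 'NotInOrganization'
    BlockAccess                         = $true
    NotifyUser                          = 'Owner'
    NotifyPolicyTipCustomText           = 'This file contains card data and cannot be shared externally.'
    GenerateIncidentReport              = 'SiteAdmin'
}
New-DlpComplianceRule @rule

# Confirm what was created before moving beyond test mode.
Get-DlpCompliancePolicy -Identity $policy.Name | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policy.Name |
    Format-List Name, AccessScope, BlockAccess, NotifyUser
```

Once the test-mode matches look right, `Set-DlpCompliancePolicy -Identity 'FSI-Customer-Card-Data' -Mode Enable` turns enforcement on.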
As an in-built tool in Microsoft 365, DLP is key to safeguarding your business against unintentional internal data leaks of sensitive customer and corporate information. If you’re on M365, there’s no reason not to use it if you want better security and data protection standards going forward.
#3 – Azure Information Protection Documentation
Sharing data externally is fraught with potential danger and risks when not managed or monitored properly. Overall, 86% of notifications in the NDB 12-month insight report involved contact information disclosure, showing we have plenty to improve upon in the future.
Azure Information Protection Documentation (AIPD) is a cloud-based solution available to businesses using Microsoft Azure and Microsoft 365 (and included in M365 for Business). It allows organisations to classify documents and emails by defining and applying labels, and to secure sensitive data shared with outside contacts. These labels automatically enforce the conditions and rules by which users can share certain data, and provide alerts and recommendations to users (via automatic detection) if they are sharing sensitive data.
For example, if one of your users is sharing a document with sensitive data (such as credit card details), your organisation’s label will appear at the top to inform the user of the label. The user can then classify the document under this label and track and control how it is used in the future.
Azure Rights Management (RMS) is the technology that protects information under AIPD labels and is integrated with all other Microsoft cloud applications and services like Microsoft 365. It uses inbuilt encryption, identity and authorisation policies to keep control of data, and ensure access is only granted to those that should have it.
Because classification is easy and labels and permissions are straightforward, taking advantage of data protection with Azure Information Protection is highly recommended, and it works no matter where the data is stored or who it’s shared with.
Protecting your data with Microsoft 365: Next steps
The once-common misconception that the cloud isn’t safe has long since faded away with the ever-evolving capabilities of Microsoft 365 and Office 365 apps and features.
It’s clear there are plenty of tools available that SMBs, particularly in the FSI sector, need to start leveraging if they’re not already, but sometimes you need a partner with the expertise and knowledge of the ins and outs of each feature set to help keep your organisation compliant and secure.
Need help getting these data protection and data security features set up? MODEX is an advanced security specialist in Microsoft 365 and Office 365, and can help guide you through the process of adopting, implementing and deploying these security and compliance features following best practice; contact us for a free consultation and security assessment today.