With just 36% of Australians believing that their bank has their best interests at heart, it’s hard to dispute that, from a reputational perspective, the last two years have been some of the toughest in recent memory for the Australian Banking & Financial Services sector.
With a Royal Commission into the sector complete, and a number of high-profile data breaches prominently featuring in the newspapers – it’s no wonder the industry is facing a trust deficiency challenge. If you’re in lending, investment management, mortgage broking or insurance, by now it’s likely your team has been on the pointy end of client questions boiling down to the same message: “How can I trust you with my personal information?”
Wide-ranging factors across the industry have led to the current lack of consumer trust, with a major pain point being the looming (and often realised) threat of data modification or destruction, leaks, and other unauthorised exfiltration of sensitive business and customer information.
The last few years have seen our financial services providers fall victim to data breaches affecting millions of Australians, with everything from phone numbers and email addresses to medical data, sensitive documents, national identification numbers and credit card numbers being stolen, sold or otherwise lost, whether through negligence, external attacks, or sabotage by insiders. Gone are the days when cybersecurity was the sole concern of IT departments; it is now a company-wide business concern. Our worst failures result in trading halts, millions in losses and the scalps of senior executives and board directors.
When communicated well, the risks of sub-par cybersecurity should send chills up the spines of all executives in the Financial Services sector - but before we lose hope in the future, some context is important.
With digital transformation heralding the convergence of digital and physical entities, organisations are facing unprecedented pressure to unify systems, seamlessly integrate with a growing number of providers and produce real time outcomes – all in the pursuit of a positive customer experience and convenience.
To maintain competitiveness and reach people with the services they demand, at the time they want them and through their medium of choice, our Financial Institutions have engaged small armies of off-premises freelancers, agencies, remote workers and cross-functional staff all expected to closely collaborate in real time and share critical IP through a labyrinth of networks – no small ask.
But it goes beyond readjustments of our internal teams, extending to all players across the cybersecurity ecosystem. The 9.2 million smartphones that found their way into the hands of Australians in 2017 are only part of the picture: the influx of increasingly connected devices shows no sign of slowing, widening and diversifying an already vast attack surface. As the custodians of customer information, we must rise to the challenges brought on by these trends for the sake of both our customers and our organisations.
For those of us who are by now (fairly enough) asking where the regulators are in all of this, we should ask whether we really believe that satisfying a regulatory minimum is enough to keep our data safe. Avoiding difficult conversations with a regulator is a powerful incentive to keep ticking boxes for the compliance department. But with governments struggling to keep pace with the digital environment globally, this short-sighted approach is far from a guarantee that information will remain protected, and it misses a huge opportunity for us to promote, from within our own sphere of influence, the culture of trust the industry has been sorely lacking.
Quite simply, being compliant does not necessarily mean having a robust security posture that is aligned to the business.
Delivering customer convenience and increased value is correlated with increased system complexity. This means we need to rethink our security strategy and posture. With greater complexity comes the need for greater systems visibility and control; and given the mobility of people within the network, the perimeter-focused firewall thinking of old needs to be replaced with a strategy that reflects our new reality.
As people come and go, and new systems replace the old, organisations need to adopt a “secure by design” approach to iteration and development in the workplace, saving an enormous amount of playing catch-up with cybersecurity.
Moving away from a threat-centric model to an adaptive, human-centric one allows us to correlate swathes of user activity and build a comprehensive behavioural risk profile of each user.
As companies accelerate digital transformation – combining a fluid and dynamic workforce with data being created, stored and consumed on computers, mobile devices, servers and IoT devices – the risk of data leakage and exfiltration dramatically increases.
This malleable, adaptive approach to risk is far better suited to the systems and workforces of companies embracing digital transformation, as it allows security analysts to partner with business leaders, cut down on noise, and then identify and disrupt potentially harmful activity anywhere across the network well before damage is done.
The dynamic individual risk score allows a company to change the security protocols for individuals, or to automatically block an account when it detects behaviour or activities that threaten other employees or the company. This granular approach helps organisations with limited resources to implement dynamic security practices which adapt as circumstances change.
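A minimal sketch of the dynamic, per-user risk score described above, written as an added example in Python (it is not code from the original post or from any vendor product). The signal weights, the 24-hour half-life, the thresholds and the four staff accounts’ activity are all constructed assumptions; the point is that recent risky behaviour raises the score, old behaviour decays, and each user is mapped to a proportionate control.

```python
from datetime import datetime, timedelta

# Assumed weights per behavioural signal (constructed for this example, not any vendor's model).
SIGNAL_WEIGHTS = {"login_new_country": 30, "failed_login": 10, "bulk_download": 40,
                  "off_hours_access": 15, "usb_mass_storage": 25}

def risk_score(events, now, half_life_hours=24.0):
    """Weighted sum of one user's (signal, timestamp) events, each halved every
    half_life_hours, so the score rises with recent activity and decays as behaviour normalises."""
    score = 0.0
    for signal, when in events:
        age_h = max(0.0, (now - when).total_seconds() / 3600)
        score += SIGNAL_WEIGHTS.get(signal, 0) * 0.5 ** (age_h / half_life_hours)
    return round(score, 1)

def response_for(score):
    """Map the dynamic score to a per-user control: monitor, step-up auth, or block (assumed thresholds)."""
    if score >= 80:
        return "block"
    if score >= 40:
        return "step_up_auth"
    return "monitor"

def assess(events, now):
    """Group (user, signal, timestamp) events by user; return {user: (score, response)}."""
    per_user = {}
    for user, signal, when in events:
        per_user.setdefault(user, []).append((signal, when))
    result = {}
    for user, evs in per_user.items():
        s = risk_score(evs, now)
        result[user] = (s, response_for(s))
    return result

NOW = datetime(2019, 6, 1, 12, 0)
def hours_ago(h):
    return NOW - timedelta(hours=h)
# Constructed activity for four hypothetical staff accounts.
SAMPLE_EVENTS = [
    ("alice", "login_new_country", hours_ago(1)), ("alice", "bulk_download", hours_ago(0.5)),
    ("alice", "off_hours_access", hours_ago(9)), ("alice", "failed_login", hours_ago(0.2)),
    ("bob", "failed_login", hours_ago(0.1)), ("bob", "failed_login", hours_ago(0.1)),
    ("carol", "off_hours_access", hours_ago(168)),  # a week old: almost fully decayed
    ("dave", "usb_mass_storage", hours_ago(1)), ("dave", "bulk_download", hours_ago(1)),
]
def demo():
    return assess(SAMPLE_EVENTS, NOW)

if __name__ == "__main__":
    for user, (score, action) in demo().items():
        print(f"{user:6} score={score:5.1f} -> {action}")
```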
So the next time you sit down with someone in your firm to have “that” conversation, being equipped with an understanding of the new breed of solutions that can be implemented across the organisation is a great way to steady the ship on the long voyage back to enjoying the trust of your customers.