IT spending is at an all-time high and continuing to grow at a rapid rate: it’s estimated that $103 billion will be dished out in 2019. This may seem like a good thing; more spend on security automatically means better security, right? Unfortunately, this is not always the case: while spend goes up, so too does the number of data breaches and compromised data records.
The correlation suggests the increased spending isn’t working, or rather that what it’s being spent on isn’t. According to IDC’s spend report, network security hardware such as firewalls, intrusion detection and prevention systems, and unified threat management appliances continues to receive a lot of the focus, as businesses try to protect the perimeter. This is concerning because breaches will happen, they’re inevitable, and the perimeter will fail. The immediate question for businesses is how they are preparing for this.
Given the nature of the industry and the extremely sensitive data it protects, it should be no surprise to see the banking sector in the top three anticipated spenders for 2019, alongside central government and discrete manufacturing. With the use of APIs, driven by regulation such as PSD2, becoming increasingly prevalent, financial organisations are at a crossroads.
But if banks are focusing on the wrong thing, what should they be spending their money on?
Back to basics
The simple truth is that the number of compromised data records continues to rise because organisations are not doing the basics right. In the first half of 2018, of the 944 security breaches reported, just 2% involved encryption being used to protect all or at least part of the data. In fact, in the second half of 2017, only 4% of breaches featured encrypted data, showing things are actually getting
For any business, particularly with the sensitive data that banks hold, the basics are a necessity, but what are they and why are they so important?
1. Understanding data
The first basic step a business like a bank needs to take, in order to begin protecting itself, is to conduct a data sweep to understand what data it has produced or collected, and where the most sensitive parts sit. This could be customer email addresses, dates of birth or financial details.
2. Employ two-factor authentication
Step two should be adopting strong two-factor authentication, which provides an extra layer of security should user IDs or passwords be compromised. Two-factor authentication combines something a person has, such as a code or message on their smartphone, with something only they know, such as a password. It’s there to ensure only those authorised to access the data can do so.
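The "code on a smartphone" factor described above is most often a time-based one-time password (TOTP, RFC 6238) generated from a secret shared at enrolment. The following is an added example, not code from the original article, showing both sides: the code the phone app would display and a server-side verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept the same time step twice so a captured code cannot be replayed. The `Verifier` type and the demo secret (the RFC 6238 test secret) are constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// totpStep is the RFC 6238 default time step in seconds.
const totpStep = 30

// hotp computes an RFC 4226 HMAC-based one-time password of the given
// number of digits for one counter value (HMAC-SHA1, as most phone apps use).
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totpAt is the code the user's phone app would display at time t.
func totpAt(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix()/totpStep), digits)
}

// Verifier is the server side (hypothetical type): it holds the shared secret
// and remembers the last time step it accepted, so a code is usable only once.
type Verifier struct {
	secret       []byte
	lastAccepted int64
}

// Verify checks a submitted 6-digit code against the current step and one step
// either side (clock drift), in constant time, and refuses any step at or
// before the last one already consumed.
func (v *Verifier) Verify(candidate string, now time.Time) bool {
	step := now.Unix() / totpStep
	for _, skew := range []int64{0, -1, 1} {
		s := step + skew
		if s <= v.lastAccepted {
			continue // replay, or older than a code already used
		}
		expected := hotp(v.secret, uint64(s), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			v.lastAccepted = s
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test secret), shared at enrolment.
	secret := []byte("12345678901234567890")
	v := &Verifier{secret: secret}
	now := time.Now()
	code := totpAt(secret, now, 6)
	fmt.Println("code from phone:", code, "accepted:", v.Verify(code, now))
	fmt.Println("same code replayed, accepted:", v.Verify(code, now))
}
```

In production the secret is stored server-side with the same care as the encryption keys discussed later in the piece, and the drift window is kept as small as the user base allows; every extra accepted step is an extra code an attacker could guess.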
3. Encrypt everything important
Encryption is the next layer of security businesses must implement; it is designed to stop customers’ sensitive data being used if it is accessed or stolen. This is why the data sweep must come first: it identifies what data needs to be encrypted. Whether the data is stored on your own servers, in a public cloud, or in a hybrid environment, encryption must be used.
4. Keep encryption keys safely stored
The next step is to store the encryption keys safely. Whenever data is encrypted, an encryption key is created, and that key can unlock the encrypted data. Encryption only works if the right key management strategy is correctly implemented. Companies must ensure the keys are kept safe by storing them in secure locations, such as external hardware separate from the data itself, to prevent them being compromised along with the data.
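Steps 3 and 4 together describe envelope encryption: each record is encrypted with its own data-encryption key (DEK), and the DEK is itself encrypted ("wrapped") by a key-encryption key (KEK) that never leaves separate hardware. The following is an added example, not code from the original article, using AES-256-GCM from Go's standard library. The `KeyStore` type is a hypothetical stand-in for an HSM or cloud KMS; the customer record is constructed. It shows what actually lands in the database, that the stored record is useless without the key store, and that binding the customer ID as associated data stops a ciphertext being re-attached to a different customer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealGCM encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to key, ciphertext or aad fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyStore is a hypothetical stand-in for an HSM or cloud KMS: it holds the
// key-encryption key (KEK) and only ever wraps or unwraps data keys.
type KeyStore struct{ kek []byte }

func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

func (ks *KeyStore) WrapDEK(dek []byte) ([]byte, error)  { return sealGCM(ks.kek, dek, []byte("dek")) }
func (ks *KeyStore) UnwrapDEK(w []byte) ([]byte, error) { return openGCM(ks.kek, w, []byte("dek")) }

// EncryptedRecord is what goes into the database: ciphertext plus the wrapped
// DEK. Neither plaintext nor a usable key is stored alongside the data.
type EncryptedRecord struct {
	CustomerID string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a fresh DEK per record, encrypts the sensitive fields
// (bound to CustomerID via AAD), then wraps the DEK with the key store.
func EncryptRecord(ks *KeyStore, customerID string, sensitive []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, sensitive, []byte(customerID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{CustomerID: customerID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the key store: without the KEK the stored record is useless.
func DecryptRecord(ks *KeyStore, rec *EncryptedRecord) ([]byte, error) {
	dek, err := ks.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, []byte(rec.CustomerID))
}

func main() {
	ks, _ := NewKeyStore()
	// Constructed sample record; the IBAN is a placeholder, not a real account.
	rec, _ := EncryptRecord(ks, "cust-0001", []byte("dob=1980-05-17;iban=GB00TEST0000000000"))
	pt, err := DecryptRecord(ks, rec)
	fmt.Printf("stored %d ciphertext bytes; decrypted %q (err=%v)\n", len(rec.Ciphertext), pt, err)
}
```

A per-record DEK means rotating or revoking the KEK only requires re-wrapping small keys rather than re-encrypting every record, and a database dump on its own exposes neither plaintext nor a key that can open it.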
5. Educate staff and customers
The final step a financial company should undertake is educating both its customers and its staff on the steps it has taken to protect their data. The approach is double-sided: employees and customers also need to be educated on the steps they themselves should take to remain safe and protect their personal data. This builds staff understanding of how to protect the company’s data, and builds customer confidence.
The banking industry is naturally one of the most heavily targeted sectors, due to the data it holds. Breaches are inevitable, there’s no getting around that, but the industry needs to show regulators and customers that it’s doing everything it can to protect its data. Moving forward, it needs to use all the tools at its disposal to protect itself, but this shouldn’t come at the expense of the most effective methods: the basics.