Customers in Germany have grown wary of cashless payment after thousands of bank customers were asked to change their account details following a massive data loss that led to 90,000 cards being replaced last week. The banks involved now speak of precautionary measures and assure the public that no fraud has been detected. Still, there is no information about what actually happened or which data exactly was lost.
IT Security: why losing data means losing customers
The real problem here is not the extraordinary measures that had to be taken, but that the banks are unable to say precisely what caused the breach. That points to a lack of insight and transparency: apparently nobody can tell when and how the data was lost. It is this lack of knowledge that causes fear and forces banks into radical steps such as replacing the cards.
In the current landscape, financial institutions need to change their mindset towards cyber security threats
In the current landscape, financial institutions need to change their mindset towards cyber security threats. Cyber attacks do happen, and they will be able to overcome classic security mechanisms. In its recent report on the state of IT security in Germany, the Federal Office for Information Security (BSI) calls for a new paradigm: “Assume the Breach – Instead of trying to block cyberattacks, organisations should assume security incidents or breaches will happen. Attacks as such can be successful. Part of risk management therefore has to be the establishment of structures and processes that deal with incidents”.
With more devices, mobile banking and trading, cloud services and ongoing changes to IT infrastructure, the cyber security threat landscape has changed. This is especially true given the growing number of people accessing sensitive, confidential resources, often from several devices. Outsourcing IT tasks to service providers brings flexibility, but it needs matching security solutions. Growing businesses also demand a constant stream of new IT equipment, which is harder to protect. All of this creates new risks, and solutions relying solely on firewalls and antivirus software can no longer provide that protection.
Besides the escalating risk of cyber criminality, there is also a human factor to consider
Besides the escalating risk of cyber crime, there is also a human factor to consider. People in an organisation have to find their way with the technology. The auditor PwC argues in a recent survey that 48 percent of all breaches are caused by human error. Companies need ways to track the activities of their privileged users precisely; otherwise they risk their credibility and reputation by being pressured into drastic actions. In the age of digital integration, leaving highly sensitive data unmonitored is like switching off all the security mechanisms in your vault.
The financial sector has been highly regulated for some time, even before the IT security law came into effect, and the Payment Card Industry Data Security Standard (PCI DSS) sets out rules for compliance. Now companies need solutions that match these regulations, allow a quick response to incidents (such as blocking or limiting access) and also support monitoring of user behaviour.
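The two capabilities just described, tracking what privileged users do and reacting quickly by blocking access, can be illustrated with a small baseline-and-deviation check over audit logs. The following is an added example written for this page; it is not code from the original article or from any vendor's product. The log lines are constructed, and the field names, the working-hours window, the volume factor and the block threshold are all assumptions chosen for illustration.

```python
import json
from collections import defaultdict

# Constructed sample audit logs (JSON lines). They are illustrative only and
# are not taken from any real bank system. Field names are assumptions.
BASELINE_LOG = """\
{"ts": "2024-05-02T09:15:00", "user": "admin_jane", "resource": "cards_db", "records": 20}
{"ts": "2024-05-02T14:40:00", "user": "admin_jane", "resource": "cards_db", "records": 50}
{"ts": "2024-05-03T11:05:00", "user": "admin_jane", "resource": "cards_db", "records": 35}
{"ts": "2024-05-02T08:30:00", "user": "admin_bob", "resource": "hr_db", "records": 10}
{"ts": "2024-05-03T16:10:00", "user": "admin_bob", "resource": "hr_db", "records": 12}
"""

NEW_LOG = """\
{"ts": "2024-05-06T10:00:00", "user": "admin_jane", "resource": "cards_db", "records": 30}
{"ts": "2024-05-07T02:30:00", "user": "admin_jane", "resource": "cards_db", "records": 90000}
{"ts": "2024-05-07T14:00:00", "user": "admin_bob", "resource": "cards_db", "records": 10}
{"ts": "2024-05-07T03:00:00", "user": "admin_jane", "resource": "cards_db", "records": 5}
"""

# Assumed rule: an event touching more than 10x the user's largest baseline
# record count is treated as a bulk extraction.
VOLUME_FACTOR = 10


def parse_log(text):
    """Parse JSON-lines audit records into dicts, adding the hour of day."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["hour"] = int(ev["ts"][11:13])  # ISO 8601 timestamp, hour field
            events.append(ev)
    return events


def build_baseline(events):
    """Per user: resources touched, hours of day seen, and largest record count."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set(), "max_records": 0})
    for ev in events:
        b = baseline[ev["user"]]
        b["resources"].add(ev["resource"])
        b["hours"].add(ev["hour"])
        b["max_records"] = max(b["max_records"], ev["records"])
    return dict(baseline)


def score_event(baseline, ev):
    """Return the reasons an event deviates from the user's baseline (empty if none)."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if ev["resource"] not in b["resources"]:
        reasons.append("new resource %s" % ev["resource"])
    # Working-hours window: earliest to latest hour seen in the baseline.
    if not (min(b["hours"]) <= ev["hour"] <= max(b["hours"])):
        reasons.append("unusual hour %02d:00" % ev["hour"])
    if ev["records"] > VOLUME_FACTOR * b["max_records"]:
        reasons.append("volume %d exceeds %dx baseline max %d"
                       % (ev["records"], VOLUME_FACTOR, b["max_records"]))
    return reasons


def detect(baseline_text, new_text, block_threshold=2):
    """Score every new event against the baseline.

    Returns (alerts, users_to_block): alerts as (ts, user, reasons) tuples, and
    the sorted list of users with at least block_threshold alerts, i.e. the
    accounts whose access should be suspended pending investigation.
    """
    baseline = build_baseline(parse_log(baseline_text))
    alerts = []
    per_user = defaultdict(int)
    for ev in parse_log(new_text):
        reasons = score_event(baseline, ev)
        if reasons:
            alerts.append((ev["ts"], ev["user"], reasons))
            per_user[ev["user"]] += 1
    users_to_block = sorted(u for u, n in per_user.items() if n >= block_threshold)
    return alerts, users_to_block


if __name__ == "__main__":
    found, blocked = detect(BASELINE_LOG, NEW_LOG)
    for ts, user, reasons in found:
        print(ts, user, "; ".join(reasons))
    print("block access for:", blocked)
```

On the constructed input the 02:30 export of 90,000 records is flagged for both the hour and the volume, admin_bob's first touch of cards_db is flagged as a new resource, and admin_jane, with two alerts, is the one account the detector recommends blocking. The point is not the particular thresholds but that an audit trail with per-user baselines lets an institution answer "who touched what, when, and how much" on the day of an incident instead of replacing every card because it cannot.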
In the event of a security breach, organisations must be able to analyse the situation and take the right measures. The actual data loss in the example was probably far smaller than 90,000 customers, but if you cannot tell, you have to take steps big enough to preserve your customers’ trust.