Mage Data

Category: Blogs – Others

  • Can Tools Really Stop a Data Breach? Hear from our CEO

    As data is the new oil, more threat actors are looking for ways to obtain sensitive information, eager to use it for a variety of sinister purposes.

    Following a data leak, home users might experience identity theft while companies risk damaging their brand reputation and suffering financial losses.

    To discuss the best data privacy and security practices, Cybernews talked to Rajesh Parthasarathy, the CEO of Mage Data, which provides data security and data privacy software for global enterprises.

    What has the journey been like for Mage Data? How did it all start?

    Looking back now, the journey of Mage Data has been transformational, to say the least. Early on, at a time when the use of data by organizations for business requirements was beginning to get widely adopted, I realized that the biggest threat to a full-scale digital transformation would be the security of sensitive data. Securing the data privacy and security of every organization and solving these data security challenges laid the foundation for the formation of Mage Data™ (then MENTIS) in 2004. Our data security platform was built based on 20+ years of experience and research on security vulnerabilities and solutions. It was received with resoundingly positive feedback by prospects and customers alike. With a vision of enabling a seamless solution offering and service to companies across the globe, we set up the operational base for Mage Data in India in 2014.

    Over the years, Mage Data has cemented its presence on the global map as one of the forerunners of data security and privacy solutions. A testament to this also comes in the form of industry awards, with Mage Data receiving the Customer’s Choice award consecutively for the last two years. Today, Mage Data stands out in the market with its differentiated products that provide an integrated end-to-end platform enterprise solution that is strongly positioned to reimagine data privacy and security for enterprises.

    Can you introduce us to your data privacy solutions? What are their key features?

    The Mage Data Platform provides data security solutions across the lifecycle of sensitive data right from the time of its creation till its retirement from the data store. Our solutions can discover data, anonymize it in production and non-production environments, monitor activity within the data store, and finally retire and tokenize inactive sensitive data. These capabilities can be used to solve a host of various use cases in the privacy and security space that include:

    • Test Data Management
    • Database security
    • Cloud migration
    • Achieving regulatory compliance
    • Enabling secure analytics on data
    • Implementing attribute-based access control mechanisms

    All these solution capabilities can be implemented within a single platform seamlessly with utmost ease.

    In your opinion, what data privacy issues should more people be concerned about?

    A primary concern for people should be the use of data for services that they have not opted for. For example, if an individual authorizes a bank to use their data for savings account services, the bank should not be using that data to sell additional products like loans, credit cards, etc.

    It’s an individual’s personal data that is being monetized. Whenever anything is free, the individual ends up being the product. It’s time we start treating our personal data as private information that should be shared only when required and which is deleted once the specific task is completed.

    From an organization’s point of view, we live in a world where data is key to supporting innovation and unlocking different products or services required by people across the globe. Today there are different ways in which organizations can derive insights from data without compromising its security or privacy, and this has gained utmost importance.

    Many organizations across the world are suffering because of the increasing frequency and potency of data breaches, both internally and externally. This not only leads to bad press but also attracts huge regulatory fines through the privacy laws and regulations being adopted by countries worldwide.

    How do you think the current global events are going to affect the way cybersecurity is perceived by the general public?

    There is a slow but steady increase in the awareness of data security in the minds of the general public. Privacy regulations like GDPR and CCPA have been at the forefront of the news when it comes to ensuring data privacy and security. However, there is still a long way to go, and companies need to inculcate a culture of securing data across their enterprise data landscape. Today, I can see people reading the check-box clauses twice before submitting any form. This shows that there is awareness amongst the public as to what it is that they are providing their consent for.

    In your opinion, why do certain companies still fail to keep up with compliance and other security standards?

    Complying with the standards set by the regulators requires consistent effort and periodic reviews. While there are outliers to this, most companies employ data security practices merely as a tick-in-the-box solution. Data security for one cannot be a one-time job. Security and compliance standards keep evolving, and regulators keep raising the bar for data security to ensure that data remains secure. Keeping up with such stringent standards requires inculcating them within the very DNA of the organization. Ensuring the security and privacy of data is not a good-to-have but a must-have practice. So, not having a robust data security approach within the company should ideally be ringing alarm bells for the management.

    What risks can customers be exposed to if a company they trust struggles to ensure compliance?

    Misuse of their personal data is the biggest risk that customers face when a company they trust fails to ensure compliance, thereby failing to secure their personal information. Breach of personal data has extraordinary ramifications depending on the classification of data that has been breached. It can range from simple prank calls to serious identity theft that can result in financial losses to the customer.

    What security tools or practices should users adopt to protect themselves online?

    Research has found that phishing contributes to the greatest number of data breaches, and to prevent this, people should always be aware of their online activity and what links they click. An individual who is completely aware of what they are doing online can greatly reduce the risk of inadvertent data loss due to phishing and visiting other malicious links. Security tools are present only to aid individuals in this endeavor, and no tool can completely secure or mitigate the loss of data. Tools help in reducing the impact of a breach and can never guarantee immunity from a data breach.

    Talking about the future, what predictions do you have for the data security landscape for the upcoming years?

    The data security landscape is evolving at a fast pace, and there is a lot of research that states it’s just going to keep growing. Gartner, for example, predicts that data security solutions are now consolidating into data security platforms – a single solution that can ensure the security of data across its different states (at-rest, in-transit, in-use) and use cases. The increasing adoption of the Cloud is also fuelling the rise of data security. As a vendor in the data privacy and data security space, it is an exciting time for us, and the future looks to be full of new opportunities and challenges. Avenues such as cloud security, privacy-enhancing technologies, and dynamic data masking are abundant for us to develop innovative solutions and assist organizations in championing their data security initiatives.

    And finally, what’s next for Mage Data?

    Mage Data has just come out of a two-year transformation period, and the organization is primed and ready to address the evolving needs of the privacy and security market. By strengthening the product suite to cover more data stores and establishing strategic partnerships with vendors in adjacent areas and markets, Mage Data is looking to holistically develop its product portfolio to become the single preferred vendor for organizations looking to have robust data privacy and security solutions.

  • The 7 data security habits of highly effective CISOs

    The CISO plays a critical role in identifying the security risks in an organization and creating a comprehensive security plan to mitigate those risks. But most of the time the focus is on mitigating external threats at the cost of ignoring the internal threats from employees or contractors who deal with the data day in and day out. Beyond an internal bad actor stealing customer data or viewing confidential information they are not supposed to see, there is also the penalty for non-compliance that the organization may face by knowingly or unknowingly giving external suppliers or contractors access to sensitive data. The myriad regulations around data security, such as PCI DSS, HIPAA, GDPR, CCPA and cross-border data transfer rules, make this an ever-growing challenge.

    Highly effective CISOs have a balanced view of both external and internal threats and undertake initiatives that take a holistic view of the entire lifecycle of the data within the organization. Here are the seven most effective practices a CISO can employ to take control of that data.

    These effective CISOs:

    1. Have intimate knowledge of their data

    In most organizations, getting to know the data stops with creating a data discovery platform that stores the source and lineage of all the data within the enterprise. While this is a critical first step, it is not sufficient on its own. An effective data security program also takes the effort of identifying sensitive data and marking those data sources as sensitive, so that the controls that follow (masking, access restriction, monitoring) know where to apply. What counts as sensitive can differ between groups within the organization, and each group could be spread across the globe, which also brings in the need to comply with different regulations specific to that part of the world.

    2. Don’t rely on business groups to tell them where the sensitive data is located

    The various business groups within the organization use the systems commissioned for them in a wide variety of ways. End users are seldom aware of the classification of different kinds of sensitive data, and sometimes populate systems with such information in unintended fields or files. It is not unusual for the IT team to discover customer names and Social Security numbers in a “Description” column, or critical patient information stored in Word documents on local drives. Relying on the end users of the systems to identify the fields or locations where critical information is stored results in an incomplete discovery process, leaving the door open for data security risks to materialize. An effective CISO deploys tools that periodically sample the data in these critical systems to identify sensitive data sources, rather than relying on the tribal knowledge of end users.
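
    The sampling scan described above, as an added example in Python (not code from the original post or from Mage Data). It draws a seeded random sample of rows, classifies every cell of every column against SSN and payment-card patterns, and reports hits per column, so a free-text “description” column that quietly accumulates SSNs shows up next to the columns that are supposed to hold them. The ticket rows are constructed for the example; the SSN issuance rules and the Luhn check are standard, and the 13-19 digit card pattern and the column names are assumptions.

```python
import random
import re
from collections import Counter

# SSN pattern with the SSA issuance rules applied: area is not 000, 666 or
# 900-999, group is not 00 and serial is not 0000. This rejects many placeholder
# values that a plain \d{3}-\d{2}-\d{4} would report as hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> list:
    """Return the classes of sensitive data found in one cell value."""
    text = str(value)
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("card")
            break
    return found


def scan_table(rows, sample_size, seed=0):
    """Sample rows from a table and count, per column, how many sampled cells
    contain each class of sensitive data. Returns {column: Counter}. Columns
    with no hits are absent, so a missing column means the sample was clean,
    not that the column was skipped."""
    rng = random.Random(seed)          # seeded so repeated scans are reproducible
    sample = rng.sample(rows, min(sample_size, len(rows)))
    hits = {}
    for row in sample:
        for column, value in row.items():
            for cls in classify(value):
                hits.setdefault(column, Counter())[cls] += 1
    return hits


# Constructed rows standing in for a support-ticket table; none of this is real data.
TICKETS = [
    {"ticket_id": 1, "agent": "agent07", "description": "Refund request, order shipped late"},
    {"ticket_id": 2, "agent": "agent12", "description": "Caller read out SSN 123-45-6789 to verify identity"},
    {"ticket_id": 3, "agent": "agent07", "description": "Card on file 4111 1111 1111 1111 declined, retry tomorrow"},
    {"ticket_id": 4, "agent": "agent03", "description": "Form shows 000-12-3456 in the ID box, ask customer to re-enter"},
    {"ticket_id": 5, "agent": "agent12", "description": "Typo in card field: 4111 1111 1111 1112, customer will call back"},
    {"ticket_id": 6, "agent": "agent03", "description": "Callback number 555-123-4567 before 5pm"},
]

if __name__ == "__main__":
    for column, counts in scan_table(TICKETS, sample_size=len(TICKETS)).items():
        print(f"{column}: {dict(counts)}")
```

    Rows 4 and 5 are the reason for the validity checks: an invalid area number and a digit string that fails Luhn are not reported, which keeps the noise down when the scan runs across thousands of tables. Sampling trades completeness for cost; a column that holds one stray SSN in a million rows may be missed, so the sample size (and the scan frequency) should be higher for systems that discovery has already flagged as high risk.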

    3. Know that data is a liability and how it can be converted into an asset

    The simplest way to protect data within an organization is to restrict access to the specific set of eyes that need to view it. But this creates a silo effect in which data is hoarded within specific groups. Operations or analytics teams that want to collate data from different parts of the organization for reporting, or to apply machine learning models to predict future trends, are at a disadvantage, since getting access becomes embroiled in the red tape of multiple approvals, manual cleansing of sensitive data from the feeds, and so on. A testing team that would have benefited from a copy of production data with all the sensitive fields masked must instead rely on synthetic data that might not mirror real-life scenarios. Deploying an effective set of data masking tools that apply encryption, anonymization or masking depending on how the data will be used is the key to making effective use of the data without compromising on security.
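
    A masked copy of production data is only useful to testers if it still behaves like production: foreign keys must still join and unique columns must stay unique. The following is an added example in Python, not Mage Data's code, of a static masking pass over two constructed tables. Customer ids and emails are replaced with keyed HMAC-derived pseudonyms (deterministic under one key, so the orders table still joins), names are substituted from a pool, and SSNs are rewritten into a format-preserving value whose area number can never be a real one. The key, the table layouts and the name pool are assumptions made for the example.

```python
import hashlib
import hmac

# Placeholder key for the demonstration. In practice the masking key lives with the
# masking job only; it must never be copied into the test environment it feeds.
KEY = b"constructed-demo-key"

NAME_POOL = ["Alex Rivera", "Sam Okafor", "Priya Nair", "Jordan Lee", "Chen Wei", "Maria Souza"]


def pseudonym(key: bytes, domain: str, value: str) -> str:
    """Keyed, deterministic pseudonym. The same input always maps to the same output
    under one key, so foreign keys keep joining; the domain tag stops an email and a
    customer id with identical text from colliding."""
    return hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()


def mask_customer_id(key, cid):
    return "C-" + pseudonym(key, "customer_id", cid)[:10]


def mask_name(key, name):
    return NAME_POOL[int(pseudonym(key, "name", name)[:8], 16) % len(NAME_POOL)]


def mask_email(key, email):
    return "user-" + pseudonym(key, "email", email)[:8] + "@example.test"


def mask_ssn(key, ssn):
    """Format-preserving replacement. The area number is forced into 900-999, which
    the SSA never issues, so a masked value can never belong to a real person."""
    digits = str(int(pseudonym(key, "ssn", ssn), 16))[-8:]
    return f"9{digits[:2]}-{digits[2:4]}-{digits[4:8]}"


def mask_dataset(key, customers, orders):
    """Return masked copies of both tables; the originals are left untouched."""
    masked_customers = [{
        "customer_id": mask_customer_id(key, c["customer_id"]),
        "name": mask_name(key, c["name"]),
        "email": mask_email(key, c["email"]),
        "ssn": mask_ssn(key, c["ssn"]),
        "segment": c["segment"],            # non-identifying attribute kept for analytics
    } for c in customers]
    masked_orders = [{**o, "customer_id": mask_customer_id(key, o["customer_id"])} for o in orders]
    return masked_customers, masked_orders


def join_intact(customers, orders):
    """True when every order still points at a customer row after masking."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


# Constructed production-like rows; none of this is real data.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Jane Roe", "email": "jane@example.com", "ssn": "123-45-6789", "segment": "retail"},
    {"customer_id": "C-1002", "name": "John Doe", "email": "john@example.com", "ssn": "234-56-7890", "segment": "business"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C-1001", "amount": 42.50},
    {"order_id": 2, "customer_id": "C-1001", "amount": 19.99},
    {"order_id": 3, "customer_id": "C-1002", "amount": 250.00},
]

if __name__ == "__main__":
    mc, mo = mask_dataset(KEY, CUSTOMERS, ORDERS)
    print(mc[0], mo[0], "join intact:", join_intact(mc, mo))
```

    Because the substitution is keyed, whoever holds the key can recompute the mapping, so this is pseudonymization rather than anonymization, and the masked copy should still be treated as confidential in the test environment. Rotating the key produces an entirely different, equally consistent copy, which is the right thing to do when a test environment is rebuilt.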

    4. Are aware that privacy of data is applicable not just to the end users of the system but the maintainers of the system too

    In many instances, while end users are subject to strict authentication and authorization mechanisms that determine what data they can view, these mechanisms are missing for the administrators of the same systems. A DBA querying the production database directly has a complete view of customers’ credit card numbers, and an L1 support representative in an India office can read logs containing sensitive information that is tagged as US-eyes-only. Although there might be strict non-disclosure agreements with these parties, this last-mile oversight carries significant risk. Deploying controls such as encryption at a database proxy layer and dynamic data masking mitigates these last-mile risks while ensuring that the level of service is not affected.
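
    The dynamic masking layer described above, as an added example in Python (not Mage Data's product code). A policy table maps each governed column to a predicate that decides, from the requester's role and region and from row-level tags, whether clear text is allowed; everything else is masked at query time and every decision is written to an audit trail. The roles, the “US-eyes-only” classification tag and the customer rows are constructed for the example, and the masking functions are assumptions about what the page's DBA and L1 scenarios would need.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requester:
    user: str
    role: str     # e.g. "dba", "l1_support", "payments_app"
    region: str   # e.g. "US", "IN"


def mask_card(value: str) -> str:
    """Keep the last four digits, which support staff need to confirm a card with a caller."""
    digits = value.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(value: str) -> str:
    return "***-**-" + value[-4:]


def redact(value) -> str:
    return "[REDACTED]"


# One rule per governed column: (column, clear-text predicate, masking function).
# The predicate sees the requester and the row, so it can combine role with
# row-level tags such as the "US-eyes-only" classification.
RULES = [
    ("card_number", lambda r, row: r.role == "payments_app", mask_card),
    ("ssn",         lambda r, row: r.role == "payments_app", mask_ssn),
    ("support_log", lambda r, row: row.get("classification") != "US-eyes-only" or r.region == "US", redact),
]


def apply_policy(requester, rows):
    """Return (masked copy of rows, audit events). The input rows are not modified.
    Columns with no rule pass through unchanged, which is why data discovery must
    feed this rule list: an ungoverned sensitive column is a blind spot."""
    masked_rows, audit = [], []
    for row in rows:
        out = dict(row)
        for column, allow_clear, mask_fn in RULES:
            if column not in row:
                continue
            decision = "clear" if allow_clear(requester, row) else "masked"
            if decision == "masked":
                out[column] = mask_fn(row[column])
            audit.append((requester.user, requester.role, column, decision))
        masked_rows.append(out)
    return masked_rows, audit


# Constructed rows standing in for a production customer table; not real data.
CUSTOMERS = [
    {"customer_id": "C-1001", "card_number": "4111 1111 1111 1111", "ssn": "123-45-6789",
     "support_log": "Disputed charge, refunded", "classification": "US-eyes-only"},
    {"customer_id": "C-2002", "card_number": "5555 5555 5555 4444", "ssn": "987-65-4321",
     "support_log": "Address change", "classification": "internal"},
]

if __name__ == "__main__":
    for who in (Requester("alice", "dba", "US"), Requester("bob", "l1_support", "IN")):
        rows, _ = apply_policy(who, CUSTOMERS)
        print(who.user, rows[0])
```

    The DBA keeps full query access but never sees a complete card number, and the L1 agent in India sees the US-eyes-only log entry redacted while other entries stay readable. The point of enforcing this in a proxy rather than in the application is that direct database sessions take the same path; a policy applied only in application code is exactly the gap the paragraph describes.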

    5. Understand that security is not just about creating restrictions; it is also about monitoring how effective those constraints are

    Data security is not a one-time set of actions. As the threat landscape widens and the regulations evolve, it is a constant balance between going overboard in some areas and under-investing in others. A simple approach is to deploy monitoring in the areas of under-investment so that it serves as an early warning of potential security risks. For example, are users accessing the production system beyond the usual work hours? Is any user querying unusual amounts of data from a table marked as “sensitive”? A simple tool that monitors and reports this kind of “unusual” usage gives early warning of misuse and acts as a deterrent against malicious actors. In addition, a periodic audit of the controls deployed across the different systems, to confirm that they are still effective and current, is key to an effectively run security program.
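
    The two questions above turned into detection logic, as an added example in Python rather than anything from the original post. It replays constructed database audit-trail lines in order, flags access to sensitive tables outside working hours, and flags a query whose row count exceeds ten times the user's own median for that table once enough history exists. The log line format, the table list, the working-hours window and the thresholds are all assumptions for the example.

```python
import re
from datetime import datetime
from statistics import median

# Tables tagged "sensitive" by data discovery; everything else is ignored here.
SENSITIVE_TABLES = {"customers", "cardholder"}
WORK_HOURS = range(8, 18)     # 08:00-17:59 in the log's local time
SPIKE_FACTOR = 10             # rows returned > 10x the user's median for that table
MIN_BASELINE_EVENTS = 3       # do not judge a spike until some history exists

# Constructed audit-trail format: one event per line.
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)")


def parse(line):
    """Return the event as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "table": m["table"], "rows": int(m["rows"])}


def detect(lines):
    """Replay events in order and return alerts as (kind, user, table, timestamp, detail)."""
    alerts = []
    history = {}   # (user, table) -> row counts of previous, unflagged events
    for line in lines:
        ev = parse(line)
        if ev is None or ev["table"] not in SENSITIVE_TABLES:
            continue
        key = (ev["user"], ev["table"])
        seen = history.setdefault(key, [])
        stamp = ev["ts"].isoformat()
        if ev["ts"].hour not in WORK_HOURS:
            alerts.append(("off_hours", ev["user"], ev["table"], stamp, f"hour={ev['ts'].hour}"))
        spike = len(seen) >= MIN_BASELINE_EVENTS and ev["rows"] > SPIKE_FACTOR * median(seen)
        if spike:
            alerts.append(("volume_spike", ev["user"], ev["table"], stamp,
                           f"rows={ev['rows']} median={median(seen)}"))
        else:
            # Flagged events are kept out of the baseline so one spike does not
            # normalise the next. A slow ramp still needs the periodic control audit.
            seen.append(ev["rows"])
    return alerts


# Constructed log lines; not from any real system.
LOG = """\
2024-03-04T09:12:01 user=jsmith table=customers rows=120
2024-03-04T10:40:33 user=jsmith table=customers rows=95
2024-03-04T14:05:10 user=jsmith table=customers rows=140
2024-03-04T15:22:47 user=jsmith table=orders rows=20000
this line is malformed and is skipped
2024-03-05T02:13:44 user=jsmith table=customers rows=48000
2024-03-05T11:00:02 user=etl_batch table=customers rows=50000
""".splitlines()

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

    The 02:13 query by jsmith raises both alerts; the 20,000-row read of the non-sensitive orders table raises none, which is the classification from habit 1 doing its job. The last line shows the limitation of per-user baselines: the etl_batch account has no history yet, so its 50,000-row read passes silently. Service accounts and new users need an explicit allow-list or an absolute threshold until they have accumulated a baseline.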

    6. Reduce the amount of data that needs to be secured, and with it the effort involved in securing it

    This might sound counterintuitive, but it is the most overlooked aspect of data security in any organization. As the amount of data in an organization grows, so does the effort involved in tracking, tagging and securing it. There are robust mechanisms for extracting inactive data and archiving it into a reliable store, while assuring business users that they will still have access to it when they need it in the future. Such mechanisms shrink the attack surface, because there is less live data that needs to be secured, and at the same time improve performance because of the reduced data load.

    7. Maintain a delicate balance between compliance with regulations and usability of data

    Regulations on personal data protection and individuals’ rights over the data that organizations hold are on the rise and will get stricter and more granular in the coming years. This presents an ever-growing challenge to the teams building and maintaining internal systems, which must respond to the data subject access requests that arise from such regulations. Knowing where personal data resides within the enterprise’s lakes of data is the first challenge. That data might be intermingled with business data that is critical to the operation of the system and cannot simply be deleted or forgotten. Techniques like masking or redaction of personal data are key to adhering to the regulation without compromising the usability of the system.

    Related blogs:

    The Comparative Advantages of Encryption vs. Tokenization vs. Masking

  • SOX Compliance and Data Privacy: What Companies Need to Know

    The Sarbanes-Oxley Act (SOX) was passed by the United States Congress in 2002 to protect the public from corporate fraud. The purpose of the act is to increase transparency in financial reporting through a formal system of checks and balances. SOX brings a legal obligation to what was already good business practice. The controls implemented for SOX compliance have a lot in common with best practices for data protection, which helps prevent data theft. Prioritizing cybersecurity reduces the risk of data breaches, whether by insider theft or cyberattacks.


    Which Companies Need SOX Compliance?

    The Sarbanes-Oxley Act applies to all publicly traded companies in the United States. It also applies to foreign companies whose securities are registered with the SEC, and to the wholly owned subsidiaries of SOX-regulated companies. Tangentially, SOX also applies to the auditors and accounting firms that audit SOX-regulated entities. Finally, any private company planning an IPO should be SOX compliant before going public.

    Private organizations (including companies and nonprofits) are not required to be fully SOX compliant, though they may be affected in some cases. For example, the Sarbanes-Oxley Act penalizes anyone who knowingly falsifies or destroys financial records, regardless of whether the organization is public.


    Data Retention vs. Data Protection

    The requirement to retain some financial data can create problems. In many applications, best practices dictate that sensitive data be deleted when no longer needed: companies should retain only the minimum amount of sensitive data, for the minimum amount of time possible. However, data cannot be erased or destroyed if it is required to prove SOX compliance, which is where the tension occurs.


    This may seem like a catch-22, but data privacy laws do account for instances when data retention is mandated by other reporting requirements. SOX does not normally contradict GDPR, CCPA, and other data privacy regulations, for example. All of these regulations exist to encourage greater accountability on the part of companies, and (despite potential challenges) policies are not drafted to create impossible situations.


    Exceptions: When SOX and Data Privacy Regulations Collide


    SOX typically applies to the company’s financial data, not to any individual’s personal data. However, there are areas where a company’s financial data overlaps slightly with an individual’s data. For example, companies have to retain customer invoices for five years, tax returns for seven years, and payroll records forever. This is financial data related to the company, but it is also likely to include sensitive information related to individuals.


    Can Data Be Safe and Useful?


    A data privacy strategy is tested in these kinds of situations, where data must be retained, but also kept completely secure. There are numerous steps to a comprehensive data protection solution. First, it is important to identify and locate all sensitive data throughout the entire enterprise. From there, a plan should be put in place for all sensitive data discovered.

    At this point, it is crucial to understand the difference between data encryption, tokenization, and masking. Encryption is reversible by whoever holds the key, which makes it a good fit for data that will be stored for the long term and must be read back later. Tokenization replaces a sensitive value with a token that is worthless to an attacker, while the mapping is kept separately (in a token vault or a keyed tokenization service); it suits data that must be moved or migrated, because systems that handle only tokens fall outside the sensitive-data footprint. Masking replaces sensitive values irreversibly, which is a great way to protect data while preserving its utility for testing and analytics. Depending on an organization’s specific needs, there are applications where all three techniques are useful (both in the context of SOX compliance and the broader data privacy strategy).


    Benefits of SOX Compliance


    Ensuring SOX compliance creates benefits that ripple across an entire organization. It leads to more consistent financial reporting, which appeals to shareholders. Beyond the benefits of superior financial reporting, compliance with SOX also reduces exposure to data breaches. Preventing cyberattacks helps reduce costs and protect the brand. Finally, SOX compliance makes it easier to navigate an audit and avoid penalties.


    Penalties of SOX Non-Compliance


    The penalties for SOX non-compliance can be severe, and may fall into a number of categories. There may be fines, invalidation of directors’ and officers’ (D&O) liability insurance, and removal from public stock exchanges. Individual executives, especially CEOs and CFOs, or anyone else who intentionally submits incorrect information during a SOX audit, may face millions of dollars in fines and lengthy prison sentences.


    Preparing for a SOX Compliance Audit


    As with any other type of audit, the best way to prepare is to stay prepared. In the case of SOX compliance, that means conducting a thorough discovery of all sensitive data, then protecting that data appropriately. When a company is audited for SOX compliance, they must prove they’re using the relevant controls to ensure appropriate data protection and accurate financial reporting.


    Key SOX Compliance Requirements


    There should be no need to scramble to prepare for an audit, because the strategy should already be established and maintained. That said, there are six especially important areas to consider before a looming SOX compliance audit:

    1. Section 302 – Corporate Responsibility for Financial Reports – The CEO and CFO are responsible for the accuracy, documentation, and submission of financial reports and the internal control structure to the SEC. These two executives must also establish and maintain SOX controls and evaluate their effectiveness within the 90 days prior to the report.
    2. Section 404 – Management Assessment of Internal Controls – This is considered among the most complicated parts of SOX compliance, and therefore among the most expensive. Every annual financial report must include an Internal Control Report confirming that management is responsible for an adequate internal control structure, together with management’s assessment of the effectiveness of that structure. The report must disclose any shortcomings, and its accuracy must be attested by an independent auditor.
    3. Section 409 – Real-Time Issuer Disclosures – Companies must promptly disclose material changes in operations or financial condition, in order to protect investors and the general public.
    4. Section 802 – Criminal Penalties for Altering Documents – Altering, destroying, or falsifying records to obstruct a federal investigation is a crime, with penalties for any employees, accountants, or auditors who willfully do so.
    5. Section 806 – Employees who report corporate fraud are protected. Retaliation against a whistleblower exposes the company to liability and, under the act’s criminal provisions, can lead to criminal charges.
    6. Section 906 – Certifying a fraudulent or otherwise misleading financial report can carry a criminal penalty of up to $5 million in fines and 20 years in prison.

    The commonality between these six sections is that honesty and transparency are of utmost importance for SOX compliance. When a company has a robust security strategy and the other necessary controls in place, the only thing to do for a SOX audit is to let the auditors do their jobs while you accurately report the appropriate information. The focus should be on maintaining SOX compliance at all times, rather than preparing for an upcoming or potential audit.

    Data Protection for SOX Compliance and Beyond


    The same capabilities a SOX auditor will look into are part of a good data protection plan anyway. Areas to consider include, but are not limited to, the following:

    • Access – Is there a least-privilege access model in place, such that every user has the minimum access required to do their job? Access should be controlled with physical controls (such as doors, badges, locking file storage) as well as technological controls (login policies, permission audits, and least-privileged access).
    • Change Management – Are there defined processes to install new software, add new users, modify databases, or change applications that relate to finance?
    • Data Backup – Are all financial records backed up off-site in a SOX-compliant manner?
    • Security – Can you demonstrate that you are protected against data breaches?

    SOX provides organizations with a framework to help them manage their financial records. It is the legal minimum, however, and is not intended to be a full replacement for a thoughtful data protection plan.

    The Sarbanes-Oxley Act lays out measures every company must take, and it falls upon individual business leaders to take additional steps based on their specific situations. Contact a cybersecurity partner to learn more about Data Governance, or schedule a demo to see specifically how a cybersecurity plan contributes to SOX compliance.

  • A Data Protection and Data Privacy Glossary

    The vocabulary of data protection seems to change every few years. Legislators pass new regulations, user expectations rise, and new technologies become available. It’s hard enough to keep up with the jargon, never mind best practices.

    Those responsible for implementing data privacy solutions need to “talk the data privacy talk” before walking the walk. This helps ensure that you can be advised on the right set of solutions to solve the real problems at hand—and, hopefully, never have to guess whether or not you’re protected. This glossary provides definitions and explanations for 20+ data protection words, phrases, and concepts.

    Anonymization

    Data anonymization helps companies maximize the utility of data while preserving compliance. Anonymization removes or generalizes personally identifiable information (PII) so that the data can no longer be tied to individuals if it is leaked or misused. Done properly it is irreversible, which is what distinguishes it from pseudonymization, and it greatly reduces the privacy concerns around retaining information for forecasting and other analysis. Businesses must avoid the most common data anonymization mistakes, such as leaving in place quasi-identifiers that can be linked to other data sets, to keep their user information private.

    Big Data

    Big Data refers to data sets that are too large or complex for traditional data software solutions. Organizations are receiving and retaining increasing volumes of data, and modern data sets contain a much larger variety of information.

    California Consumer Privacy Act (CCPA)

    The CCPA is one of the most significant data privacy regulations in the United States. It was signed into law in June 2018 and took effect on January 1, 2020. The CCPA gives consumers increased data privacy rights, and it is changing the ways businesses in the United States collect and use information.

    California Privacy Rights Act (CPRA)

    The CPRA was passed by ballot measure in November 2020 and took full effect at the beginning of 2023. It amends and extends the CCPA, bringing additional protections for consumer information, creating a dedicated enforcement agency, and increasing fines for violations. It applies to businesses that do business in California and meet the act’s size or data-volume thresholds, not to every company with a customer in the state.

    Database Activity Monitoring (DAM)

    Database activity monitoring is a security technology for detecting fraudulent, illegal, or otherwise inappropriate behavior within a database. DAM gives security professionals the ability to monitor access to sensitive data in real time. Immediate, ongoing reporting helps keep an organization audit-ready.

    Data Minimization

    This principle means an organization must limit the collection of personal information to what is relevant and necessary for a stated purpose. Furthermore, organizations should retain information only for as long as needed to satisfy that purpose. The GDPR (defined below) makes data minimization an explicit principle in Article 5. It is also the cheapest control there is: data that was never collected cannot be breached.

    Data Obfuscation

    This term is often used interchangeably with data masking. Data obfuscation is the process of modifying sensitive data to protect the privacy of individuals. The process eliminates opportunities for hackers or other unauthorized parties to derive value from the data. At the same time, data obfuscation techniques can preserve the utility of data for authorized parties and software.

    Data Privacy

    Data privacy has to do with collecting, storing, and using data responsibly. Data privacy efforts focus on ensuring that only the appropriate parties have access to information. Explore the differences between data privacy and data protection to gain a deeper understanding of each.

    Data Protection or Data Security

    People often use data protection and data security interchangeably. These terms refer to the strategies for ensuring the confidentiality, integrity, and availability of data while guarding against threats. While there is some overlap with compliance, compliance with regulations is not the same as complete data security.

    Data Retention

    The principle of data retention outlines procedures for meeting requirements around data archiving and management. Organizations must store some information for specified periods to comply with government or industry regulations. Occasionally, there is tension between data retention and data privacy.

    Data Scrambling

    This method of obfuscating or removing confidential data is irreversible. Data scrambling techniques involve the generation of randomized strings that cannot be restored to the original information.

    Data Scrubbing

    Also known as data cleaning or data cleansing, data scrubbing is the process of fixing erroneous information within a data set. Examples that require scrubbing include incomplete, incorrect, and duplicate data. Data scrubbing is a two-step process. First, identify errors in the data set. Then change, update, or remove data as needed to correct issues.

    Data Subject Access Rights

    The right of subject access says individuals are entitled to obtain copies of their data. Technologies like data subject access rights automation help organizations respond to requests more efficiently.

    De-identification

    De-identification is the process of stripping direct identifiers (names, account numbers, and the like) from collected data, or replacing them, so that records are no longer linked to a specific person. It is a general technique that both static and dynamic masking can implement; on its own it does not guarantee anonymity, because the remaining attributes may still allow reidentification (see below).

    Encryption

    Encryption is the process of encoding data so that it can be read only by a party holding the key. An algorithm turns plaintext data into unreadable ciphertext, and the holder of the decryption key turns it back. It protects data at rest and in transit and allows data to be shared with third parties who are given the key, which is why key management, rather than the algorithm, is usually the weak point.

    General Data Protection Regulation (GDPR)

    Adopted in 2016 and effective in May 2018, the GDPR is a model for many other data privacy laws. The regulation is part of EU privacy and human rights law. It gives individuals more control over their personal data, replaced the 1995 Data Protection Directive, and applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

    Health Insurance Portability and Accountability Act (HIPAA)

    This act, passed in 1996, is a federal law in the United States. Its Privacy Rule established national standards that prohibit the disclosure of sensitive health information without the patient’s consent or knowledge, and its Security Rule sets the safeguards required for electronic PHI.

    Homomorphic Encryption

    Homomorphic encryption is a specialized type of encryption designed for data in use. Typically, encrypted data is transferred, decrypted, and then analyzed. Homomorphic encryption allows computations to be performed on the data, so that it remains useful, without decrypting it first.

    Masking

    There are multiple types of data masking. Static data masking techniques like tokenization and encryption protect data in pre-production and non-production environments. Dynamic masking protects data in production environments when it’s in transit or in use.

    Personally Identifiable Information (PII)

    PII is any personal data that relates to an identifiable person. Information such as names, addresses, and Social Security numbers is PII because it can directly identify an individual. Combinations of other information such as age, race, gender, birth date, and more can also be PII.

    Protected Health Information (PHI)

    As defined by HIPAA, PHI is any data related to an individual’s health. PHI also includes the healthcare provided to an individual or payment by the individual for said healthcare. PHI is a top consideration when developing.

    Personal Data Protection Act (PDPA)

    The PDPA is a piece of data protection legislation from Singapore. It passed in 2012 and regulates the way organizations in the private sector can process personal data.

    Privacy-Enhancing Technologies (PETs)

    PETs are technologies to maximize data privacy while empowering individuals. These technologies help organizations get more from their data without compromising privacy or security.

    Pseudonymization

    Pseudonymization is the process of replacing sensitive data with a reversible, consistent value. Because the replacement is consistent and reversible, it carries an increased risk of reidentification.

    Reidentification

    Reidentification is the recovery or inference of personal data from a source that was meant to be anonymized, usually as the result of bad actors attempting to steal that data. A classic case occurred when New York City released data on taxi travel formatted in such a way that it was trivial to recover personally identifiable information about drivers, such as income and home address.

    Sensitive Data Discovery

    As organizations store increasing volumes of data, it becomes crucial to discover sensitive information that may be hidden or forgotten. Sensitive data discovery is the first step in any data privacy and data security strategy. After all, you can’t protect what you don’t know.

    SOX Compliance

    SOX compliance, as outlined by the Sarbanes-Oxley (SOX) Act, involves annual auditing of public companies for accuracy and security in their financial reporting. To achieve SOX compliance, companies must keep data secure, track attempted breaches, keep event logs, and prove compliance for the most recent 90-day period.

    Tokenization

    Like encryption, tokenization replaces plaintext data with an algorithm-generated value or string of values. In tokenization, the original data is retained in a secure server. The generated token can be passed to that secure server to retrieve the original information.
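    To make the difference between the scrambling, pseudonymization, and tokenization entries above concrete (scrambling keeps no mapping and is irreversible; pseudonymization is consistent and reversible by whoever holds the key and lookup table; tokenization swaps in a random token that only the vault can reverse), here is an added Python example. It is not Mage Data’s code; the sample value, key, and in-memory vault are constructed for illustration, and `linkable` shows why consistent pseudonyms raise reidentification risk.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional, Set

SAMPLE_SSN = "123-45-6789"  # constructed sample value, not real data

def scramble(value: str) -> str:
    """Data scrambling: random characters of the same length and no mapping kept,
    so the original can never be recovered from the output."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in value)

class Pseudonymizer:
    """Pseudonymization: keyed, deterministic replacement. The same input always
    yields the same pseudonym, and whoever holds the key and lookup table (stored
    apart from the data) can reverse it. That consistency is also the
    reidentification risk: records can be linked across datasets."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}  # pseudonym -> original

    def pseudonymize(self, value: str) -> str:
        pseudonym = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[pseudonym] = value
        return pseudonym

    def reverse(self, pseudonym: str) -> Optional[str]:
        return self._lookup.get(pseudonym)

class TokenVault:
    """Tokenization: the token is random and unrelated to the data; the original
    is retained only in the vault, the one place able to detokenize it."""
    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}  # token -> original

    def tokenize(self, value: str) -> str:
        token = secrets.token_hex(8)
        while token in self._vault:  # guard against an (unlikely) collision
            token = secrets.token_hex(8)
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._vault.get(token)

def linkable(pseud: Pseudonymizer, dataset_a: List[str], dataset_b: List[str]) -> Set[str]:
    """Pseudonyms shared by two datasets; a non-empty result means they can be joined."""
    return {pseud.pseudonymize(v) for v in dataset_a} & {pseud.pseudonymize(v) for v in dataset_b}
```

    Tokenizing the same value twice yields two different tokens, while pseudonymizing it twice yields the same pseudonym; that is the property to weigh when choosing between the two.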

    Getting Started With Data Privacy and Data Security

    To see how data protection and data privacy concepts fit into a comprehensive product suite, schedule a demo with Mage Data. We’re happy to address your specific questions and tailor the demo to fit your requirements.

  • Data Security Challenges in Financial Service Industry

    Data Security Challenges in Financial Service Industry

    The industry most targeted by cybercriminals is the financial services industry. Because of the sheer volume of sensitive financial data carried by this industry, it serves as a hotspot for cyberattacks. 47.5% of financial institutions were breached in the past year, while 58.5% have experienced an advanced attack or seen signs of suspicious behavior in their infrastructure.

    There are also quite a few regulations that govern this industry specifically, such as PCI-DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act), and BCBS 239 (Basel Committee on Banking Supervision regulation number 239). Although the industry is heavily regulated, it has a notably high data breach cost of $5.86 million [2]. So, data falling into unauthorized hands not only results in non-compliance for the organization but also puts it at financial risk because of the high cost of data breaches.

    Challenges

    Third-party risks

    The use of third-party vendors is one of the major forces behind the cybersecurity risk that threatens financial institutions [3]. Most organizations work with hundreds or even thousands of third parties, creating new risks that must be actively handled. The financial sector has massive third-party networks that pose new weak spots in cyber defense. In the next two years, we can expect to see an exponential rise in attacks on customers, partners, and vendors [4]. Without continuous monitoring and reporting, along with the use of critical tools to do so, organizations are vulnerable to data breaches and other consequences.

    Data transfers (cross-border data exchanges)

    The most fundamental challenge is to keep your private data private. Given that the financial sector produces and uses a massive amount of sensitive data, and is highly regulated, cybersecurity becomes paramount. Adequate measures are needed to protect data at rest, in use, and in motion.

    Security concerns

    Problems arise with data security when employees, security officials, and others tasked with protecting sensitive information fail to follow adequate security protocols. They may be careless, leaving their credentials lying around at home or in public places. Other issues arise when the networks and web applications provided by institutions lack sufficient safeguards to keep out hackers looking to steal data.

    According to SQN Banking Systems, the five biggest threats to a bank’s cybersecurity are:
    • Unencrypted data
    • Malware
    • Non-secure third-party services
    • Manipulated data
    • Spoofing

    Evolution of technology and the threat landscape

    Technology evolves daily; what we’re using now might be obsolete next year. At the same time, cybercriminals are equipping themselves to face technological advancements head-on. Judging by the alarming number of cybercrimes in the past year, attackers are often far more advanced than the technology we are using. In a scenario where criminals are always one step ahead of the organization, blocking threats becomes a difficult task.

    Evolving customer needs and organizations

    Just as technology evolves, so do organizations and the way they function. Customer needs are ever-increasing, and customers want quick solutions. What they might not realize is that appealing technology comes with its own set of risks. Moreover, there probably isn’t a financial institution today that hasn’t explored digital and mobile platforms. As institutions keep expanding their use of these platforms to cater to consumers, they inadvertently open themselves to cyber risk exposure. Retaining customer confidence while meeting the growing demand for newer technologies becomes a complicated process.

    Remaining compliant

    Alongside dealing with the challenges mentioned above, it is imperative that financial institutions also put in the effort to stay compliant with laws such as the GDPR and CCPA to avoid hefty fines and other consequences such as revenue loss, customer loss, reputation loss, and the like.

    Solutions

    • Monitor user activity for all actions performed on sensitive data in your enterprise.
    • Choose from different methods or select a combination of techniques such as encryption, tokenization, static, and dynamic data masking to secure your data, whether it’s at rest, in use, or in motion.
    • Before this step, sensitive data discovery is a must, because if you don’t know where your data is, how will you protect it?
    • Deploy consistent and flexible data security approaches that protect sensitive data in high-risk applications without compromising the application architecture.
    • Your data security platform should be scalable and well integrated, consistent across all data sources, and span both production and non-production environments.
    • Finally, ensure the technology you’re implementing is well integrated with existing data protection tools for efficient compliance reporting and breach notifications.

    Conclusion

    If financial institutions think they can dodge cyberattacks with mediocre data security strategies, recent heists would have proved them wrong. And despite prevention and authentication efforts, many make the mistake of assuming anomalous and unauthorized activity will cease to occur, which is unfortunately not the case. While cyber risk is inevitable, by implementing the right tools and a well-defined approach to cybersecurity, financial institutions can be better prepared as threats evolve.

    About Mage Data

    Our data and application security platform is a single integrated platform that protects sensitive data across its lifecycle, with modules for sensitive data discovery, static and dynamic data anonymization, data monitoring, and data minimization. Our data security solutions are certified, tested, and deployed across a range of customers all over the globe. We have successfully implemented our solution in many large financial institutions: a top private bank in the Dominican Republic, one of the largest Swiss banks, a global financial services software manufacturer, the world’s largest credit rating agency, and a top commercial bank in the United Arab Emirates.

    How is a Swiss bank effectively handling data security?

    A top Swiss bank was looking to optimize costs by offshoring IT application development while ensuring compliance without compromising on sensitive data controls. This created a need for sensitive data discovery and masking in both production and non-production environments. In a highly regulated environment, they were able to deploy our product suite, a sophisticated solution that met their needs, and successfully achieved secure cross-border data sharing and sensitive data assessment for cloud migration and compliance.

    You can download the case study here: Mage Customer Success Stories – Comprehensive Security Solution for a Top Swiss Bank

    References

    1) Bitdefender – Top security challenges for the Financial Services Industry in 2018
    2) Ponemon Institute – Cost of a Data Breach Report, 2019
    3) PwC report – Financial services technology 2020 and beyond: Embracing disruption
    4) Protiviti – The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change
    5) NGDATA – The Ultimate Data Privacy Guide for Banks and Financial Institutions