By Eleanor O'Connor
Data security is especially important for organizations in the financial services sector. With that importance come strict regulations and standards intended to ensure that sensitive data stays secure.
We spoke with two experts in data security and governance from DataSure24 to find out how organizations can maintain compliance with financial data security regulations and standards in 2020.
Data and Information Security in 2020 (1:45)
Years ago, cybersecurity concerns were all about servers and assets. The mindset has since evolved to be primarily data-focused.
What is the reason for this shift towards protecting data?
Think about it: whenever a company’s systems are compromised, the first question everyone tends to ask is “what happened to the data?”
Today, the data and information security landscape is characterized by hyper-sensitivity (for a good reason) about data. It’s the primary concern for all involved.
The New York State Department of Financial Services (NYDFS) has developed cybersecurity regulations and standards for financial institutions to follow. The problem with looking solely at these regulations and standards, though, is that they are not conducive to easily building a thorough and comprehensive security program.
On the positive side, the fact that the Department of Financial Services is focused on data security is a step in the right direction.
You can view the full NYDFS Cybersecurity Regulation here.
Keeping Sensitive Data Secure (3:35)
Traditionally, security-related measures have fallen on IT departments’ shoulders.
According to Mark, data security should be a function that is separate from an organization’s IT department. The New York Department of Financial Services’ cybersecurity regulations emphasize this. They require that financial institutions have a Chief Information Security Officer (CISO), an individual that specifically focuses on providing data and information security for the organization.
Securing sensitive customer data should not be the focus of your IT department, but rather your CISO.
For smaller companies, finding and hiring a full-time CISO can be expensive and inefficient. This is where Virtual Chief Information Security Officers (vCISOs) are useful.
Smaller companies can use a vCISO, or “fractional CISO,” who puts in 15-20 hours per month to help build their data and information security programs. This comes at a fraction of the cost of hiring a full-time CISO. If a smaller company does choose to make a CISO full-time, that individual can take on multiple roles as long as they remain able to properly secure data and information.
Hiring a full-time CISO or using a vCISO is not only required by the Department of Financial Services, but is also an actionable step that small and large companies alike can take towards securing sensitive customer data and information.
Employees are your biggest asset, but also your biggest risk.
This is because they are often the first to be targeted and exploited during a data security breach. A preventive measure is to implement security awareness training. This can be done by someone internally or by a third-party company.
If it makes sense for your organization, your Chief Information Security Officer could play a role in the training, but normally the individuals who hold this role tend to be more involved in higher-level security strategy.
Who is Impacted by Financial Data Security Regulations? (7:55)
Mainly financial institutions, but also the healthcare industry and other organizations that have access to highly sensitive data similar to what a financial institution would hold.
According to Mark, the precise definition of a financial institution is still somewhat of a gray area when it comes to the New York Department of Financial Services. The department’s regulations do contain a list of exemptions, though, to help you determine whether they apply to your organization.
Data and Information Security in The Cloud (10:08)
When the cloud first came around, people would specifically avoid it due to information security concerns. Eight to ten years ago, cloud providers began to realize this was a large barrier for them, and cloud security has been ramped up significantly since.
The data and information security landscape around the cloud is completely different today compared to years ago. Organizations are now moving into the cloud because of the high level of data and information security it provides.
All of the major cloud providers publish a shared security model (often called the shared responsibility model) that explains what is done on their end to secure sensitive data and information, and also outlines which security measures need to be taken on the organization’s end. This makes it a lot easier for organizations to know which actions to take to be fully compliant with the New York Department of Financial Services’ cybersecurity regulations and standards.
Overall, cloud providers have done a great job of making data and information security easy and straightforward for organizations.
Is Remote Work a Threat to Data and Information Security? (12:45)
There are some options that are fairly simple to implement and that will help ensure data and information security for your employees and the devices they use to work remotely.
Tools such as host intrusion detection software (HIDS) and other endpoint security software can be installed on your employees’ devices to block potential threats. With these, your organization also gains the ability to see potential threats, and those that have been blocked, in real time.
Overall, there are many technologies that are readily available and easy to implement to protect your employees’ laptops, tablets and phones, which makes remote work less of a threat to data and information security.
How to Promote Data Security Management for Your Organization (15:10)
Awareness of data security management comes from educating your organization on its importance.
Here are actionable steps you can take to increase awareness on the importance of data security management in your organization:
➤ Have a security assessment or audit conducted on your organization (this will allow you to locate the gaps in your current data and information security measures)
➤ Gain executive buy-in on data security management (not just acceptance, but a strong understanding that encourages them to promote it from the top down)
➤ Provide security awareness training for employees (this needs to be a comprehensive program that is viewed as an ongoing process)
These steps need to be taken to ensure that your business isn’t significantly impacted when, not if, an attack happens.
About Our Guests
Peter Ronca and Mark Musone of DataSure24 are experts in data security and governance. They focus on helping small to medium-sized businesses deal with security regulations without requiring a ton of internal resources. With DataSure24, businesses are able to outsource their security at a high level.