Financial services firms are intertwined with many industries, which puts them among the primary data breach targets because of the perceived value of the data they hold. Such firms, including CPAs, tax advisers and brokerages, may advise clients on how to properly protect vital information, but it’s also important that they focus on their own risks, for example the unnecessary storage of redundant, obsolete or trivial information (ROT), in order to create an internal culture of security and privacy.
“Any risk-based decisions need to be protected,” says Douglas C. Williams, CEO of Williams Data Management. “There are everyday actions and inactions that can put a company at risk for corporate espionage or an unintentional breach of information. The size of the business doesn’t matter. Companies need to focus on what information is carried with or accessed by employees and how it can remain protected at all times.”
Smart Business spoke with Williams about steps financial services firms should take to protect client data from a costly breach of information.
What is the most sensitive information financial firms have?
The most sensitive information is that which has to do with clients. Those personal information sets with traceable numbers — Social Security, financial accounts, date of birth, graduation dates — any and all information that links to that person can open up any door. That adds up to a personal dossier of a client, and that’s got to be protected both digitally and on paper.
Do these firms have a blind spot when it comes to security and privacy?
Companies often store ROT too long. On average, 30 percent of data stored are not needed and should be destroyed. Such data may include personal information that can be used to obtain passwords or directly access accounts, which is a costly oversight. For example, Target Corp. reported it had incurred $248 million in expenses in the year that followed its 2013 data breach.
Client information that’s past its useful life — meeting notes, strategies, and customer information — is actionable if discovered by someone else.
Why do organizations still have ROT?
There are lots of ‘what-if’ questions that compel companies to keep ROT around: What if we need it? What if we get sued? What if we can use it for someone else? What if we want to get that customer back, or talk to their heirs and beneficiaries to re-establish a relationship?
There should be a process of identifying what information must be kept, why and for how long. This allows a firm to establish an end point of a document’s lifecycle, which avoids ROT, mitigates risks and reduces storage costs, which have a tendency to multiply exponentially.
How can financial firms create a culture of security and privacy?
It starts with the C-suite setting policies that dictate how data stored on or accessed through mobile devices are protected. Is that information password protected? Encrypted? How is it downloaded or how is it protected from being downloaded?
It’s been found that employees, whether by fraud or fault, account for 85 percent of data breaches. Of that, 75 percent of leaked company information is obtained physically and not through digital hacking — stealing documents from a company’s trash bin or a lost thumb drive, for instance. So any security policy must include methods of protecting all types of sensitive business information.
What can organizations do today to minimize their data and information security risks?
Start by identifying and classifying sensitive information, and put a data disposal policy in place to get rid of ROT.
Scale down accessibility of information through data monitoring, security controls and advanced technologies. Install video surveillance in restricted areas, and use keypad locks and other means of tracking entry to restricted areas.
Insights Compliance & Information Governance is brought to you by Williams Data Management