10 Sep Change and Climb – Data Access and Security
With the introduction of GDPR a couple of years ago most firms have to give considerable thought to how they manage the personal data they hold. Finance sector firms face the added burden of satisfying FCA legal instruments and other security standards such as PCI DSS.
In addition to adhering to a broad range of legislation, the FCA also requires firms in the sector to record and retain vast quantities of data, much of which falls under the scope of GDPR. The FCA’s ‘Senior Management arrangements, systems and controls sourcebook’ outlines the recordkeeping requirements of firms. From telephone and email communications and employee records to conflict of interest records, accounting history and much more; we understand how data-heavy finance can be.
Due to the volume and extremely sensitive nature of much of this data, having controls in place to ensure data security is extremely important. Sensitive information such as national insurance numbers, payment card information and banking details can be used to perform identity fraud if it falls into the wrong hands.
We’ve established that GDPR and the FCA are two of the main legislative concerns of firms in the sector, but what do they say about data security specifically?
GDPR’s ‘security principle’ outlines a business’s obligations when it comes to handling data securely. It states that data should be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
“Appropriate technical measures” refers to the application of IT to ensure data security.
The FCA’s advice is broader, but the ‘systems and controls’ section of the SYSC sourcebook outlines some of the expectations of firms with regard to the management of personal data.
“A firm should have appropriate systems and controls in place to fulfil the firm’s regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.”
The ‘General Organisational Requirements’ section of the SYSC sourcebook also states that a firm must have…
“effective control and safeguard arrangements for information processing systems.”
It also instructs that firms must have “sound mechanisms” in place in order to:
“minimise the risk of data corruption and unauthorised access”
“to prevent information leakage.”
Additional challenges of our new working world
2020 has been a tumultuous year, and while we’ve seen a gradual return to normal working life, many companies are choosing to retain the remote working arrangement adopted earlier in the year – at least to some extent. Remote-working can bring many benefits to both employee and employer such as reduced overheads, lower absence rates, better retention and in many cases improved productivity – so it’s well worth adopting the practice in some form as we look beyond the Covid-19 pandemic.
However, data security can be more of a challenge with a remote workforce, particularly in data-intensive, compliance heavy sectors like Finance. There is a lot to consider…
- If staff are using personal devices, are these backed up? Who has access to the device? Are devices being properly maintained, with security patches regularly installed?
- Can you retain control over your data? Could files end up in insecure locations? Could digital copies of sensitive documents end up misplaced?
- How are you able to record communication for compliance purposes? Does your remote team have the technology required to do this?
- Do you have the oversight required to ensure GDPR compliance?
A remote finance team, therefore, needs convenient access to a large file resource that can be centrally governed to ensure data security and compliance.
Identifying and addressing security vulnerabilities
Back in 2008, the precursor to the FCA (the Financial Services Authority, FSA) published a report which examined data security practices in the financial services sector. While this report is now 12 years old, much of its content remains useful today and it provides many examples of ‘good practice’ still relevant in our modern working world. It mentions the following controls as useful ways to protect sensitive data:
- Access controls. It’s important to review the access rights granted to employees when they join a company, when they change role and when they leave. Today, consider how you can extend and remove access remotely. How would you go about removing access permissions for a remote employee who’s just left your company or moved to a different role requiring different permissions? Having tools in place to ensure that access can be centrally managed is vital.
- Strong password protection. The report stresses the importance of accounts being protected with strong passwords. While this advice remains relevant today you can also consider additional access criteria such as two-factor authentication to further protect accounts.
- Monitoring access to customer data. The report highlights the possibility of staff accessing customer data for illicit purposes, to commit fraud for example. In the modern context, this again ties into having the ability to govern your data centrally – controlling who accesses what on a need-to-know basis. Modern cloud storage solutions also ‘timestamp’ file access so any suspicious activity will leave a data trail.
- Effective authentication procedures. The report stresses the importance of protecting the customer’s identity. This involves both the authentication process and the secure handling of customer data. In the modern context, the customer may be required to send copies of various forms of ID to verify their identity. This data requires extremely secure handling: consider end-to-end email encryption to protect sensitive information in transit, ensure such files are backed up using the 3-2-1 backup rule (three copies, on two different media, one of them off-site) and make sure storage devices are safeguarded with anti-virus software and firewall protection.
- Controlling Internet and email use. The report talks about the inherent risks involved with unrestricted Internet and email use. This is highly relevant today, as malicious sites, email phishing scams and infection by malicious software (particularly ransomware) present a serious danger to corporate data. By issuing company-controlled devices to your staff, configured with a web filter, anti-phishing software and a well-configured firewall, you can help safeguard your data from most online threats.
- Laptop security. The report mentions the particular risks that portable devices such as laptops present. This is particularly relevant today with this year’s increase in remote working. It mentions the importance of encryption, and while this remains an essential component of mobile device protection, today employers can also benefit from Mobile Device Management (MDM) software, which allows remote devices to be ‘micro-managed’ from a central command portal as though they were part of a physical network. Having ownership of, and complete administrative control over, the devices your staff use for work is the ultimate way to ensure data security.
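As an added illustration of the first and third controls above (joiner/mover/leaver access review and monitoring timestamped access to customer data), the script below reconciles a constructed entitlement export against a constructed HR roster and flags file accesses outside the need-to-know group. This is example code written for this article, not part of the FSA report or any vendor product; the roster, entitlements, role mapping and log lines are all made-up sample data.

```python
"""Access review helper: reconcile entitlements against HR status and
flag customer-data access outside need-to-know. All data is constructed."""
from datetime import datetime

# Constructed HR roster: employment status and current role (assumed format).
HR_ROSTER = {
    "alice": {"role": "advisor", "status": "active"},
    "bob":   {"role": "support", "status": "active"},   # moved from advisor
    "carol": {"role": "advisor", "status": "left"},     # has left the firm
}

# Constructed entitlement export from the central file store.
ENTITLEMENTS = {
    "alice": {"customer-files"},
    "bob":   {"customer-files", "helpdesk"},   # stale right from old role
    "carol": {"customer-files"},               # leaver still holds access
}

# Which roles legitimately need each resource (need-to-know mapping).
ROLE_NEEDS = {
    "advisor": {"customer-files"},
    "support": {"helpdesk"},
}

def review_entitlements(roster, entitlements, role_needs):
    """Return (user, resource, reason) tuples for rights that should be revoked."""
    findings = []
    for user, rights in entitlements.items():
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.extend((user, r, "leaver") for r in sorted(rights))
            continue
        allowed = role_needs.get(person["role"], set())
        findings.extend((user, r, "role-change") for r in sorted(rights - allowed))
    return findings

# Constructed timestamped file-access log: timestamp,user,resource
ACCESS_LOG = """2020-09-01T09:12:00,alice,customer-files
2020-09-01T22:40:00,carol,customer-files
2020-09-02T10:05:00,bob,customer-files"""

def suspicious_accesses(log_text, roster, role_needs):
    """Flag accesses by leavers or by roles with no need-to-know for the resource."""
    flagged = []
    for line in log_text.splitlines():
        ts, user, resource = line.split(",")
        person = roster.get(user)
        permitted = (person is not None and person["status"] == "active"
                     and resource in role_needs.get(person["role"], set()))
        if not permitted:
            flagged.append((datetime.fromisoformat(ts), user, resource))
    return flagged
```

Run periodically against a real entitlement export, the first function gives the revocation list for the leaver and mover cases the report describes, while the second turns the file store's timestamps into a reviewable data trail.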
Choose an IT partner who understands your struggle.
In a highly regulated environment such as the finance sector, it’s important to have partners who understand the constraints within which you operate.
With years of experience supporting clients in the Financial Services sector, we understand your struggle. Firms in your sector typically want quality solutions that minimise risk while empowering productive workforces. They want the best, zero-compromise technology that enables exceptional service delivery while ensuring regulatory compliance through the implementation of sound process and data controls.
There is a way forward
Urban Network has years of experience in deploying efficient modern workplace solutions, which are tailored to your working practices and have security best practice built-in by design.
To learn more about tackling your challenges, please get your free copy of our ‘Change and Climb’ guide tailored to businesses in the financial sector.
We welcome the opportunity to provide you with a free, no-obligation discovery call, in which we’ll offer guidance to help you answer the questions contained within this article and map out solutions to tackle those challenges quickly, before they become an issue.