5 Steps for Securing Customer Financial Data

First, there is the reputational damage that comes from leaked data. Then there is the cost of cleanup, which typically runs between $3.86 million and $8.64 million. Finally, there are regulatory repercussions from violation of the patchwork of rules that govern financial data, including the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), California Consumer Protection Act (CCPA), and others.

Sensitive data that is insecure is the stuff that keeps security and compliance professionals up at night. And the scary part is that it happens all the time. Roughly 73 percent of businesses admit that they have encountered sensitive data leaks in the past year, according to Microsoft research.

Due to the high cost and stringent regulations around customer financial data, mitigating the risk of financial data exposure is a critical task for businesses that interact with such data.

Broadly, there are five key steps for ensuring that businesses are doing all they can to protect this sensitive data in an age where shadow IT is proliferating, employees are increasingly working from home on personal devices, and new technologies are opening up additional threats for data exposure.

Step 1: Define the Scope of Data to Protect

Customer financial data encompasses many possible pieces of data that can exist on many different systems and in many different formats.

Before customer financial data can be secured, it is important that security professionals define all the types of financial data that must be secured, including account details, financial records, recorded financial histories, personally identifying information (PII), etc. The formats and locations where this data might exist also must be defined, including the universe of possible databases, spreadsheets, reports and call recordings where customer financial data might live.

Undefined data cannot be protected.

Step 2: Categorize the Data

The security systems and procedures for customer financial data will vary depending on the category of data. The way that financial transaction information is handled and secured will likely differ somewhat from the way a company handles data that grants access to a financial account, for instance.

So once the scope of customer financial data is established, categories should be defined for the various ways this data might need to be handled—and each type of data should be mapped to the appropriate categories. This categorization should factor in the various regulations that apply to the organization so data that is regulated by a given law is appropriately tagged and processed according to its regulatory requirements.

Step 3: Discover Where the Data Lives

The intended location of customer financial data is not where it always lives in practice. Even if there are strict protocols for handling customer financial data, it often is the case that some data has leaked out into other systems or migrated unintentionally to employee devices in the normal course of business. There might even be data stores that have gone unnoticed and contain customer financial data, such as a backup server that unintentionally houses customer reports.

Perform a scan of all corporate resources so the true location of all corporate data is known. This scan must be comprehensive so all data can be discovered and protected.

Step 4: Tag Data by Category

Automating security and compliance processes is essential for securing data appropriately. For automation to apply the right security and processes, however, each piece of data must be classified so automation processes know when and how to act.

So once the full universe of corporate data has been uncovered by data discovery, the next step is labeling each piece of data with the appropriate classifications as defined earlier in the categorization step.

Most businesses will want to leverage data discovery and classification platforms to automate the classification process, combined with a manual review of the classification to make sure all data is labeled correctly. If a modern classification solution is used for the tagging, this manual review mostly will entail double-checking that data has been classified appropriately.

Step 5: Secure Data According to Classification

Then there is the actual securing of customer financial data, the critical step that can only come after scope and categorization have been defined and discovery and data tagging have been completed.

While the methods that a business uses to secure customer financial data will vary, they likely will include strict access controls, data encryption both in transit and at rest, firewalls and real-time threat scanning, and automatic logging of all data access, among other methods.

Security methods and processes likely will vary depending on the classifications that have been established earlier.

Whatever security methods are employed, the key takeaway is that securing customer financial data—or any sensitive corporate data resource, for that matter—hinges on discovery and classification. More than 90 percent of data breaches occur because of human error, and a failure to have the right preventative measures in place enables these errors. When sensitive data is known and classified, appropriate safeguards such as access controls and monitoring can be put in place.
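The five steps above, carried through as an added example that is not part of the original post or of Qohash's products: a minimal discovery-and-classification pass over constructed sample data stores. The store paths, sample values, category labels, regulation tags and control names are all this example's own assumptions.

```python
import re

# Constructed sample "data stores": a spreadsheet export, a call transcript and a forgotten
# backup report. All paths and values are fabricated for this example.
SAMPLE_STORES = {
    "finance/exports/q3_transactions.csv": "customer,card,amount\nA. Tremblay,4111 1111 1111 1111,120.00\n",
    "support/calls/2023-05-02.txt": "Caller confirmed routing number 021000021 and account 000123456789.",
    "backup/old_reports/summary.txt": "Quarterly summary: revenue up 4%, no customer records.",
}

# Step 2: categories as (label, detector, regulation tag, controls required in Step 5).
# Labels, tags and control names are this example's own assumptions, not a standard.
CATEGORIES = [
    ("card_number", r"\b(?:\d[ -]?){13,19}\b", "PCI", ("encrypt_at_rest", "restrict_access", "log_access")),
    ("bank_account", r"\baccount\s+(\d{8,12})\b", "GLBA", ("encrypt_at_rest", "restrict_access", "log_access")),
    ("routing_number", r"\brouting number\s+(\d{9})\b", "GLBA", ("restrict_access", "log_access")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random 13-19 digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit counted from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Step 4: tag a piece of data with every category whose detector fires."""
    tags = []
    for label, pattern, regulation, controls in CATEGORIES:
        for m in re.finditer(pattern, text, re.IGNORECASE):
            value = re.sub(r"[ -]", "", m.group(1) if m.groups() else m.group(0))
            if label == "card_number" and not luhn_ok(value):
                continue  # a digit run that fails Luhn is a reference number, not a card
            tags.append((label, regulation, controls))
    return tags


def discover(stores: dict) -> dict:
    """Step 3: scan every store, recording which categories live where."""
    return {path: tags for path, content in stores.items() if (tags := classify(content))}


def required_controls(inventory: dict) -> dict:
    """Step 5: derive each store's control set from the union of its tags."""
    return {path: sorted({c for _, _, ctrls in tags for c in ctrls}) for path, tags in inventory.items()}
```

The backup report, which holds no regulated data, drops out of the inventory, while the call transcript inherits the stricter control set of the two categories found in it.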

For more on our Qostodian products and how they can simplify data discovery and classification, schedule a demo.
