Bankers hear the same advice again and again: Protect your customer data. Strike that. Replace “advice” with “imperative.” No, wait.
“Urgent warning.” That’s more like it, given the tumultuous tenor of the times.
Fretting experts opine about data safety. The countless news streams of Facebook CEO Mark “mea culpa” Zuckerberg in front of Congress scream it. And last year’s disastrous data breach that hit 148 million consumers at Equifax—and the subsequent bungling that brought down CEO Richard Smith—hit especially close to home among the forces for good in financial services.
“We’re likely to see additional breaches,” warns Tim Erlin, vice president of product management and strategy for Tripwire. “The data is too attractive to hackers.”
“This will happen again, we just don’t know who or when,” adds Jim Trautwein, senior director of IT for Cornerstone Advisors.
And yet, all of this comes at a time when the business reality remains irrefutable: Banks (and customers) have much to gain when institutions gather as much customer data as possible and slice and dice it to learn everything they can to improve customer service as well as cross-sell and up-sell bank services.
How then can banks take data from their fortressed silos and move it to other sources—often to outside marketing firms or other service providers—without compromising security and perhaps making Equifax-like headlines?
One simple way to improve the security of bank data is to just limit the amount of data used for analysis. Anton Chuvakin, vice president of research for Gartner, points to a movement by European banks to do just that.
“Some Europeans believe one way to effectively reduce data breaches is to reduce the amount of data collected and moved around. If you’re not collecting as much data, it is easier to monitor who touches it,” Chuvakin says. “But I’m not sure that is a good solution.”
To be sure, limiting the amount or type of data used makes sense in some instances. Most data analysis, for example, doesn’t require a customer’s Social Security number, a set of digits lucrative to hackers.
That said, most of the data that banks deploy for analysis is needed.
And so, this reality check: “As banks move toward greater use of digital systems and move more data around their systems, they become more vulnerable to attack,” says Joe Fielding, partner with Bain & Co.
It's true that breaches at financial institutions as well as all businesses are becoming more common. In 2017, data breaches overall hit a new high of 1,579—up 44.7 percent from the prior year, according to the San Diego-based Identity Theft Resource Center. The financial services sector accounted for 134 or 8.5 percent of all breaches.
Financial institutions have always spent lots of time and money setting up secure systems for storing data. So why not put the same effort to secure the end points where data is used? “Banks need to keep their measures up to date and stay one step ahead of hackers,” Trautwein says. “And banks can’t rely on any one single measure of security. Rather, they need a web of different types of security so that if one is breached, the others will secure the data.”
The value of vigilance
While high-tech is great, sometimes basic vigilance goes further. For example, many banks use third-party firms and marketing experts to help them analyze their data. That may require making sure these outside firms that touch bank data are as secure.
“It’s not always new technology as much as constant surveillance,” says Erlin. “Banks need to constantly look at how they’ve configured their security systems and look for vulnerability. Look for holes and then patch them. A lot of the basics remain: strong access control and use of encryption technology.”
Experts add that not all institutions are equal in their efforts. “The difference between what a small credit union or community bank has to protect its data, from what a top-tier bank has, is often night and day,” Chuvakin says.
“Larger banks can throw more money at it than smaller banks,” Trautwein adds. “Smaller banks may spend an equivalent portion of their technology budgets on security as the big banks, but the total spending at big banks is a whole lot larger.”
Still, experts point out that small institutions aren’t automatically more vulnerable—so long as they monitor the third-party vendors they hire.
Damage control, in and away from the spotlight
If your bank suffers a breach, then what? Damage control on the PR front may prove as valuable as restoring data safeguards. Chuvakin notes that a strong post-breach reaction hinges on “the development of a communications plan to explain what happened to customers and the media.”
Customer reaction—and whether they learn of breaches from their bank or the media—is critical. Reading about a big data breach online can lead them to ponder their own bank’s security. What’s more, “Consumers are much more conscious of how their data is being used than they used to be,” Fielding says. “Anyone who has been a victim of ID theft knows it is often a years-long process to get everything straightened out.”
But while customers may insist they would change banks if their institution was hacked or unsecure, security may not top their list of concerns in choosing or switching banks. “I’m not sure security is as big of a factor with consumers as which one has the best rates or the nearest branches,” Chuvakin says.
Here’s where things get trickier. Consumers also want access to their bank data electronically—which often makes it vulnerable to outside attacks. “During income tax time, for example, they want to log on to the bank and pull up both investment and credit card records to help with filings,” Trautwein says. “They don’t want paper files anymore.”
With the April tax deadline recently passed, it remains to be seen whether consumer disdain for paperwork leads to breach headlines in the papers. All that’s for certain for now (besides taxes, of course), is that consumer education and communication must continue to play a critical role into 2018 and beyond.
Fielding sums it up this way: “Banks don’t want to come across as putting the burden on their customers. But they need to do more customer education around security.”
Fact: Industry data backs this up.
Want more Banking Strategies? Sign up for our free newsletter!
Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications.
If you enjoyed, this article, check out our recent Executive Report: Fraud and cybersecurity: Staying steps ahead.