As banks and financial services institutes (BFSI) across the region continue to deal with the COVID-19 pandemic, the ripple effects are driving growing uptake of open banking and banking ecosystems.
However, as more data is generated and stored in “safes” within the business, more locks and keys appear, meaning more employees have access to sensitive data. Over time, it can be difficult to keep track of who holds these keys.
In the financial industry, data is the currency of business, and when skeleton keys to sensitive financial data are misplaced or misused, the cost to businesses can be extensive: a study by Gartner places this amount at upwards of USD 15 million per firm.
This begs the question: Who holds the key to sensitive financial data in the organisation, and should they?
The disadvantages of fragmented data ecosystems
Financial data runs in the veins of BFSI digital infrastructures. Employees across different departments such as product managers, department managers, and operations groups may have access to the data warehouse and data marts.
Keys are scattered everywhere across the organisation. If you don’t already regularly review which users have access to sensitive data, the hunt now begins to collate a list of users with access to these databases and database backups, along with the system administrators who can reach them.
Changes need to be known and documented, and access updated or revoked to reflect those changes. Employees may switch teams or have their responsibilities shift, often retaining unnecessary access long after those changes have happened.
There’s room for improvement in communication and process so that system access is updated to reflect employee changes sooner rather than later, reducing risk. Shadow IT, where access isn’t audited and the systems are often neither monitored nor accurately documented, presents additional challenges in access management.
Data that isn’t consistent across all financial planning systems can pose significant risks to organisations and to market functioning, from both a reputational and a financial perspective. Case in point: 70% of financial institutions with less efficient processes cited missing out on business due to customers being flagged erroneously as a financial crime risk. Now’s the time to do an access audit and remediation. Then, put processes in place to monitor for changes and remediate faster in future, along with regularly scheduled audits.
Securing these fragmented ecosystems
Additionally, as many banks across the region continue to support a remote workforce, bad actors gain more opportunities to operate, and internal security teams find it harder to investigate insider threats and suspicious activities.
In fact, 45% of APAC businesses experienced a breach or failed a compliance audit. This may be due to recent increased work-from-home measures, as employees may use personal devices in place of company equipment, and those devices lack the same security controls, significantly increasing the risks to sensitive business and financial data.
There’s an urgent need to secure your financial data, now more than ever. But those experienced with access rights management may have found the process isn’t as simple as doing a quick check on which users have access to data in the financial system, or asking a system administrator to run a report. Understanding who has access to the system where the data originates is a great place to start; it’s just not the whole story.
Determine the data structure and who can have access
The list of users who have access to financial data may include those who have access to create and view financial transactions, and those who create and view reports. But there’s more to think about, even in the scope of the financial system.
Some other questions to ask would be:
- Who has access to the application database?
- Who has access to database backups?
- Who has access to the machine(s) on which the system is running?
- Does the system have functionality to automatically export reports? If so, where are reports exported to?
- Who has access to the information within the application?
- Is that information integrated into any other applications? Who has access to it there?
- Does anyone have access to the file structures housing the data?
Group memberships should also be periodically reviewed to ensure users are promptly removed from groups when they change teams or their responsibilities change. Now, the list of users includes application users, database administrators, system administrators, and those with access to the reports and the file shares.
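The audit described above, as an added example that is not from the article or SolarWinds: a small Python script collates access grants from the sources the questions list (application, database, backups, host, report share), joins them to an HR roster and an entitlement policy, flags orphaned or no-longer-entitled access, and diffs two snapshots for ongoing change monitoring. All users, systems, groups and teams are constructed sample data.

```python
# Added example: minimal access-rights audit over a constructed inventory.
from collections import defaultdict

# Constructed grants: (user, system, group) collected from each system.
GRANTS = [
    ("alice", "ledger-app",   "finance-readers"),
    ("alice", "ledger-db",    "db-admins"),
    ("bob",   "ledger-app",   "finance-readers"),   # bob moved to ops
    ("bob",   "backup-vault", "backup-operators"),
    ("carol", "ledger-host",  "sysadmins"),
    ("dave",  "report-share", "reports-readonly"),
    ("erin",  "ledger-db",    "db-admins"),         # erin has left the firm
]
# Constructed HR roster: current team per user; departed users are absent.
ROSTER = {"alice": "data-platform", "bob": "ops", "carol": "ops", "dave": "product"}
# Constructed entitlement policy: which groups each team may hold.
ENTITLEMENTS = {
    "data-platform": {"db-admins"},
    "ops": {"sysadmins", "backup-operators"},
    "product": {"reports-readonly", "finance-readers"},
}

def audit(grants, roster, entitlements):
    """Classify each grant as 'ok', 'orphaned' (holder not on the roster)
    or 'not_entitled' (holder's current team may not hold that group)."""
    findings = []
    for user, system, group in grants:
        team = roster.get(user)
        if team is None:
            status = "orphaned"
        elif group not in entitlements.get(team, set()):
            status = "not_entitled"
        else:
            status = "ok"
        findings.append((status, user, system, group))
    return findings

def key_holders(grants):
    """Answer 'who has access to X?' for every system in the inventory."""
    holders = defaultdict(set)
    for user, system, _ in grants:
        holders[system].add(user)
    return dict(holders)

def diff_snapshots(old, new):
    """Grants gained and lost between two audits, for change monitoring."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)

if __name__ == "__main__":
    for finding in audit(GRANTS, ROSTER, ENTITLEMENTS):
        if finding[0] != "ok":
            print("REVIEW", *finding)
```

Running the script reports erin's orphaned database access and the finance-readers grants that alice and bob kept after changing teams; feeding each scheduled export into diff_snapshots surfaces new grants between audits.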
Access control management is the key fob holding the passwords, tokens, keys, and certificates that come with privileged access, integrating that access with identity management for each application an organisation adopts.
To meet the growing demands of banking customers for uninterrupted access to data and services, an overarching strategy encompassing regular auditing for both regulatory compliance and organisational security is necessary, or businesses could find themselves spending upwards of USD 19 million per year on reparations.
The future of banking and financial services
To minimise internal lapses, an access rights manager can help not only to quickly identify which users hold the keys to the data safes in the organisation, but also to help IT departments improve compliance by detecting changes, understanding and acting on high-risk access, and finding efficiencies and controlling costs amid tightening budgets.
As the pandemic continues to supercharge the evolution of banking innovation, fintech, and the accompanying regulations, the efficiency and security standards to which a financial institution manages its financial data can become a defining factor of business success. A holistic approach to data and access control management is no longer a nice-to-have but a must for those who want to keep ahead in the rapidly changing economic landscape.
Chrystal Taylor is Head Geek at SolarWinds