Over the past few years, data breaches have increased in frequency and size, making the need to protect sensitive information a top priority for businesses worldwide. According to recent reports, there were 888 data breaches in the first half of 2015 alone, compromising 246 million data records of customers’ personal and financial information worldwide. Big names targeted and exposed in the last 12 months not only include TalkTalk and Carphone Warehouse, but also reputable financial institutions such as Morgan Stanley, Barclays Bank, Lloyds Bank and even the European Central Bank. 

The financial services industry accounts for almost 15% of all data records stolen, demonstrating that even big players with more money to invest in security are not necessarily better protected. Banks are vulnerable to cyber-attacks which can be damaging both to the institution’s reputation and bottom line, as well as to customers’ confidence in the entire financial sector. In fact, a recent survey shows that nearly two-thirds (64%) of consumers are unlikely to do business with an organisation that has experienced a breach where financial information was stolen. Against that backdrop, what can banks and other financial institutions do to protect themselves and guarantee the protection of the data they manage in 2016? 

Banks and other financial institutions often underestimate the magnitude of the risk to their business-critical data while it’s in transit across public or private data networks. It’s not simply systems and servers that are vulnerable to attack. Most banks today need to send and receive data across both internal and external networks, so that it carries its own degree of risk exposure. From the moment data is in motion, organisations are no longer in control.  

In this context, financial institutions should assume that traditional prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security that can defend data once criminals get into the network. Instead, banks can move to a framework that is centred on the data itself, and provides protection that stays with it, no matter where it is being sent. 

One way to achieve this is with encryption, which enables banks to maintain control of their data, even when it is deployed in the cloud or in their data centre. The only way that banks can maintain business and customer trust in their brand is by encrypting all of their financial and customer information, both in storage and in transit. 

In addition, financial institutions should implement multi-factor authentication- a security system which requires more than one method of verification of a user’s identity in order to allow access to data- as well as the use of hardware security modules (HSMs), a type of electronic safe used by some of the most security-conscious organisations in the world to store their cryptographic keys, securely managing, processing, and storing them inside a hardened, tamper-resistant device.  

With threats changing daily, meeting the minimum legal requirements is no longer enough. In 2016,

financial institutions will need to be continually vigilant and take a multi-layered, dynamic approach to data security which will allow them to be safe in the knowledge that their data is protected, whether or not a breach occurs. Next year, only banks that adopt a 'secure breach' approach, consisting of a combination of strong authentication, data encryption and key management, will be able to be confident that data is useless should it fall into unauthorised hands.