
A balancing act: How banks can build customer trust and avoid millions in regulatory fines

In a world where banks have had to rapidly accelerate their digital transformation plans, how can they ensure their data protection strategies measure up?


Financial institutions are increasingly under the regulatory microscope. The UAE has recently made substantial efforts to improve the way in which personal data is used, stored, secured and processed. With the introduction of the DIFC’s Data Protection Law, and industry-specific regulations such as the UAE Central Bank’s Financial Consumer Protection Regulatory Framework – which includes significant fines of up to AED100,000 and licence suspension for up to one year for non-compliance – businesses are compelled to do more to protect consumer data.


At the same time, the rise of online and mobile banking services has seen banks being entrusted with vast amounts of highly sensitive personal customer data – data which is growing at an exponential rate. Analysts predict the amount of data the world will be storing will grow from 33ZB in 2018 to 175ZB by 2025. As a result, banks and businesses have had to rapidly extend their IT infrastructures with complex combinations of cloud, virtual and on-premises infrastructures that can become increasingly fragmented and harder to manage. Recent Veritas research found that most businesses are struggling with this – just 36% of respondents in KSA and the UAE said that their security has kept pace with their IT complexity, highlighting that the majority are suffering from a transformation gap where their security measures lag behind their complex IT infrastructures. This means they have less visibility and control of their data than ever before.

If businesses continue on this trajectory, they risk leaving themselves exposed to a triple-threat of becoming victim to cybercrime, facing hefty fines for regulatory non-compliance and eroding consumer trust. The truth is, cybercriminals have already been taking advantage of this ‘gap’ – in the past year alone, the UAE recorded a staggering 250% increase in cyber-attacks.

A game of trust

When customers choose a bank to do business with, they hand over highly sensitive personal information which they expect to be treated with the utmost care and security. If this data falls into the wrong hands, it could damage livelihoods beyond repair. Ultimately, this boils down to one word: trust. It’s a concept that the industry relies upon to attract and retain customers.

But building an industry on collecting and using highly sensitive customer data is a double-edged sword – while banks can take advantage of a vast pool of valuable customer data to offer personalised services and explore new revenue streams, it also makes them a very attractive target for cybercriminals.

In fact, nearly two thirds (63%) of businesses in the banking sector admitted to having been the victim of a ransomware attack at some point in their history. Despite the frequency of attacks, 46% have either never tested their disaster recovery plans against a ransomware attack or have not tested them in over 90 days. In addition, research conducted by the Ponemon Institute reported that in the last year, the cost of all data breaches in KSA and the UAE increased by 9.4%. On average, these occurrences cost organisations in the region $6.53 million per breach, which is 70% more than the global average of $3.86 million. Notably, the average time it takes for organisations in KSA and the UAE to detect a data breach is 269 days, not including the 100 days it takes to contain the breach.

Taking back control

In a world where banks have had to rapidly accelerate their digital transformation plans and fundamentally shift the way in which they operate in the height of a global pandemic, how can they ensure their data protection strategies measure up?

Before simply jumping into any course of action, it’s essential to understand what data they have, its value, where it needs to sit, who should access it and how long it needs to be held for. This data visibility doesn’t need to just be a defence measure though; gaining a better understanding of the data they hold can help banks identify trends and insights that can enable them to offer better customer experiences or open doors to new revenue streams. Without a full view of this data, businesses are blind to their own potential.

Once they have visibility into their business-critical data, they need to ensure that business continuity and disaster recovery processes are optimised to protect it. In the event of a ransomware attack, an encrypted backup is the only line of defence.

One only needs to look at the recent high-profile attacks in the US to understand the true value of backing up data: Colonial Pipeline paid over $4 million in ransom but still had to rebuild their data from their backups because the hackers’ decryption process was so slow and unreliable. Meanwhile, meat-processing company JBS previously thought that they could restore everything from their backups, but ended up paying $11 million in ransom for two databases that they reportedly could not restore without help. These databases alone were worth paying the ransom for. In both cases, the attacks on these companies were so far-reaching that they impacted the American economy and the day-to-day lives of Americans.

But it’s important to remember that there is no backup plan in place until it’s been tried and tested. Testing disaster recovery plans helps reveal cracks and vulnerabilities that businesses otherwise would never have discovered. Are backups sufficiently isolated to stop an infection from spreading to them, are there enough copies of valuable data, and are those copies being retained for long enough? Only regular fire drills and tests can answer these questions conclusively.
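The three questions above (isolation, number of copies, retention) plus the 90-day testing interval cited earlier can be turned into an automated check over a backup inventory. The script below is an added example, not code from the original article or from Veritas; the policy thresholds, the `BackupCopy` record and the sample inventory are all assumptions constructed for illustration, and a bank would substitute its own recovery objectives and regulatory retention periods.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (assumed here for illustration; in practice they come from
# the institution's recovery objectives and the regulator's retention rules).
POLICY = {
    "min_copies": 3,             # at least three copies of each dataset
    "min_isolated_copies": 1,    # at least one offline / immutable copy
    "min_retention_days": 90,    # every copy retained for at least 90 days
    "max_restore_test_age": 90,  # a successful restore test within 90 days
}


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    location: str
    isolated: bool                     # offline, air-gapped or immutable storage
    retention_days: int
    last_restore_test: Optional[date]  # None means never restore-tested


def audit_backups(copies: List[BackupCopy], policy: dict, today: date) -> Dict[str, List[str]]:
    """Return, per dataset, the list of policy gaps (an empty list means compliant)."""
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    findings: Dict[str, List[str]] = {}
    for dataset, group in by_dataset.items():
        issues: List[str] = []
        if len(group) < policy["min_copies"]:
            issues.append(f"only {len(group)} copies, need {policy['min_copies']}")
        if sum(1 for c in group if c.isolated) < policy["min_isolated_copies"]:
            issues.append("no isolated copy: ransomware on the network could reach every copy")
        short = [c.location for c in group if c.retention_days < policy["min_retention_days"]]
        if short:
            issues.append(f"retention below {policy['min_retention_days']} days at {', '.join(short)}")
        tests = [c.last_restore_test for c in group if c.last_restore_test is not None]
        if not tests:
            issues.append("restore never tested")
        else:
            age = (today - max(tests)).days
            if age > policy["max_restore_test_age"]:
                issues.append(f"last restore test {age} days ago")
        findings[dataset] = issues
    return findings


# Constructed sample inventory (not real data): one dataset that meets the
# policy and one that fails on every count.
SAMPLE_INVENTORY = [
    BackupCopy("core-ledger", "dc1-disk", False, 180, date(2021, 9, 20)),
    BackupCopy("core-ledger", "cloud-object-store", False, 365, date(2021, 9, 20)),
    BackupCopy("core-ledger", "offsite-tape", True, 2555, date(2021, 8, 1)),
    BackupCopy("kyc-documents", "dc1-disk", False, 30, date(2021, 5, 1)),
    BackupCopy("kyc-documents", "dc2-disk", False, 30, None),
]


def sample_report(today: date = date(2021, 10, 1)) -> Dict[str, List[str]]:
    """Audit the constructed inventory as of a fixed date so results are reproducible."""
    return audit_backups(SAMPLE_INVENTORY, POLICY, today)


if __name__ == "__main__":
    for dataset, issues in sample_report().items():
        status = "OK" if not issues else "GAPS: " + "; ".join(issues)
        print(f"{dataset}: {status}")
```

Feeding the audit from the backup platform's real catalogue and running it on a schedule turns "have we tested lately?" from a question asked after an incident into a standing control, and the isolated-copy check is the one that matters most against ransomware, since a copy reachable from a compromised host is not really a backup.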

Whatever the future holds, banks are going to need to be ready to adapt again and again to keep pace. This means having the tools in place to abstract complexity from their IT environments, with robust disaster recovery plans in place to protect their most valuable digital assets. Despite their best efforts, most companies will fail to stop at least one cyberattack over the course of their lifetime. What distinguishes one victim from another is their ability to resist and bounce back. Data responsibility is the foundation of any organisation’s ransomware defence, while a comprehensive data protection platform is the secret weapon.