Rising Data Carelessness

17 September 2020


Expert:         Ann Bevitt, Cooley
Facilitator:   David Masters & Danny Calogero, Lansons 

Key message

The cyber security threat to businesses and their data has increased dramatically since lockdown and the rise in employees working from home. The threat is constant; training employees is key to avoiding data breaches and becoming victims of cyber-crime. 

Headlines

  • There has been a marked increase in cyber-attacks on employees and a surge in the success rate of those attacks. Mimecast found that impersonation fraud jumped significantly during the first 100 days of lockdown
  • Providers and third parties of all kinds are a source of risk and a potential route in for attackers
  • In the last month to six weeks, data transfers have become a hot topic – especially in relation to the US
  • There is a trend towards data localisation – companies tending to keep data within the EEA, so that they do not have to worry about data being transferred to the US 

Key themes

One of the key risks to data currently, and in the future of working from home, is the large number of confidential documents that people have been printing at home with no way to dispose of them securely.

There has been a significant uptick in the volume of phishing emails. It is incredibly easy for fraudsters to copy email addresses and put together convincing mock emails, especially for payment approvals. Delegates noted a quantum leap in this area.

Phishing attacks are not just instant – more dormant, long-term attacks are happening. These target not only employees but can also be aimed at suppliers and third-party providers. Companies are only as secure as their weakest link. Committing to regular training for employees (quarterly is recommended), mimicking the most realistic scenarios, is one of the best ways to combat this.

Delegates discussed reviewing and changing third-party cloud, security and software providers. Providers specialising in asset management and data are one option delegates recommended, as they understand the issues faced by asset management and advisory firms. Firewalls and dual authentication for invoice payments can help to reduce instances of fraud and data breaches.

Malware attacks come in various forms and do not only target businesses; they are frequently aimed at personal email accounts, for example through fake emails purporting to come from a child's school. Training needs to be suitable for the audience: attackers target people at their weakest points, so a continuous training exercise can help.

The issue of personal data storage and data transfer is an increasing risk within the asset management industry.

In the last month to eight weeks, data transfers have become a really hot topic – especially transfers to the US. In July the European Court of Justice ruled that EU/US data transfers with no extra measures are now invalid.

Brexit poses a slight challenge in terms of data protection. As a member of the EU, the UK has been subject to EU rules and the GDPR; the UK Data Protection Act consolidated this. When the transition agreement ends, the GDPR will continue to apply as part of UK law, but it will require changes. The UK GDPR will be implemented alongside the existing EU GDPR regime.

As the use of cloud computing continues to increase, there is a major issue in terms of where data is stored. If it is in the US, companies can face significant fines. Businesses must question their cloud providers on where they are storing data and whether they are transferring it abroad – particularly if that is outside the EEA.

Ann urged delegates and their firms to check with their cloud provider what it is doing with their data and in which jurisdiction the data is being stored, as this could have significant implications. Providers are already receiving, and expect further, questions about where data is stored. One example is that EU firms might not want their data stored in the US until the EU and US have another agreement in place. Microsoft allows organisations to have a local cloud so that data transfers do not take place across jurisdictions.

In terms of annual due diligence, businesses should look at where the regulators are focusing and question providers on those topics. 

Conclusions

  • Cyber security presents a real risk for businesses. Organisations need to actively engage with this risk, which is constantly changing and becoming more sophisticated. The significant increase in remote working over the last six months has helped the spread of attacks.
  • Training is the answer: it must be regular, engaging, realistic and pertinent, and it should use statistics to engage businesses and employees.
  • Data transfers will continue to be a hot topic. Businesses must question outsourced providers and ask where they are storing data; the issue is not going away. Businesses must know where their data is, whether it is allowed to be there, and how it is being protected there. Ann recommends an audit and following developments in the data protection world.
  • Brexit is a live and ongoing issue. The problem lies with the EU rather than the UK, as the UK has agreed to have a system similar to the GDPR. A transfer of data from the UK to the EU is fine, but moving data from the EU to the UK may raise issues, as there is currently no agreement.