Facebook, Google, they’re all using it. Big data: taking extremely large data sets and analysing them with machine learning and data mining to reveal hidden patterns, trends and previously unknown correlations in human behaviour.
It’s an extremely powerful tool for companies to learn more about their customers and gain a competitive advantage, but the downside is that storing so much personal data is a serious cybersecurity risk, which is why we’re seeing new regulations like GDPR, PSD2 and POPIA springing up to protect people’s data.
In part two of the Investec Focus Radio podcast series on cybersecurity, Kevin Hogan, the Fraud Risk Manager of Private Banking at Investec, talks us through the new regulations and what businesses can do to safeguard their data.
Big data, big risk
Big data in a banking context
“If you are not going to incorporate big data into your environment, you’re probably going to miss out on big opportunities, especially in the corporate world,” says Hogan.
In the banking context, big data can be used to help prevent fraud, explains Hogan. “Big data allows us to look for anomalies. So for example, if a client is using their credit card, we can track their normal spend patterns. Big data can then say to you, hang on a second, there’s an outlier here, something’s weird.
“That’s the power of big data, it allows you to see the bigger picture that you ordinarily would never see.”
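The spend-pattern anomaly check Hogan describes, as an added example that is not code from Investec or from the podcast: a robust per-client baseline (median and median absolute deviation) is built from constructed card history, and a new transaction is flagged when its amount is far outside that baseline or its merchant country has never been seen for the client. Thresholds, amounts and countries are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample history for one client: (amount, merchant country).
# Made-up values for illustration only, not real transaction data.
HISTORY = [
    (320.0, "ZA"), (145.5, "ZA"), (890.0, "ZA"), (210.0, "ZA"), (56.0, "ZA"),
    (430.0, "ZA"), (275.0, "ZA"), (610.0, "ZA"), (180.0, "ZA"), (95.0, "ZA"),
]


def baseline(history):
    """The client's 'normal spend' profile: median amount, median absolute
    deviation (MAD) of amounts, and the set of countries seen so far.
    Median/MAD are used instead of mean/stddev so a few large purchases
    in the history do not stretch the baseline and hide later outliers."""
    amounts = [amount for amount, _ in history]
    med = median(amounts)
    mad = median(abs(amount - med) for amount in amounts)
    countries = {country for _, country in history}
    return med, mad, countries


def score_transaction(amount, country, history, threshold=3.5):
    """Return (is_outlier, reasons) for a new transaction.

    The amount test uses the modified z-score 0.6745 * (x - median) / MAD;
    3.5 is the conventional cut-off for that statistic (assumed here).
    Only spend above the baseline is flagged: unusually small purchases are
    not the fraud pattern this check is looking for."""
    med, mad, countries = baseline(history)
    reasons = []
    # A client with perfectly uniform spend would give MAD == 0; guard the
    # division so any deviation from that flat pattern is still scored.
    mad = mad if mad > 0 else 1e-9
    modified_z = 0.6745 * (amount - med) / mad
    if modified_z > threshold:
        reasons.append(
            f"amount {amount:.2f} is {modified_z:.1f} robust z-scores above "
            f"median spend {med:.2f}"
        )
    if country not in countries:
        reasons.append(f"merchant country {country} never seen for this client")
    return bool(reasons), reasons


if __name__ == "__main__":
    for amount, country in [(300.0, "ZA"), (15000.0, "ZA"), (300.0, "GB")]:
        flagged, why = score_transaction(amount, country, HISTORY)
        print(f"{amount:>9.2f} {country}: {'OUTLIER' if flagged else 'ok'} {why}")
```

In a real fraud system the baseline would be recomputed per client as history grows and the flag would feed an alert queue rather than block the payment outright.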
What are GDPR, POPIA and PSD2?
The EU General Data Protection Regulation (GDPR) is focused on data privacy. “So GDPR really is around protecting data when someone gives you information, for example, you’re shopping online and you have to give your name, surname and your telephone number. What are you as an organisation doing to protect that data? How do you store that data? How long do you store that data for?”
There is a global move towards consumers taking back control of their data, and GDPR is one example, says Hogan. “If you no longer want a company to have your data, do you have the right to ask them not to store your information? Do you want your data to be deleted? What can a company do with your data?”
“If a company has a data breach there are very big fines linked to GDPR. I suppose it’s a big stick to force companies to look after people’s data.”
In South Africa, this international trend has manifested in the Protection of Personal Information Act (POPIA), which was signed into law in November 2013. The act is aimed at protecting people’s data and privacy to stop identity and money theft. It centres on how companies must handle personal information and gives the consumer the power to dictate how their data is used.
The Payment Services Directive (PSD2) is another set of European regulations, governing payment services and payment service providers. “PSD2 is aimed at big corporates like ours. How do we comply with better security in data standards? So for example, PSD2 will mandate that second-factor authentication is compulsory [when logging on to your online banking app].
“Perhaps even take one step further to say that SMS is no longer really a secure way, now you need to use in-app messaging.” In this globalised world, there’s no doubt that this kind of legislation will soon reach SA shores and many companies, like Investec, are already implementing these new security measures.
What can you do to safeguard your customers’ data?
“It’s your data, and it’s your client’s data. There are certain minimum standards that companies have to comply with, and these are regulated by government,” says Hogan.
But this is not enough. Hogan believes that companies need to partner with their clients on data security. “Clients also house their own data and if they get breached, potentially it could have a knock-on effect on you,” explains Hogan, pointing to things like clients being careless with their passwords.
This partnership means companies must help educate their clients. “Tell them what’s out there and how they can best protect themselves, but also obviously internally you’ve got to continually evolve, keep your guard up.”
“I think if you feel that you’ve got it right, don’t rest on your laurels because the goalpost will move next year and the hackers will find another way to breach your environment and get in.”
As technologies like Artificial Intelligence grow in sophistication, so will cyber-attacks, making it inevitable that your company becomes a target at some stage in the future. “I think in the cyber circles, people realise that it’s not a case of ‘if’ but ‘when’ you get hacked. It’s really around having the correct systems and processes to detect it very early and to respond correctly and minimise the damage as much as possible.”
Cyber security is a human problem
When it comes to attacks on your company, your weakest point is your employees and the way hackers target them is through social engineering – the art of deceiving and manipulating people so they give up confidential information.
“To brute force your way into someone’s phone, onto their laptop, onto their network is very difficult. You have to be a very competent IT cyber attacker to be able to do that,” says Hogan.
“Most of the hackers in the streets are not these sophisticated, brilliantly intelligent guys. These are your mid-level guys. And the best way to get into people’s stuff and companies’ data, is through a human being.
“Human beings know what their usernames and passwords are, all you do is you trick them into giving that information away. Human beings like to click on stuff, so you send them something that’s appealing via email to click on so that they can download a piece of virus that will capture all your usernames and passwords as you type them in.”
Phishing for your information
Phishing emails are one of the most common social engineering tools. These vary from really bad, obviously fraudulent emails riddled with spelling errors and misinformation, to “very sophisticated phishing emails that look like they come from your company or a colleague with all the correct context, logos and everything. They’re extremely convincing,” explains Hogan. If you get one of these “official”-looking emails, the stats show there’s an 88% likelihood that you’ll respond to it.
These emails will try and trick you into clicking links, opening attachments, transferring money or giving away your username and password.
“Social engineering is the primary way that attackers are getting into people’s personal information, into their devices, into their organisations, and that’s why I say this is actually a people problem. If you can sort out the human being, you’ll probably solve 95% of the issue.
“Only 5% of hacks are where they don’t need you, they’re clever enough to just break through. But for most of us, it’s going through the human being and it’s recognising when are you being socially engineered.” And to safeguard your business from this threat, constant anti-fraud education is required, concludes Hogan.
About the author
Lead digital content producer
Ingrid Booth is a consumer magazine journalist who made the successful transition to corporate PR and back into digital publishing. As part of Investec's Brand Centre digital content team, her role entails coordinating and producing multi-media content from across the Group for Investec's publishing platform, Focus.