It’s an extremely powerful tool for companies to learn more about their customers and gain competitive advantage, but the downside is that storing so much personal data is a serious cybersecurity risk, which is why we’re seeing new regulations like GDPR, PSD2 and POPIA springing up to protect people’s data.
In part two of the Investec Focus Radio podcast series on cybersecurity, Kevin Hogan, the Fraud Risk Manager of Private Banking at Investec, talks us through the new regulations and what businesses can do to safeguard their data.
Cybersecurity for business
Big data in a banking context
In the banking context, big data can be used to help prevent fraud, explains Hogan. “Big data allows us to look for anomalies. So for example, if a client is using their credit card, we can track their normal spend patterns. Big data can then say to you, hang on a second, there’s an outlier here, something’s weird.
“That’s the power of big data, it allows you to see the bigger picture that you ordinarily would never see.”
What are GDPR, POPIA and PSD2?
There is a global move towards consumers taking back control of their data, and GDPR is one example, says Hogan. “If you no longer want a company to have your data, do you have the right to ask them not to store your information? Do you want your data to be deleted? What can a company do with your data?”
“If a company has a data breach there are very big fines linked to GDPR. I suppose it’s a big stick to force companies to look after people’s data.”
What are you as an organisation doing to protect that data? How do you store that data? How long do you store that data for?
In South Africa, this international trend has manifested in the Protection of Personal Information Act (POPIA), which was signed into law in November 2013. The act is aimed at protecting people’s data and privacy to stop identity and money theft. It centres on how companies must handle personal information and gives power to the consumer to dictate how their data is used.
The Payment Services Directive (PSD2) is another set of European regulations to regulate payment services and payment service providers. “PSD2 is aimed at big corporates like ours. How do we comply with better security in data standards? So for example, PSD2 will mandate that second-factor authentication is compulsory [when logging on to your online banking app].
“Perhaps even take one step further to say that SMS is no longer really a secure way, now you need to use in-app messaging.” In this globalised world, there’s no doubt that this kind of legislation will soon reach SA shores and many companies, like Investec, are already implementing these new security measures.
What can you do to safeguard your customers’ data?
But this is not enough. Hogan believes that companies need to partner with their clients on data security. “Clients also house their own data and if they get breached, potentially it could have a knock-on effect on you,” explains Hogan, pointing to things like clients being careless with their passwords.
This partnership means companies must help educate their clients. “Tell them what’s out there and how they can best protect themselves, but also obviously internally you’ve got to continually evolve, keep your guard up.”
“I think if you feel that you’ve got it right, don’t rest on your laurels because the goalpost will move next year and the hackers will find another way to breach your environment and get in.”
As technologies like Artificial Intelligence grow in sophistication, so will cyber-attacks, making it inevitable that your company becomes a target at some stage in the future. “I think in the cyber circles, people realise that it’s not a case of ‘if’ but ‘when’ you get hacked. It’s really around having the correct systems and processes to detect it very early and to respond correctly and minimise the damage as much as possible.”
Cyber security is a human problem
“To brute force your way into someone’s phone, onto their laptop, onto their network is very difficult. You have to be a very competent IT cyber attacker to be able to do that,” says Hogan.
“Most of the hackers in the streets are not these sophisticated, brilliantly intelligent guys. These are your mid-level guys. And the best way to get into people’s stuff and companies’ data, is through a human being.
“Human beings know what their usernames and passwords are, all you do is you trick them into giving that information away. Human beings like to click on stuff, so you send them something that’s appealing via email to click on so that they can download a piece of virus that will capture all your usernames and passwords as you type them in.”
Phishing for your information
These emails will try and trick you into clicking links, opening attachments, transferring money or giving away your username and password.
“Social engineering is the primary way that attackers are getting into people’s personal information, into their devices, into their organisations, and that’s why I say this is actually a people problem. If you can sort out the human being, you’ll probably solve 95% of the issue.
“Only 5% of hacks are where they don’t need you, they’re clever enough to just break through. But for most of us, it’s going through the human being and it’s recognising when are you being socially engineered.” And to safeguard your business from this threat, constant anti-fraud education is required, concludes Hogan.
About the author
Lead digital content producer
Ingrid Booth is a consumer magazine journalist who made the successful transition to corporate PR and back into digital publishing. As part of Investec's Brand Centre digital content team, her role entails coordinating and producing multi-media content from across the Group for Investec's publishing platform, Focus.