Solving the Data Governance Nightmare

AI-based data governance solutions let financial firms benefit from powerful deep learning technology that improves data access and activity governance.


Data governance is relevant for every industry, but for several sectors, including financial services, deploying robust data protection and governance strategies is absolutely critical. The risks are higher, and it's not even about the data type; in finance, customer trust means everything.

When it comes to customer trust regarding data protection, the numbers are shocking. According to a recent McKinsey survey, no industry managed a trust rating of 50%.

The key lingering questions for the financial sector are:

  *   How do we protect all that data if we don't know what we need to protect?
  *   Where is the risk to business-critical data?
  *   How do we prevent data loss from inappropriate entitlements, permissions, sharing or unauthorized access?

Also critical for financial services organizations, in particular, is that they have not only their clients' data to secure, but their own intellectual property to protect. After all, their intellectual property is how they make money, and they will guard it with their lives.

For the financial industry, a company's IP is essentially its secret sauce. As such, they need an information walled garden around these critical pieces of data with the right sets of access policies and controls around it.

In this article, we'll explore a few specific use cases that underscore how crucial data protection and data governance are for the financial industry. Then, we'll explain some of the best strategies your organization can deploy for easy and effective data discovery, risk monitoring and remediation of business-critical data.

Three data governance use cases

When it comes to how data governance can turn into a nightmare for an organization, we have heard numerous stories from potential customers and current clients. Here are three that stand out, with the first two highlighting the importance of proper off-boarding procedures. The names have been changed to protect the innocent.

The CFO who still has access after leaving the company

When an employee leaves an organization, far too often some of their access rights stay intact. When you think about it, this is not surprising given the sheer amount of confidential and private data financial organizations have to manage.

In one example, a CFO shared a significant amount of corporate data using her personal email address. One of the files happened to be a strategy document that was specifically created by the company's CEO.

What if that data fell into the wrong hands?


Retired executive admin with access to the company's most confidential information

In another example, a company had an executive administrator who retired after many years with the organization. As an admin for many of the executives over the years, she had access to the most confidential data inside the entire company. She had access to many of the SharePoint sites within the corporate resources. Throughout her tenure, she shared many files with her personal account so she could work from home.

Even after retirement, she still had access to a vast number of files. Thankfully, in this case, the security team was able to vouch for her credibility, but the situation still impeded the company's security posture.

What if her personal account had been compromised?

IT staff with too much access to lending data

When you apply for a mortgage, you are providing perhaps the most personally identifiable information (PII) for any financial transaction in your lifetime. The mortgage industry in particular handles a lot of PII, including bank account numbers, statements, credit card numbers or statements, W-2s and much more.

In this example, a mortgage company had a mortgage application document full of client data that was somehow accessible by the IT staff. While loan officers and other parties with need-to-know access should be able to access customer applications, IT staff does not fall under that category.

In this case, the IT staff member noticed the overly permissive access and quickly initiated a sweeping change to their policies.

But what if the employee wasn't so honest?

Solving the data governance nightmare

How most companies approach data access

Too many organizations leave data governance to their end users. With this method, everyone in the company must ensure that the data they own has the correct entitlements, is shared appropriately and has the right sets of permissions (so that it is accessible to, and accessed by, only the right sets of personnel).

What are the chances of that working well?

Not good at all. Even if there are individuals who are motivated enough, most of the time they will not pay close attention. User errors on this front are the leading cause of data loss.

The proper approach to data governance

To help resolve the data security issues in the financial services industry, including in the above examples, you should seek out a data governance solution that can address three crucial steps.

Step 1: First, you'll need to identify exactly what type of data is accessible. Additionally, you should be able to scan all of your organization's data and present the results in a user-friendly dashboard that charts the risk.

Step 2: Second, your company should be able to ascertain the data type, who has access to it and whether it has the correct permissions and has been shared appropriately inside or outside the company. Discovery of the data type and risk profile are key here.

Step 3: And finally, more advanced solutions can even autonomously remediate the issues and programmatically remove any unauthorized access and prevent data loss.

Most data governance tools require companies to use regex parsing or pattern matching to discover sensitive data, placing a heavy burden on security teams to operationalize their data security programs. However, newer, best-of-breed solutions leverage AI models that have been built specifically to identify business-critical data, classify and monitor risk, and remediate risk to sensitive data -- all without rules, regex or taxing end users. This allows enterprises to discover, monitor and protect their data without relying on large teams or burdening security teams with a lot of work to administer and derive value from their data security solutions. Even for financial organizations that still rely heavily on paper-and-pencil documents, these AI models use optical character recognition (OCR) to convert those scanned documents into text so they can be handled like any other document.

In addition, modern solutions can autonomously identify where business-critical data may be at risk for financial organizations. Whether it's inappropriate sharing, wrong entitlements, unauthorized activity or wrong location, organizations are relieved of the burden of knowing what to look for or having to pre-define policies.

Modern AI-based data governance solutions allow financial firms to benefit from powerful deep learning technology that improves data access and activity governance by giving you an unparalleled contextual understanding of your structured and unstructured data, wherever it's stored. You'll be able to identify business-critical data, understand how it's used, identify any risks and mitigate them to prevent data loss and satisfy security and privacy mandates.

Ultimately, autonomous data governance is key to effective data security for financial services organizations.

Karthik Krishnan


Karthik Krishnan is founder and CEO at Concentric.

Prior to Concentric, he was VP, security products at Aruba/HPE. He was VP, products at Niara, a security analytics company.

He has a bachelor's in engineering from Indian Institute of Technology and an MBA with distinction from the Kellogg School of Management, where he was an F.C. Austin scholar.

