How data breaches can trigger a massive client exodus for banks

From breaking trust to breaking banks, digital attacks are becoming more powerful than ever.

When it comes to customer retention, data attacks could possibly be the worst nightmare for any company. Thousands of clients around the globe have already left compromised banks for those with a cleaner track record. In fact, seven in ten customers will not think twice to leave their bank once a data breach occurs, making customer loyalty one of the major casualties of a brittle digital backbone. Almost 90% of organisations globally have revealed being affected by new DDoS-enabled breaches.

Due to the presence of the five largest banks in the world as well as the highest penetration rates for mobile banking and mobile payments, Asia remains the most vulnerable to security attacks. Add to this reputation the region’s feeble policy-making, weak regulatory environments, and subpar enforcement, and it becomes a haven for notorious cybercriminals.

In general, financial institutions, wherever they are located, have it worse when it comes to data breaches. According to the 2017 Cost of Data Breach Study by Ponemon Insitute LLC and IBM Security, financial institutions incur an estimated $245 per stolen record, way above the global average of $141.

Tim Liu, chief technology officer, Hillstone Networks said that customers have a long-held assumption that their money is protected from robbery or theft in financial institutions. Given head-to-head competition in the banking industry, it is not a difficult matter for customers to find the latest digital solution and switch firms. Liu said that as customers have stayed away from scandal-plagued firms in the past, so will they avoid those with security breaches in the present.

“Considering the high profile cyber breaches in 2017, such as WannaCry and Petya Ransomware attacks, businesses and consumers are more aware of the levels of disruption and problems that cyberattacks can cause. This places an increasing pressure for companies to ensure that the data is well protected, especially given the increasing data volume and value of personal information,” said Sanjay Rohatgi, senior vice president, Asia Pacific, Symantec.

What’s at stake?
Whilst data leaks at corporations and government agencies sound devastating, security breaches in financial institutions prove to be more disastrous. According to Liu, the proximity to customers’ financial assets means that direct monetary loss is a huge possibility. IBM Security and Ponemon Institute estimated that the global average cost of a data breach in 2017 is at $3.62m, more for a financial institution.

To calculate the cost, IBM and Ponemon collected both the firm’s direct and indirect expenses, such as engaging forensic experts, outsourcing hotline support, and providing free credit monitoring subscriptions and discounts for future products and services. On the other hand, indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.

However, companies with money to burn should realise that immediate financial losses are small compared to the damage inflicted on a brand and its customers’ trust. For instance, Gemalto’s Data Breaches and Customer Loyalty 2017 Survey reports that almost half (49%) of consumers worldwide would unlikely do business with a firm that had experienced a data breach involving the loss of personal information.

Mohan Veloo, chief technology officer, Asia Pacific, F5 Networks, said that this should not come as a surprise considering recent news that revealed a 41-gigabyte file of usernames and passwords in the Dark Web. Hackers are getting sneakier by the day, and are finding more ways to extract information to suit their needs.

"Globally a total of 1.1 billion identities have been exposed in data breaches in 2016, almost twice the amount observed in 2015. This places an increasing pressure for companies to ensure that the data is well protected, especially given the increasing data volume and value of personal information,” Rohatgi said.

Basic hygiene
According to Nilesh Mistry, head of Asia Pacific & vice president, World Wide Technology, Inc., even organisations with hefty cybersecurity budgets and mature risk management, governance, and privacy programs are affected. It is thus important for organisations to clearly understand their legal obligations, particularly in preparation for compliance with standards, frameworks, and regulations.

Robin Schmitt, general manager, Asia-Pacific at Neustar, said that the fear of reputational damage and loss of customer trust are the key drivers behind the increase in DDoS defense investments in the region. Two in ten respondents to Neustar’s survey, strengthened their DDoS defenses to preserve customer loyalty and confidence.

“To ensure adequate measures some basic questions need to be addressed. For example, are youconfident that you have an adequate inventory of all your assets? Do you have visibility across those assets? Can you detect unauthorised activity, and if so, can you detect an adversary that is already embedded in your network? These questions may seem simple, but many FI’s struggle with some of these basics,” Mistry added.

More than the obvious needs to update capacity in terms of machine learning and artificial intelligence, firms must go back to the basic security hygiene. Mistry said that firms must cover all bases and encompass how server, end-user computing, networking and software development teams use outsourced infrastructure in the form of SaaS, PaaS, and IaaS, amongst others. He added that organisations need to consider segmenting their enterprise in order to help prevent the hacker from moving deeper inside and moving laterally.

Jeffrey Kok, technical director, Asia Pacific, CyberArk said that as notification legislation becomes more common around the world, banks are driven to disclose the full facts of a data compromise to their customers as soon as the information is available. Banks need to remind themselves that the customer always has a right to know the firm’s situation, even if the company’s reputation seems to be on the line. Kok added that transparency is now not only a legal requirement, but a moral one.

Customers security
Despite the clamour for tighter data security measures across the region, analysts show that consumers are also partly to blame for the demise of customer loyalty. Gemalto’s Data Breaches and Customer Loyalty 2017 Survey reports that two in five consumers do not take advantage of robust solutions available such as two-factor authentication, an added layer of security that notifies users whenever their accounts are logged in on devices. Also, half of consumers continue to use the same password for multiple accounts, a big no-no in terms of personal cybersecurity.

According to Veloo, customers can take a few steps to ensure basic security hygiene: mindfulness in installing apps, choosing a strong password, ensuring auto-updates, and encryption. They must be aware that a single rogue app can do significant damage, and that a passphrase consisting of random words will be more difficult to decode than passwords such as qwertyuiop123.

Rohatgi noted, “Security technology may be able to secure our networks and endpoints, but none of these are effective against human errors. Cybercriminals are aware of these and seek to exploit what they perceive to be the weakest link in the chain – humans. Cyber security needs to be a conscious effort by all parties and requires good digital hygiene on the part of everyone; both at home, and in the office.”

Lastly, Rohatgi emphasised that employees should also secure their accounts, not just the customers. He said that it is important for employees to remain vigilant on a personal level by updating regularly; subscribing to manufacturers’ mailing lists to be altered of important security updates; installing security software on their PCs to ensure that their IoT devices are not being controlled by others; avoiding opening emails from unknown senders; and looking for the padlock and checking the SSL certificate on any sites where they enter sensitive data.