See how Metomic helped a FinServ company reduce the impact of any future data breaches
Organisations operating in the financial services sector must be hyper-vigilant when it comes to protecting their customer data, to preserve trust and maintain compliance with strict industry standards.
At one such FinServ company, the Information Security Manager was seeking the easiest way to build an information security program that notified employees, and enabled them to understand that they were handling sensitive data, without going into stringent controls that locked down productivity.
A fast-growing scale-up, the business had expanded from 40 employees to 500 within the space of two years. Due to the velocity of growth, the data security processes in place were immature, with employees working at a fast pace to ensure tasks were completed as efficiently as possible.
The team’s objective was to introduce a data security solution that caused minimal friction, whilst alerting employees to the Personally Identifiable Information (PII) they were handling in their SaaS applications.
‘I’m very aware of that “us versus them” culture,’ the Information Security Manager explains, referencing the divide between security teams and the wider workforce. ‘I wasn’t going to do things that way. Security is a business enabler, not a business enforcer, so making sure that people understand we are here to help is key.’
Ensuring that every individual within the business was aware of security issues became a vital factor in his strategy. His role was to educate the team on the sensitivity of the data they were handling on a daily basis, rather than making them feel as though they had made mistakes. ‘I’m here to explain why this is the way it is,’ he says.
When the team were considering data security tools to suit the organisation, their initial apprehensions were alleviated upon meeting the Metomic team. ‘One of our biggest concerns was giving upfront permissions to integrate with Google. The team at Metomic were willing to sit down with us, and help us understand exactly how it all worked, whereas other vendors did not.’
The Information Security Manager also appreciated that his team could take their time understanding the platform, configuring it to their needs, with a ‘crawl, walk, run approach,’ helping them to implement their own rules, such as revoking file permissions in Slack and Google Drive to limit access to critical assets.
While the first part of the rollout involved the security team receiving alerts on any data security violations, the second phase saw employees themselves receiving notifications so they could understand when violations were occurring and change their behaviours accordingly.
This slower, controlled implementation allowed the entire workforce to understand how Metomic worked, why it was being used, and how it benefited the business. With all communications flowing through Slack, this method of easing the team into receiving alerts themselves worked well, and helped to educate the workforce, establishing a more security-conscious culture.
The support of the Metomic team also proved invaluable, with the Information Security Manager enjoying the opportunity to give feedback, and communicate regularly with Metomic experts.
As mentioned previously, the immature processes in place were outdated, and not fit for purpose for a growing business.
Employees were sharing information with one another, without understanding best practices around data security. Metomic uncovered these processes for the FinServ company’s security team, bringing urgent issues to their attention. ‘At first it was a case of finding a document that wasn’t controlled properly,’ the Information Security Manager explains, ‘which we thought was a one-off.’
But the issue kept recurring.
As part of his investigation into the reasoning behind the documents’ existence, he began discussions with the authors. What he discovered was a gap in data security knowledge, with employees operating in the same way for years despite the company’s rapid growth.
‘The team had never been informed they could not use these processes until it entered my radar. Metomic helped highlight the issue, and then helped me put controls in place, to stop this happening in the future.’
Implementing Metomic has resulted in increased sensitivity to data handling across the entire workforce. Employees now respond promptly to alerts, contributing to a more security-aware culture: ‘Now when we get an alert notification, everyone thinks, “let’s call Infosec.” It’s great to see that everybody has that reflex, thanks to a better understanding of how to behave with sensitive data.
‘Our Google Drive is in a much healthier state from a privacy and data protection standpoint. We’re at less risk of a data breach because of the Metomic detections we have in place.’