
Can changing employees' behaviour mitigate business risk?

In last month’s Information Security Forum, CEO Steve Durbin called for changing employees’ behaviour with regard to security and data privacy as a way to reduce business risk. His argument resonates strongly with the financial services world, where there’s ever-increasing pressure to apply tougher governance and more thorough risk mitigation.

There’s a fundamental tension for financial services organisations between being open businesses that serve their customers’ needs anytime, anywhere via any channel, and at the same time enforcing data security requirements to the highest standards.

The pressure to reconcile these divergent forces is complicated by a new wave of Millennial employees entering the workforce. These digitally savvy youngsters, who were born just before and after 2000 and have grown up with technology, have an outlook and set of behaviours that are quite different from those of any generation before them. A growing number of independent studies suggest that these new employees, who will be vital to how financial services organisations become more digital in their customer and business processes, could pose a challenge for CISOs and their teams working on data protection and compliance.

For example, a recent study from KPMG revealed that tech-savvy youngsters pose one of the greatest threats to enterprise security, resulting in an almost threefold increase (285%) in fraud cases involving defendants aged between 26 and 35. While this data doesn’t speak for the majority of young employees, it does indicate that Millennials’ attitudes towards privacy and data sharing may pose a security risk for organisations.

Our own research adds some weight to this argument. When polling UK professionals who have access to customer data regarding their attitudes towards data privacy, younger respondents were almost twice as likely to have poorer data privacy habits than their older counterparts. For example, 30% of the 18-24-year-old respondents admitted that they would snoop on sensitive customer data at work compared to only 12% of the 45-54-year-old employees.

This is in no way a crisis, but to address these challenges, there needs to be a shift in how information security is being talked about and enforced within organisations. Embedding good data protection practices needs to come from the top and permeate the work ethics of all employees. But how can financial organisations make this happen?

One way to achieve that is by building effective security policies and training programmes to ensure all employees have a good knowledge of data privacy practices and security standards.

But it’s one thing to be aware of such policies and another to adhere to them. This is why developing robust mechanisms for security policy enforcement is also essential for mitigating risk. This enforcement should be non-intrusive and should work in a way that actually fosters data sharing and collaboration within the organisation, while maintaining compliance with existing regulatory requirements and internal security policies.

This could be achieved by automatically provisioning and revoking access rights for joiners, leavers and movers within the organisation and continuously monitoring how this access is being used to handle sensitive data. By analysing access risk data in real time, financial organisations will be able to get a clear view into how data is being accessed and shared within the organisation and spot suspicious behaviours as soon as they occur.

While there is no way to guarantee a security breach will never happen, there are effective ways to ensure that suspicious activities can be spotted as soon as they occur, enabling organisations to mitigate security risk and minimise the impact of data breaches. For example, leading identity and access intelligence solutions offer the ability to continuously monitor user access, as well as forensics capabilities, where access usage patterns can be compared over time for the same user or against others in similar roles so anomalies can be identified.
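One way to implement the two comparisons described above (a user against their own history, and against others in the same role), as an added example that is not from the article or any vendor product. The usage counts, user names, roles and thresholds are constructed assumptions.

```python
from statistics import mean, median, pstdev

# Constructed sample data: user -> (role, customer records viewed per day).
# The last number in each list is today; the earlier ones are the baseline.
USAGE = {
    "alice": ("teller",  [20, 22, 19, 21, 95]),
    "bob":   ("teller",  [18, 20, 21, 19, 20]),
    "carol": ("teller",  [23, 21, 22, 20, 22]),
    "gina":  ("teller",  [90, 92, 88, 91, 90]),
    "dave":  ("analyst", [10, 12, 9, 11, 60]),
    "erin":  ("analyst", [57, 60, 58, 59, 58]),
    "frank": ("analyst", [61, 63, 62, 60, 63]),
}

def score_user(history, today, peers_today):
    """Return (z-score against own history, ratio to the peer median)."""
    sigma = max(pstdev(history), 1.0)  # floor so a flat baseline cannot divide by ~0
    self_z = (today - mean(history)) / sigma
    peer_ratio = today / max(median(peers_today), 1.0)
    return self_z, peer_ratio

def find_anomalies(usage, z_limit=3.0, ratio_limit=3.0):
    """Map each flagged user to the comparison(s) that flagged them."""
    findings = {}
    for user, (role, counts) in usage.items():
        *history, today = counts
        peers_today = [c[-1] for u, (r, c) in usage.items() if r == role and u != user]
        if len(history) < 3 or len(peers_today) < 2:
            continue  # not enough baseline to judge; report separately in practice
        self_z, peer_ratio = score_user(history, today, peers_today)
        reasons = []
        if self_z > z_limit:
            reasons.append("self")
        if peer_ratio > ratio_limit:
            reasons.append("peers")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_anomalies(USAGE).items():
        print(f"{user}: unusual compared with {' and '.join(reasons)}")
```

In this sample, gina is flagged only by the peer comparison because her own baseline is consistently high, and dave only by the self comparison because his jump lands at his peers' level, which is why the two checks complement each other.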

And if we use intelligent access risk and management technologies to support the fostering of positive security cultures within our organisations, we will both harness the digital talents of new workers and contribute to the building of greater customer trust and faith in retail banking.
