CIS Controls Deep Dive #3 – Data Protection and Why It Matters (Especially in Finance)

Imagine this: It’s a typical Tuesday morning. You’re sipping your coffee, ready to dive into another day of helping your clients secure their financial futures. Then your phone rings. It’s your worst nightmare come true – there’s been a data breach. Suddenly, all those sensitive financial records, account details, and personal information you’ve been entrusted with are at risk.

For small businesses in the financial sector, this scenario isn’t just scary – it’s potentially catastrophic.

Continuing down our CIS Controls checklist, I’ll break down what CIS Control #3 means for you, why it’s crucial (especially in finance), and how you can implement it without breaking the bank or losing your mind.

What’s CIS Control 3 All About?

In simple terms, CIS Control 3 is all about protecting your data. For those of you in finance, this isn’t just good practice – it’s essential. Here’s what it boils down to:

1. Identifying your sensitive data (think client financial records, account details)
2. Knowing where this data lives in your systems
3. Controlling who can access it
4. Protecting it with strong security measures
5. Properly disposing of data when you no longer need it

Much like CIS Controls #1 and #2 which identify your hardware and software assets (can’t protect what you don’t know you have!), this control identifies sensitive data repositories so that you can take the steps to protect it.

Why It’s a Big Deal for Financial Firms

Let’s face it – in the financial world, data is your lifeblood. You’re not just handling numbers; you’re dealing with people’s life savings, retirement funds, and financial futures. A data breach for us isn’t just a headache; it could mean:

• Severe financial losses (and not just for your clients)
• Legal troubles that could sink a small firm
• A reputation hit that you might never recover from

For small financial firms, the stakes are even higher. Most don’t have the deep pockets of big corporations to weather a storm like this.

Making It Work in the Real World

I know what you’re thinking – “Sounds great, but how do I actually do this?” Don’t worry, I’ve got you covered. Here are some practical steps:

1. Develop an Implementation Gameplan: Work with your IT team to create a comprehensive strategy for implementing data controls. This roadmap should outline priorities, timelines, and responsibilities, ensuring a structured approach to enhancing your data security.
2. Data Inventory: Identify all the sensitive financial data you handle, where it lives, and who has access to it. Which brings us to…
3. Tight Access Control: Only let employees access the specific data they need for their job. In finance, this is crucial – not everyone needs to see everything.
4. Train Your Team: Your employees are your first line of defense. Make sure they understand the importance of protecting financial data and how to avoid social engineering and phishing attacks that could lead to a breach.
5. Stay on Your Toes: The financial world moves fast, and so do cyber threats. Regularly review and update your security measures.
6. Have a Backup Plan: Have a backup & disaster recovery plan to recover from a potential data breach or other data loss event. Create an incident response plan that will get you back up and running – hope for the best, but prepare for the worst.

The Cost of Saying “It Won’t Happen to Me”

I hate to be the bearer of bad news, but the numbers are scary, especially for financial firms:

• The average cost of a data breach for small businesses is nearly $3 million
• 60% of small businesses close within six months of a cyber attack

In the financial sector, where trust is everything, these numbers can be even more devastating. It might not happen to you…but if it does, how disastrous could it be to your organization?

Wrapping It Up

Implementing CIS Control 3 might seem daunting, but think of it as an investment in your firm’s future. You’re not just protecting data; you’re safeguarding your clients’ trust, your reputation, and ultimately, your business.

Start small if you need to, but start today. Your future self (and your clients) will thank you. Remember, in the world of finance, data protection isn’t just a best practice – it’s a necessity.

Have questions about implementing CIS Control 3 in your business? Drop a comment below or get in touch with any questions you might have.

You can read more about the CIS Security Controls framework at the Center for Internet Security website, and find all 18 controls listed here.

Stay safe out there, and keep that financial data locked down tight!

Michael @ MZ DATA
Long Beach, CA

Sign up for our newsletter for tech industry news and tips!