Case Study: Data Loss Prevention for the GDPR requirements of a Global Financial Institution in Switzerland
Case Study ADACOM
The client is one of UK’s leading Financial Institutions, with more than 4.755 branches in 55 countries in Europe, Asia, Africa and America and 1.600 branches in the UK. The company must be diligent in protecting against all kind of cyber-attacks that originate from both internal and external threats and offer data loss prevention.
ADACOM helped the Swiss entity of this Financial Institution, focusing on the operations of their Wealth Management services, where the reported client assets exceed €250 billion.
- The client’s primary concern was to be able to identify and protect Personally Identifiable Information (PII), i.e. data that could potentially identify a specific individual, including sensitive information such as biometric information, medical information, personally identifiable financial information and unique identifiers such as passport or Social Security numbers.
- The client needed verification and improvement of their current DLP deployment infrastructure, which involved defining the sequence of operations or steps that should be followed to deliver changes into the production system. The massive scale of the customer due to its extended presence worldwide required extreme capacity and expertise in order to meet this objective.
- Finally, the client expected best practices for processes like policy creation, policy handling incident remediation etc. from our experts.
Although the client had already undertaken an extended DLP program, there was not enough capacity or skillset to support these additional requirements, particularly the protection of PII that was re-introduced by the General Data Protection Regulation (GDPR).
The client’s expected outcomes was to stop the potentially (accidental or not) sensitive banking information across all channels: email, web, endpoint removable devices, print. fax etc. The client engaged ADACOM experts to assist, based on the extensive experience of our Team in large scale customers worldwide.
We approached these challenges using a well-defined methodology, in order to break down every objective in smaller part and create quick-wins to boost the client confidence. While focusing on the identification of personal data, because every organization stores and processes personal data in a unique way we had to think outside of the box and overcome multiple unexpected barriers.
We also engaged the client management team into creating a short/medium and long-term strategy, gathering feedback in every step of the process, while we performed extensive pilot and testing until reaching really confident results that could be enforced into the production environment as well.
Adacom eventually solved the client’s stated challenges and exceeded the initial objectives.
The main benefits for the client were:
- Reduction of risk exposure, especially in the context of PII/GDPR-related data,
- More efficient incident process, thus an increase of the client’s security posture
- Acquisition of a better and more efficient understanding of how to create “best in class” DLP program.