The Billion-Dollar Question: Are Financial Institutions Safe from Their Own Secrets?

The average cost of a data breach in the US financial services sector reached USD 6.08 million in 2024, according to the IBM Cost of a Data Breach Report 2024. That is 22% above the global average across all industries, and it does not account for regulatory fines, reputational losses, or the operational disruption that follows a major credential compromise. Breaches involving stolen or compromised credentials took an average of 292 days to identify and contain. Nearly ten months of unauthorized access. In financial services, that is enough time for an attacker to map your entire infrastructure, exfiltrate cardholder data, manipulate transaction systems, and cover their tracks.

The credential problem is structural. Banks and financial institutions rely on tens of thousands of secrets: API keys connecting payment gateways, database credentials for core banking systems, encryption keys protecting customer records, tokens authenticating automated trading workflows, and certificates securing SWIFT network connections. Each one is a potential entry point. Secrets management is no longer a back-office IT concern; it is a front-line business risk with direct consequences for compliance, fraud exposure, and operational continuity.

This guide covers what financial institution security means in practice, why credential-based threats are the dominant risk vector for banks, and how a structured approach to secrets and non-human identity (NHI) management addresses the compliance, fraud prevention, and multi-cloud security challenges that US financial regulators are increasingly scrutinizing.

Key Takeaways • The average financial sector breach costs USD 6.08 million, with credential-based breaches taking 292 days on average to identify and contain. (IBM Cost of a Data Breach 2024) • Stolen credentials were the initial attack vector in 24% of all breaches analyzed in the 2024 Verizon DBIR, and have appeared in roughly one-third of all breaches over the past decade. • US financial regulators (OCC, FDIC, Federal Reserve, NY DFS, FFIEC) are increasing scrutiny of secrets and credential management practices as part of broader cybersecurity examination frameworks. • Key US frameworks imposing credential management requirements include GLBA Safeguards Rule, SOX IT General Controls, NY DFS Part 500, FFIEC Authentication Guidance, PCI DSS v4.0, and NIST CSF 2.0. • Dynamic, just-in-time credentials eliminate the persistent access windows that attackers exploit; automated rotation removes the human error that manual processes introduce. • Akeyless provides zero-knowledge encryption (no single entity, including Akeyless itself, can decrypt stored secrets), FIPS 140-2 compliant key management, and SOC 2 Type II audit trails for regulated financial environments.

What is Financial Institution Security?

Financial institution security encompasses the people, processes, and technologies that protect banks, credit unions, insurance companies, asset managers, and payment processors from threats to their data, systems, customer accounts, and operational continuity.

US financial institutions are uniquely high-value targets for several reasons. They hold real-time payment infrastructure, including ACH processing, FedNow instant payments, and SWIFT network connections, that can be directly monetized by attackers. They store personally identifiable information for millions of customers, which commands premium prices on criminal marketplaces. And they operate under a dense regulatory environment that makes the consequences of a breach extend far beyond the immediate technical incident.

The relevant US regulatory landscape for financial institution security includes:

• NIST CSF 2.0: The National Institute of Standards and Technology Cybersecurity Framework, updated in 2024, provides the Govern, Identify, Protect, Detect, Respond, and Recover structure that US federal agencies and financial regulators increasingly reference as a baseline expectation.
• GLBA (Gramm-Leach-Bliley Act): The FTC Safeguards Rule under GLBA requires financial institutions to implement access controls, encrypt customer financial data, and maintain audit logs for systems storing nonpublic personal information.
• SOX (Sarbanes-Oxley Act): IT General Controls under SOX require privileged access management, segregation of duties, and audit trails for systems that feed financial reporting. Secrets and credentials providing access to financial reporting systems fall directly within SOX scope.
• NY DFS Part 500: New York’s Department of Financial Services cybersecurity regulation mandates MFA, encryption, annual penetration testing, and a Chief Information Security Officer for all NY-licensed financial entities. Amendments effective in 2023 and 2024 added specific requirements around privileged access management and vulnerability management.
• FFIEC Authentication Guidance: The Federal Financial Institutions Examination Council guidance establishes MFA as the baseline requirement for online banking systems and specifically addresses credential risk management for customer-facing and internal systems.
• PCI DSS v4.0: Requirement 8 (Identify Users and Authenticate Access) and Requirement 10 (Log and Monitor All Access) impose detailed controls on credential management, including requirements on password complexity, multi-factor authentication, and access logging that apply directly to payment card system environments.
• CISA Financial Services Guidance: The Cybersecurity and Infrastructure Security Agency publishes Cybersecurity Performance Goals for the financial services sector as part of its Critical Infrastructure Security and Resilience mandate, including specific controls on credential hygiene and access management.

USD 6.08 million: the average cost of a financial sector data breach in 2024. Credential-based breaches took 292 days on average to identify and contain.IBM Cost of a Data Breach Report 2024

Why Banking and Finance Institutions Can’t Afford to Ignore Secrets Management

Secrets refer to the credentials, API keys, database passwords, encryption keys, certificates, and tokens that grant access to sensitive banking systems and applications. They authenticate machine identities, the non-human identities (NHIs) of applications, scripts, automated processes, and workloads that communicate across banking infrastructure around the clock. Without proper management, these secrets and identities become the most reliably exploitable entry point in a financial institution’s attack surface.

The data on credential-based attacks in financial services is unambiguous. The Verizon 2024 Data Breach Investigations Report found that stolen credentials were the most common initial attack vector in financial and insurance sector breaches, appearing in roughly one-third of all breaches analyzed over the past decade. The IBM research found that breaches originating from stolen credentials take longer to detect than any other attack type: nearly ten months on average. In a live banking environment, ten months of undetected credential access is a catastrophic exposure window.

Financial sector incidents that trace directly to credential and secrets mismanagement include:

• SWIFT credential attacks: The 2016 Bangladesh Bank heist, in which attackers compromised SWIFT network credentials to initiate fraudulent transfer requests totaling USD 81 million, demonstrated that credential exposure in payment messaging infrastructure can translate directly into nine-figure losses.
• Hardcoded banking API keys: In 2023, an unsecured banking API key exposed on a public GitHub repository allowed attackers to perform unauthorized financial transactions before the exposure was discovered. The key had been hardcoded by a developer who had since left the organization.
• Supply chain credential compromise: Third-party fintech integrations, payment processing partners, and cloud service dependencies each represent a credential supply chain risk. A credential exposed in a partner’s environment can provide lateral access to the financial institution’s own systems.

These are not edge cases. They are the predictable consequence of treating credentials as static artifacts to be stored rather than as dynamic, lifecycle-managed identity tokens to be issued, rotated, and revoked with the same rigor applied to human user accounts.

1. Compliance: Avoid Regulatory Fines and Ensure Risk Governance

Financial institutions operate in the most heavily regulated industry in the US. Failing to protect sensitive credentials generates not only technical security failures but direct regulatory liability under multiple overlapping frameworks.

How Secrets Management Helps with Compliance

A centralised secrets management platform provides the technical controls that map directly to each regulatory requirement:

• GLBA Safeguards Rule (FTC/OCC): Requires access controls and encryption for customer financial data. Secrets management enforces encryption at rest and in transit for all credentials, provides role-based access control to limit who can read or write secrets, and generates audit logs that demonstrate control over nonpublic personal information systems.
• SOX IT General Controls: Privileged access management and segregation of duties are core SOX IT control requirements. Secrets management enforces the principle that only the specific service or user account requiring a credential receives access, and that access is logged and attributable. Automated rotation ensures that privileged credentials are not left persistent across audit periods.
• NY DFS Part 500: Mandatory MFA, encryption, and privileged access management for NY-licensed entities. Secrets management platforms deliver all three: MFA-gated access to the vault, AES-256 encryption of stored secrets, and granular access policies that limit privileged credential access to authorised identities.
• FFIEC Authentication Guidance: MFA as a baseline for online banking systems. Secrets management enforces authenticated access to credentials used in banking systems, ensuring that automated processes cannot retrieve secrets without verified identity and appropriate authorisation.
• PCI DSS v4.0 Requirements 8 and 10: Access control, credential management, and comprehensive logging for cardholder data environments. Secrets management automatically rotates credentials on schedule or by event trigger, provides immutable access logs, and integrates with SIEM platforms to deliver the monitoring record that PCI DSS Requirement 10 requires.
• NIST CSF 2.0: The Protect and Detect functions of NIST CSF 2.0 map directly to secrets management capabilities: access control (PR.AC), data security (PR.DS), and anomaly detection (DE.CM) are all supported by a centralised secrets management platform with monitoring and alerting.
• CISA Cybersecurity Performance Goals: CISA’s CPGs for the financial sector include specific goals around credential management and privileged access, including requirements for phishing-resistant MFA and credential rotation policies. Automated rotation and JIT credential issuance directly satisfy these goals.

Centralised audit logging from a single secrets management platform satisfies audit evidence requirements across all of these frameworks simultaneously, rather than requiring separate logging implementations per system.

2. Fraud Prevention: Stop Insider Threats and Credential-Based Attacks

Financial institutions are prime targets for credential-based fraud because the payoff from a successful credential compromise is often direct and immediate: unauthorized payment initiation, account takeover, or extraction of transaction data with immediate monetization potential.

Common Attack Vectors Targeting Financial Institutions

• Credential stuffing: Attackers use breached credential databases, available for as little as USD 10 per thousand records on criminal marketplaces, to attempt automated login against banking portals, API endpoints, and internal systems. Reused credentials, both human and non-human, make this attack reliably effective at scale.
• Insider threats and privileged misuse: Employees or contractors with access to privileged credentials can extract funds, exfiltrate customer data, or sabotage systems. Static, persistent credentials without usage monitoring create the conditions for insider abuse to go undetected across extended periods.
• API key leaks in payment systems: Payment gateway credentials, embedded in application code, mobile apps, or third-party integrations, provide direct access to initiate or query financial transactions. Exposed API keys in payment rails are among the highest-value targets for financially motivated attackers.
• SWIFT network credential attacks: Credentials providing access to SWIFT network interfaces represent the most consequential single point of credential failure in international banking. Attackers who obtain SWIFT operator credentials can initiate fraudulent transfer messages that move through the international payment system before the fraud is detected.
• Supply chain compromise: Third-party integrations with weak credential hygiene expose banking infrastructure through partner access. A credential exposed in a fintech vendor’s environment that also has access to a bank’s systems provides lateral movement across the trust boundary.

How Secrets Management Prevents Financial Fraud

• Dynamic secrets eliminate persistent credential windows: Just-in-time credentials generated for a specific transaction or session and expired immediately afterward cannot be reused in a credential stuffing or stolen credential attack. There is no long-lived API key to steal because there is no long-lived API key.
• Automated rotation removes human error: Credentials for payment gateways, database systems, and internal APIs are rotated on schedule or triggered by an event (detected anomaly, personnel change, compliance review) without manual intervention. The rotation happens whether or not a human administrator remembers to initiate it.
• Granular access control limits blast radius: RBAC policies ensure that a credential compromise in one system does not grant lateral access to unrelated systems. The fraud team’s access to fraud analytics credentials does not extend to trading system credentials.
• Audit trails enable rapid forensic investigation: Every credential access event is logged with timestamp, requesting identity, and outcome. When a suspicious transaction is detected, security teams can trace the credential access chain within minutes rather than days, dramatically reducing the dwell time that allows fraud to compound.

3. Multi-Cloud Security: Protecting Digital Banking at Scale

US banks and financial institutions are running hybrid and multi-cloud architectures that span AWS GovCloud, Azure, GCP, and on-premises data centers simultaneously. Each cloud environment has its own identity and access management system, its own secret storage mechanisms, and its own audit logging format. Managing credentials consistently across this fragmented landscape is one of the primary operational security challenges in modern banking infrastructure.

Challenges of Multi-Cloud Security in Financial Services

• Secrets sprawl across cloud environments: Credentials created in one environment (for example, an AWS IAM key created for a development workload) propagate into staging and production environments, or persist long after the original use case is retired. Without centralised visibility, security teams cannot inventory what credentials exist, where they are used, or whether they are still necessary.
• Inconsistent IAM policies across regions and clouds: An IAM policy that enforces least privilege in AWS may not have an equivalent control in Azure or GCP. Credentials that are properly scoped in one environment may carry excessive permissions in another. Cross-cloud credential governance requires a control plane that spans all environments.
• Secrets drift between dev, staging, and production: Credentials intended for non-production environments are frequently reused in production, either deliberately (to simplify configuration management) or accidentally (through misconfigured CI/CD pipelines). The FFIEC guidance on cloud risk management specifically addresses the requirement for financial institutions to maintain environment separation and credential isolation across cloud deployments.
• Third-party fintech risk: API tokens and encryption keys used in fintech partnerships must be managed with the same rigour as internal credentials. A key shared with a third-party partner for a specific integration should be scoped to that integration, rotated on the partner’s access cycle, and revoked immediately when the partnership ends.

How Secrets Management Solves Multi-Cloud Banking Challenges

• Single control plane for all environments: A centralised secrets management platform provides a unified interface for creating, storing, rotating, and auditing credentials across AWS, Azure, GCP, and on-premises systems, regardless of where a specific secret is consumed. Security teams maintain a single inventory and a single audit log.
• Consistent access policy enforcement: Policies defined centrally apply consistently regardless of which cloud environment is requesting a credential. A least-privilege policy defined once for a specific workload applies whether that workload runs in AWS us-east-1 or Azure West Europe.
• Automated environment isolation: Credentials for development, staging, and production environments are managed as distinct objects with separate access policies, preventing accidental or deliberate reuse across environment boundaries.
• Akeyless SaaS architecture for global banking: Akeyless’s SaaS delivery model means no infrastructure to operate or maintain across cloud environments. The platform connects to AWS, Azure, and GCP natively, and is available across global regions, supporting the geographic distribution requirements of international banking operations.

40% of breaches in 2024 involved data stored across multiple environments (public cloud, private cloud, and on-premises). Multi-environment breaches cost over USD 5 million on average.IBM Cost of a Data Breach Report 2024

Best Practices for Securing Financial Institution Data

The following checklist addresses the highest-impact controls for US financial institutions, mapped to the regulatory frameworks that govern their implementation. Each practice is actionable and aligns with one or more of GLBA, SOX, NY DFS Part 500, PCI DSS v4.0, and NIST CSF 2.0.

1. Implement zero-trust access for all credential requests: No system or user receives standing access to sensitive credentials. Every credential request is authenticated, authorised against a defined policy, and logged. This aligns with NIST SP 800-207 (Zero Trust Architecture) and is increasingly referenced by OCC and FDIC examiners as a baseline expectation for bank technology controls.
2. Replace static credentials with just-in-time access: Credentials for database access, payment gateway integration, and cloud infrastructure are issued dynamically at the moment of need and expire automatically after use. JIT access directly addresses the 292-day average dwell time for credential-based breaches by shrinking the window of validity for any single credential to minutes or hours.
3. Automate credential rotation on a defined schedule and by event trigger: NY DFS Part 500 and GLBA Safeguards Rule both impose requirements on credential rotation policies. Automated rotation, triggered on a schedule (30 to 90 days depending on credential sensitivity) and by events (personnel changes, anomaly detection, penetration test findings), ensures compliance without the delays inherent in manual processes.
4. Encrypt all credentials at rest and in transit with current standards: AES-256 for data at rest and TLS 1.3 for data in transit are the current industry standards, referenced in PCI DSS v4.0 and NY DFS Part 500. Secrets management platforms that apply these standards uniformly across all stored credentials provide a consistent encryption posture that satisfies multiple regulatory requirements simultaneously.
5. Centralise audit logging and integrate with SIEM: SOX IT General Controls and PCI DSS Requirement 10 require comprehensive access logs for systems in scope. A centralised secrets management platform that exports credential access events to a SIEM platform (Splunk, Datadog, IBM QRadar) provides the correlatable, queryable audit trail that financial regulators and external auditors require.
6. Implement supply chain credential controls: Executive Order 14028 on Improving the Nation’s Cybersecurity and the CISA Secure Software Development Framework both impose requirements on supply chain security that apply to financial institutions using third-party software and integrations. Each third-party integration should use a unique, scoped credential with defined access boundaries and a documented revocation process.
7. Scan continuously for exposed credentials: Secrets scanning on every code commit, in CI/CD pipelines, in Docker image layers, and across collaboration tools catches credentials before they reach production. The CISA Known Exploited Vulnerabilities (KEV) catalog identifies vulnerabilities actively exploited in the wild; financial institutions should prioritise patching systems referenced in the KEV catalog as a complement to credential hygiene controls.

How to Secure Financial Transactions with Secrets Management

Financial transactions in the US move across multiple payment rails, each with its own credential and authentication requirements. Securing the credentials that enable these transactions requires understanding the specific risk profile of each rail.

• SWIFT network credentials: Credentials providing access to SWIFT operator interfaces should use hardware security module (HSM) backed key management, with access restricted to authorised operators, logged at the transaction level, and rotated on a schedule consistent with SWIFT’s Customer Security Programme requirements. Dynamic credentials that expire after a defined session window reduce the risk of stolen SWIFT operator credentials being used outside a valid session.
• ACH (Automated Clearing House) API security: ACH origination requires authentication of the originating financial institution. API credentials used in ACH origination systems should be dynamic, scoped to the specific origination function, and accompanied by transaction-level audit logs that satisfy NACHA Operating Rules requirements for originator authentication and record retention.
• FedNow instant payment credential management: FedNow, the Federal Reserve’s real-time payment rail, requires authenticated access with strong credential controls. The low latency and irreversibility of instant payments make credential security particularly critical: an attacker with valid FedNow origination credentials can initiate transfers that settle in seconds and cannot be recalled.
• Payment gateway API key security (Stripe, Braintree, Square): Payment gateway API keys should never be hardcoded in application code or stored in plaintext configuration files. They should be stored in a centralised secrets manager, rotated on a defined schedule, scoped to the minimum required permissions (for example, a key used to process charges should not have the ability to issue refunds), and monitored for usage anomalies.
• Transaction signing key management: High-value transfers often require digital signatures to authenticate the originating institution. Signing keys should be stored in an HSM or an HSM-backed secrets management platform, with access strictly limited to authorised signing processes and every signing event logged. For transfers above defined value thresholds, dual-control requirements (requiring two authorised identities to approve a signing operation) provide an additional layer of protection against insider manipulation.

PCI DSS v4.0 cardholder data environment requirements and NACHA Operating Rules security requirements both impose specific controls on the credentials used in payment transaction systems. A centralised secrets management platform that provides FIPS 140-2 compliant encryption and comprehensive audit logging satisfies both sets of requirements from a single platform.

Akeyless for Financial Services: Unify Secrets and Machine Identity Management

Akeyless is the first-ever Unified Secrets and Machine Identity Management Platform, designed to address the full lifecycle of secrets and non-human identities in regulated environments. For US financial institutions operating under GLBA, SOX, NY DFS Part 500, PCI DSS, and FFIEC guidance, Akeyless provides the technical controls that map directly to regulatory requirements:

• Zero-Knowledge Encryption (DFC): Akeyless’s Distributed Fragments Cryptography ensures that only the customer holds access to their secrets. Not even Akeyless can decrypt stored credentials. This architecture eliminates third-party access risk to sensitive banking credentials, satisfying GLBA and NY DFS Part 500 requirements on encryption and access control.
• FIPS 140-2 Compliant Key Management: Required for US federal and regulated financial environments, FIPS 140-2 compliance provides the cryptographic standard validation that OCC and FDIC examiners increasingly require as evidence of key management controls.
• Just-in-Time Access and Secret Rotation: Persistent credentials are replaced with on-demand, time-limited secrets generated for specific sessions or transactions. Automated rotation policies cover all credentials that cannot yet be replaced with dynamic alternatives.
• SOC 2 Type II Audit Trail: Akeyless maintains a SOC 2 Type II certified audit log of all credential access events, providing the independent verification that financial institution auditors and regulators require as evidence of access control effectiveness.
• PCI DSS-Aligned Access Controls: Role-based access control, MFA-gated vault access, and comprehensive logging for cardholder data environment credentials satisfy PCI DSS v4.0 Requirements 7, 8, and 10 from a single platform.
• Multi-Cloud and Hybrid Support: Native integrations with AWS, Azure, GCP, and on-premises systems provide a single control plane for financial institutions operating across hybrid cloud architectures.
• Seamless DevOps and API Integration: Integrations with GitHub Actions, Jenkins, GitLab CI, and Kubernetes ensure that secrets management controls extend to the CI/CD pipelines where financial applications are built and deployed, not just the production systems where they run.

Some of the world’s largest banks and financial institutions trust Akeyless to manage their secrets and non-human identities. If you are evaluating Akeyless for your institution, we can connect you with reference customers at other financial institutions who have offered to serve as peer references.

Conclusion: Future-Proofing Your Financial Institution’s Security

Secrets mismanagement in financial services is not a theoretical risk. It is the documented root cause of nine-figure losses, multi-year regulatory enforcement actions, and customer trust failures that take years to repair. The IBM and Verizon research is consistent: credential-based attacks are the dominant entry vector, the slowest to detect, and the most expensive to remediate. The unique structure of financial institution infrastructure, including payment rails, real-time settlement systems, and highly regulated customer data, amplifies the consequences of every credential exposure.

Addressing this requires a shift from treating credentials as static artifacts to managing them as dynamic, lifecycle-controlled identity tokens with the same rigour applied to human user accounts. US regulators under GLBA, SOX, NY DFS Part 500, FFIEC, PCI DSS, and NIST CSF 2.0 are not converging on secrets management requirements by coincidence. They are converging because credential abuse is consistently the mechanism by which financial institutions are compromised.

Institutions that adopt a structured approach to secrets management not only reduce their breach exposure and regulatory liability; they also eliminate the operational bottlenecks that manual credential management creates in DevOps pipelines and cloud deployments. Security and velocity are not in conflict when credentials are dynamic, centralised, and automatically managed.

Get a Customized Demo of Akeyless Today

A customized Akeyless demo walks through how the platform maps to your institution’s specific regulatory requirements (GLBA, NY DFS Part 500, PCI DSS, SOX), how dynamic secrets and JIT access are implemented for your specific banking architecture, and what the migration path looks like from your current credential management approach.

Schedule a customized demoBook a customized demo  or  start free today.

Frequently Asked Questions

What are the most critical security challenges for financial institutions?

The most critical and consistent challenges are credential-based: stolen API keys, compromised database credentials, hardcoded secrets in application code, and over-privileged service accounts that provide attackers with lateral movement capability once a single credential is compromised. These are compounded by the multi-cloud complexity of modern banking infrastructure, which creates credential sprawl across environments that is difficult to inventory and audit. Regulatory pressure from GLBA, SOX, NY DFS Part 500, FFIEC, and PCI DSS adds compliance liability to the technical risk, making credential management a board-level concern rather than an IT operations task.

What are the best practices for securing financial institution data?

The highest-impact practices for US financial institutions are: replacing static credentials with just-in-time, dynamic secrets; centralising all credential storage in a secrets management platform with encryption and audit logging; automating rotation on a defined schedule and by event trigger; implementing zero-trust access so that no credential is available persistently; and scanning continuously for exposed credentials in source code, CI/CD pipelines, and container images. Each of these practices maps directly to requirements in GLBA, NY DFS Part 500, PCI DSS v4.0, and NIST CSF 2.0. Together, they address both the technical attack surface and the regulatory evidence requirements that auditors and examiners evaluate.

How does secrets management help with PCI DSS compliance?

PCI DSS v4.0 imposes specific credential management requirements across multiple controls. Requirement 8 mandates strong authentication and unique credentials for all system components, prohibits the use of shared or generic accounts, and requires MFA for all administrative access. Requirement 7 limits credential access to only what is necessary for each role. Requirement 10 requires comprehensive logging of all access to system components and cardholder data. A centralised secrets management platform satisfies all three requirements simultaneously: it enforces unique, scoped credentials per service and environment, gates all credential access behind authenticated policies, and generates immutable audit logs that provide the evidence PCI DSS auditors require for compliance certification.

How can banks secure financial transactions against credential theft?

The most effective approach is eliminating static credentials from transaction systems entirely. For payment gateway integrations, this means dynamic API credentials that are generated per session and expired after use. For SWIFT network access, it means HSM-backed signing keys with session-scoped operator credentials and dual-control requirements for high-value transfers. For ACH origination systems, it means dynamic credentials scoped to origination functions, with transaction-level logging that satisfies NACHA audit requirements. Secrets management platforms that support dynamic secret generation, HSM-backed key management, and granular access policies address all of these transaction security requirements from a single platform, rather than requiring separate credential management implementations per payment rail.

Related Articles

• The Hidden Risks of Secrets Mismanagement in CI/CD Pipelines
• API Key Management: Why API Keys Are Insecure and What to Do Instead
• Solving the Secret Zero Problem
• How to Choose a Secrets Management Vault
• Go Vaultless with Akeyless
• Secrets Management: Platform Overview
• What Is Identity Security and Why It Matters for Businesses