An information security manager is conducting a risk mitigation assessment for a financial institution. During the assessment, they identify the risk of unauthorized access to customer financial data. Which of the following is the best risk mitigation strategy to reduce this risk?