By Simon Romp
There has been much publicity around the recent data security breaches of high profile firms such as Citibank and the International Monetary Fund (IMF). While these have made anti-heroes out of the hacking collectives LulzSec and Anonymous, the attacks have also raised the issue of data protection once again and placed pressure on all organisations, especially financial institutions, that store sensitive personal information, to tighten up their security processes and policies. While the need to prevent hackers from penetrating a company’s defences is paramount, banks should avoid making knee-jerk reactions in response to headline-grabbing incidents. Instead, banks need to take a step back and take a pragmatic approach to data security. Part of this approach must recognise the risk of data being leaked from inside the organisation, as well as reinforcing the company walls against external threats.
According to statistics released by Cifas, the UK’s fraud prevention service, insider fraud is on the up. They have seen a 63 per cent increase in instances of insiders stealing or disclosing confidential data in 2010 compared with 2009. This demonstrates the increasing awareness of the value of personal data to organised criminals. This trend was found to be more common among younger members of staff, with 29 per cent of those guilty of data-related theft aged under 21, compared with only three per cent aged 41-50 and not a single instance of anyone aged over 50 committing such offences.
Further to these findings, reports of bank workers leaking data to external sources have been on the rise since the start of the year. One such report was of Rudolf Elmer, the Julius Baer banker who passed on the account details of 2,000 prominent figures to Julian Assange, the founder of the controversial whistle-blowing website WikiLeaks. Following that, a major UK-based global bank was disciplined by Swiss regulators after an employee stole data on 24,000 customers, causing incalculable damage to the bank’s reputation. This regulatory condemnation and the media coverage of recent data theft cases highlight the growing scrutiny that banks face and reaffirm the need to tighten controls to avoid future data loss.
What these examples of insider collusion demonstrate as well is that we live in an age where technology now enables large amounts of data to be captured, stored and moved easily. However, more significantly these incidents underline how organisations are vulnerable to the threat of both accidental and fraudulent loss of sensitive data from the actions of “insiders” (be they employees, subcontractors or vendors). While most organisations have been securing their systems from “external” threats for a number of years, in the absence of thorough user activity auditing and control systems, there remains an immediate risk from inside the perimeter.
This risk stems from a number of sources. For a start, confidential data varies in both content and format, and it is often duplicated a number of times to cover business processing requirements, business continuity and disaster recovery planning. We often find that staff also have inappropriate access to systems and the sensitive data they contain; because the permissions granted are complex to understand, this creates serious security threats. A compounding problem arises when there are inadequate levels of accountability: typically, managers in banks certify only annually that staff have the appropriate access to carry out their roles. These managers often have large amounts of information to reconcile, much of it manually, and as a consequence they cannot possibly perform this audit comprehensively.
Even when all users are restricted to access permissions for only those systems that they need to undertake their day-to-day job, there remains no guarantee that these users will act responsibly. With the current threat of redundancies looming over many staff, which organisation can say for sure that confidential data is not walking out of the door?
While trying to prevent the loss of data, banks simultaneously need to keep their business fluid and responsive, in addition to maintaining effective controls within a set of cost constraints. Combine these pressures with the need to respect employees’ privacy rights, and financial institutions are left with a myriad of issues that they need to address. In the end, there needs to be an element of trust between an organisation and its employees along with a balance in security measures. Locking all systems and data sources down and frisking employees as they leave the building is not the best way to run a business and gain staff trust.
Taking all of this into consideration, it is clear that an overarching approach is necessary, defining clear security policies, processes and training. Implementation then has to be supported by a technical solution to ensure users are monitored and are acting in an appropriate manner. The first step in this approach is to understand where the confidential data at risk of being compromised is located and then to determine who has access to it. This requires an audit of existing business processes, security controls and user activity to identify where there is potential for data loss. Once the data security requirements have been determined, a data security policy can be devised that takes into account legal and privacy laws. It is important to note that for an international organisation such laws differ from region to region and policy therefore has to include a common framework with local additions or variations.
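The reconciliation the article describes (granted access checked against what each role actually needs, with confidential systems looked at first) is the part managers cannot do by hand at scale. The following is an added illustration, not code from the article or from any bank it mentions: the role baseline, the list of confidential systems and the account export are all constructed sample data, and the system names and the 90-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): systems holding
# confidential data, what each role legitimately needs, and the
# entitlements users actually hold, as an IAM export might list them.
CONFIDENTIAL_SYSTEMS = {"core_banking", "kyc_store", "trade_blotter"}

ROLE_BASELINE = {
    "client_advisor": {"crm", "core_banking"},
    "sysadmin": {"ticketing", "monitoring"},
    "trader": {"trade_blotter", "market_data"},
}

@dataclass
class Account:
    user: str
    role: str
    granted: set
    last_login: date

def review_access(accounts, as_of, dormant_days=90):
    """Reconcile each account's granted entitlements against its role baseline.

    Returns (user, system, reason, severity) tuples: access outside the
    role, rated 'high' when it touches a confidential system, plus dormant
    accounts that still hold confidential access. Ordering puts each
    user's findings together so a reviewer can certify or revoke per user.
    """
    findings = []
    for a in accounts:
        excess = a.granted - ROLE_BASELINE.get(a.role, set())
        for system in sorted(excess):
            sev = "high" if system in CONFIDENTIAL_SYSTEMS else "medium"
            findings.append((a.user, system, "outside role baseline", sev))
        sensitive = a.granted & CONFIDENTIAL_SYSTEMS
        if sensitive and (as_of - a.last_login).days > dormant_days:
            findings.append((a.user, ",".join(sorted(sensitive)),
                             "dormant with confidential access", "high"))
    return findings

REVIEW_DATE = date(2011, 6, 21)  # constructed review date
SAMPLE_ACCOUNTS = [
    Account("alice", "client_advisor", {"crm", "core_banking"}, date(2011, 6, 20)),
    Account("bob", "sysadmin", {"ticketing", "monitoring", "kyc_store"}, date(2011, 6, 18)),
    Account("carol", "trader", {"trade_blotter", "market_data", "crm"}, date(2011, 1, 5)),
]

def sample_review():
    return review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for finding in sample_review():
        print(finding)
```

On the sample data, alice is clean, bob's out-of-role access to a confidential store is rated high, and carol shows both a medium out-of-role grant and a dormant account still holding confidential access.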
After this step, it is important that all employees are educated with regard to the policy. This is a crucial phase in the data loss prevention strategy in terms of addressing the human element in data leakage. At the end of the day, no matter what systems and processes a company may implement, if an employee wants to steal data, they will find a way of doing so. Educating the workforce on the seriousness of data leakage must therefore be company-wide and needs to be driven from board level down to the masses. For any training on data security to be effective it must be accessible and easy to consume. It must also be targeted to each type of employee group, from client-facing staff to back office systems administrators and trading personnel, as each will have access to different types of sensitive data.
Raising awareness of data leakage and its implications should be a continuous process, rather than being delivered through one-off training sessions. One global bank that put into place a thorough data security strategy undertook a sophisticated internal poster campaign within all its offices to constantly remind workers of the impact of data loss on their company, much like a ‘no smoking’ campaign. Only when employees are educated about the corporate data security policy can the rules as to what is, and what is not, acceptable be enforced. At this point, technical solutions can then be implemented to restrict and monitor the channels through which employees consume and disseminate data, such as networks, email, telephone or portable devices.
Just picking up a newspaper nowadays and reading about the latest hack of a high profile organisation reiterates the need for banks to ‘know your insider’ by ensuring correct systems and procedures are put in place to mitigate the chance of data loss wherever possible. However, in addition to this, a cultural change is also required, and a sense of ‘belonging’ needs to be created amongst employees to drive home the message about data loss and ensure insider collusion with outsiders is contained. Only then can banks avoid making front page news for being Anonymous’ or WikiLeaks’ latest victim.