25 May 2011

Context is key to addressing information leaks

Websense | www.websense.com

Security professionals in today’s stringently regulated financial industry face a daunting challenge in protecting the wealth of valuable information flowing through a company’s IT systems. Recent data breaches and their hard-hitting repercussions highlight the direct and immediate relevance of these incidents to any financial organisation. As more breaches are exposed, it also becomes apparent that this is – perhaps – a challenge endemic to the entire industry and one which won’t go away. That’s why addressing data leakage is a strategic, Board-level matter, says Mark Murtagh, product director of information leak prevention at Websense.

Board directors need to recognise that, historically, efforts of IT groups have focused on preventing security threats that originate from external criminal activity outside a company’s boundaries. Although this must remain a priority, today’s real-time media landscape also thrives on news about leaked information. For the general public, the media focuses on reporting the loss of personally identifiable information. Inside the financial community, the debate typically centres around the untimely exposure of sensitive data such as merger and acquisition plans as well as other stock market data.

This very public pressure only adds to the complexity of staying ahead in the security game. Some of the traditional performance indicators in data-driven businesses – system availability, transaction speed, ROI – are potentially overshadowed by a new set of criteria which can surface after one isolated incident. The repercussions a single data leak can have make this an issue which exceeds the remit of IT functions. The retail industry’s most talked-about incident shows that, as media coverage starts to subside, more tangible effects surface. The company in question was forced to record an after-tax cash charge of approximately $118 million in its second quarter alone, with a further non-cash charge in the region of $21 million (after tax) to be recorded in its next fiscal year. These numbers reflect the company’s best estimate of the total potential cash liabilities from pending litigation, proceedings, investigations and other claims.

For stakeholders with overall responsibility for business success, recent research on data leak incidents from the Ponemon Institute might come as a surprise. It estimates that less than 15% of information loss comes from internal theft and malicious employees, compared with 80% of leaks being unintentional or the result of mistakes: for example, an employee copies data to a location that is exposed to the web or sends sensitive data to the wrong email address. Up to now, this is likely to be the most overlooked area in IT security strategies, and yet Gartner analysts say that data leaks are the greatest security risk to businesses overall.

A recent independent survey of European SMBs commissioned by Websense found that 35% of employees had sent work documents to their personal email accounts to work on them from home. This is a classic example of how honest employees could leak sensitive information with no malicious intent, simply by sending an attachment containing confidential data.

Unintentional or accidental disclosure of sensitive data can occur in a variety of scenarios. Driven by overall industry trends, many financial organisations rely on a combination of internal and external IT resources to support every aspect of their business operations. It is here, in the area of outsourcing, where security considerations are often compromised. With strong public opinions surrounding the outsourcing of customer contact centres, it is easy to see why any data leak would get immediate media attention.

A recent survey of over 100 international security professionals, conducted by Websense at this year’s e-Crime Congress in London, found that 95% of those polled agreed that companies would not be confident they would know about a data leak when and if it happened.

Organisations considering cutting costs by outsourcing entire application development centres need to consider higher staff turnover rates, lower loyalty levels and ubiquitous internet access as contributing factors that increase the risk of future business strategy data leaking. By using web-based email, popular instant messaging services and online storage sites, employees – in a few clicks of the mouse – render millions in IT spend on securing messaging systems obsolete, and ultimately place their own workstation and their company’s network at risk of data loss.

Fortunately, these mistakes are the easiest to control. Unlike the outside environment, business owners have the ability to reshape operations to reduce risk and improve employee behaviour. In addition to preventing staff from leaking sensitive information (e.g. personally identifiable information (PII), investment advice, or communications with a financial advisor) to the outside world, organisations need to build internal measures to control the sharing of information between individuals and departments. This could include limiting the capture and use of customer data for marketing purposes in the back office or the monitoring of internal information exchange on the trade floor.

Information leak prevention (ILP) technologies focus specifically on keeping sensitive data inside the company. In addition to the obvious security benefits, ILP technology facilitates ongoing auditing requirements by monitoring all communication protocols in the enterprise to identify potential data breaches. ILP solutions proactively search for and identify data that is likely to be sensitive in order to intercept it before it gets into the wrong hands – all without disrupting daily business.

Moreover, context is necessary to distinguish between sensitive and innocuous data to provide accurate information controls. Downloading data to removable media devices such as flash memory cards and USB drives might be acceptable in certain instances. However, if large portions of an internal database are accessed in an outsourced customer contact centre with a view to extracting the information, this might be an incident that needs further investigation.

Information leak prevention technology is a very effective way to augment existing security investments that protect against targeted attacks from the outside. It applies the same capabilities in terms of data analysis and granularity of policy control to monitor information flow, not only between corporate offices, but also between trusted business partners – for example, the business and its outsourced service providers.

The business reality is shaped by constant change. Impending mergers, ongoing integration of legacy systems and the increasing speed of information exchange place more and more emphasis on being able to determine quickly who to trust and what levels of information they can be entrusted with. A good example of this in the financial services industry is the information exchange between retailer and payment card provider. The recently introduced PCI standard will improve security measures and help put a financial obligation on negligent participants in the processing of electronic payments. For financial organisations to succeed in this endeavour, they will need to lead by example and introduce advanced mechanisms to prevent misuse of card details or intentional data theft facilitated by an employee within the organisation.

Unlike traditional technology approaches, ILP solutions examine the content of the material being sent and correlate this information with current security policies. Therefore, financial companies can take a very proactive approach to monitoring and preventing data from leaking out via P2P file sharing, network printers, email, IM or other channels.

The “patch for human error”
In a scenario where an employee working for an investment bank copies and pastes confidential details of a restricted document into an email or web-mail, the ILP solution should be able to:

  • prevent this information from accidentally being leaked to the wrong recipient,
  • require this information to be encrypted before being sent,
  • instantly alert the appropriate manager to investigate the incident.

ILP technology can also discover where information is transmitted to and by whom, thereby facilitating the automation of otherwise resource-intensive audit requirements.
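The following Python sketch is an added illustration, not Websense’s code or any product’s rule set: it combines the content inspection and context correlation described above (innocuous USB copies versus bulk database extraction from an outsourced site) with the three outcomes listed for the web-mail scenario: block, require encryption, or alert a manager. The domain names, the record threshold and the “RESTRICTED” document marker are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample policy for illustration only; not a vendor's real rule set.
INTERNAL_DOMAINS = {"bank.example"}            # mail stays inside the company
PARTNER_DOMAINS = {"cards.partner.example"}    # trusted outsourced provider
BULK_THRESHOLD = 1000                          # records per export before review
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn check so arbitrary digit runs are not flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Event:
    channel: str       # "email", "webmail", "usb" or "db_export"
    destination: str   # recipient address, device name or export site
    content: str
    records: int = 1   # rows touched; the context for bulk database access

def classify(content: str) -> set:
    """Content inspection: restricted-document marker plus Luhn-valid card numbers."""
    labels = set()
    if "RESTRICTED" in content.upper():
        labels.add("restricted-doc")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(content)):
        labels.add("card-data")
    return labels

def decide(ev: Event) -> list:
    """Correlate content labels with context to pick block, encrypt or alert."""
    labels = classify(ev.content)
    domain = ev.destination.rsplit("@", 1)[-1]
    if ev.channel == "db_export" and ev.records >= BULK_THRESHOLD:
        return ["alert"]               # bulk extraction: flag for investigation
    if not labels or domain in INTERNAL_DOMAINS:
        return ["allow"]               # innocuous content, or it stays in-house
    if "restricted-doc" in labels:
        return ["block", "alert"]      # wrong recipient: stop it and escalate
    if domain in PARTNER_DOMAINS:
        return ["encrypt"]             # card data to a trusted partner: force encryption
    return ["block", "alert"]          # card data to anyone else
```

A real deployment would replace the single marker with document fingerprints and add an audit log of who sent what where, which is the auditing benefit the article describes.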

Information leaks are very often invisible to IT systems and to those tasked with managing security issues. However, there is no denying the seriousness and associated cost of the data leakage problem. According to a Ponemon Institute Customer Trust Survey, companies that suffer a breach of only 100,000 records containing personally identifiable information can expect to lose almost a third of their customers for good. Further research estimates the average cost of a data breach to be $182 per compromised customer record. However, these figures do not include any indirect costs such as brand damage, loss of future revenue, regulatory fines or even civil lawsuits.

Both companies and employees must be made aware of the potential risks that increasingly flexible computing practices pose at an individual as well as a corporate level. One of the most effective ways to reduce the risk of sensitive information loss is not just managing data access, but managing what actions can then be performed on the data by the users who have been granted access.

Companies such as Websense offer Board members the tools and the expertise to analyse current patterns of information access as well as workflows and can be of assistance in making an informed decision about the data integrity itself.

Board directors need to recognise that, while the possibility of insider theft remains a threat, it represents only one aspect of the overall security landscape. The vast majority of significant internal risks cannot be traced back to malicious intent on the part of the employee. As the majority of data leak incidents are accidental, financial organisations need to consider the merits of exercising much tighter management over how data leaves the organisation and to whom it can be distributed.
