July 11, 2011 – The onslaught of data breaches and information leaks most assuredly will continue as companies struggle to operate and share information securely in a more mobile world.
Nowhere is this more evident than in the area of securities or financial services, where sharing confidential and sensitive information is a mainstay – from confidential M&A transaction information to investment research and investment ‘pitch books.’
Just this past month, for instance, two compact disks belonging to Morgan Stanley Smith Barney, containing personal information on 34,000 customers, were lost on their way to the New York State Department of Taxation and Finance. They were password-protected – but not encrypted.
Because of the very nature of the business, financial organizations are key targets for fraud, intrusion and information abuse. On top of this, the convenience and growing use of tablet PCs and smartphones, which create tremendous value for customers, exposes security gaps and new risks by enabling customers and employees alike to store sensitive data on personal devices.
Technology departments can ensure that data crossing their networks is encrypted while on their network; however, this provides no guarantee of the security of the data once it leaves the network. And what happens if mobile devices containing sensitive information are lost or stolen?
If investment bank research information is leaked to a trading floor, for example, insider trading concerns can spring up and catch the SEC’s attention. On the other side of the coin, if investors do not have secure access to authorized research they’ll lack the information necessary to green light financing.
So, what can companies do to address these unique challenges in the age of WikiLeaks?
Protect files, in addition to systems.
When data travels beyond the boundaries of the company network, what form does it travel in? The file. The ability to embed security mechanisms directly into files themselves in native file formats remains missing in modern IT security strategy.
With advanced file protection, financial organizations can protect information automatically without changing how users currently work. It can enforce usage and protection policies for groups of sensitive files, embedding specific policies that determine how sensitive files meeting certain criteria can be used, and limiting who is allowed to open or forward such files. The ability to enforce policies lets investors, analysts and others share information safely and ensures that sensitive documents do not fall into the wrong hands.
By monitoring the use of sensitive information and protecting it from misuse through file tagging and tracking, it is possible to return to a state of accountability. If files are tagged (for example, with visible and/or invisible digital watermarks), organizations can track that data as it travels outside of the corporate network, capturing detailed file usage activities in real-time and alerting IT staff to unauthorized access immediately.
When attacks occur, immediate warning and detection can mean the difference between ‘business as usual’ and widespread catastrophe. If a business monitors where information goes out of its network, over time it can begin to understand employees’ habits and behaviors. This knowledge can heighten an organization’s ability to identify changes to pattern behavior and take appropriate action.
Imagine an investment banking employee’s laptop is the victim of a malware attack, and that employee has unfortunately stored a number of investment ‘pitch books’ containing highly confidential deal terms, in PowerPoint form, in an email. If the PowerPoint files had been tagged, the IT department would be able to track where the files are being read and even ‘kill’ them remotely if needed. At the least, this identifies who is responsible for a leak of deal terms; at the most, it minimizes the risk of insider trading and compliance violations, and stops a potential leak altogether.
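To make the tagging and tracking idea concrete, here is an added illustration (not code from the original article or from any product it describes) of the defender-side logic: a tag registry that records who may open each file and whether it has been remotely revoked, a usage-event checker that enforces the open/forward policy, and a per-user baseline that flags the first read from outside the corporate network. All tags, addresses and events are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed registry: each protected file carries a tag; the tag maps to its policy.
FILE_REGISTRY = {
    "PB-0042": {"allowed": {"alice", "bob"}, "revoked": False},  # active pitch book
    "PB-0043": {"allowed": {"alice"},        "revoked": True},   # remotely "killed"
}
CORP_PREFIXES = ("10.", "192.168.")  # assumed corporate address ranges

@dataclass
class Alert:
    tag: str
    user: str
    reason: str

def on_corp_net(ip):
    return ip.startswith(CORP_PREFIXES)

def check_event(ev, baseline):
    """Evaluate one tagged-file usage event against policy and the per-user baseline.
    baseline: dict user -> set of locations ("corp"/"external") seen so far.
    Returns an Alert or None and records the event's location in the baseline."""
    policy = FILE_REGISTRY.get(ev["tag"])
    loc = "corp" if on_corp_net(ev["src_ip"]) else "external"
    if policy is None:
        return Alert(ev["tag"], ev["user"], "unknown tag")
    if policy["revoked"]:
        return Alert(ev["tag"], ev["user"], "access to revoked file")
    if ev["user"] not in policy["allowed"]:
        return Alert(ev["tag"], ev["user"], "user not authorized")
    if ev["action"] == "forward":
        return Alert(ev["tag"], ev["user"], "forwarding blocked by policy")
    # Behavioral check: the first external read by this user deviates from habit.
    first_external = loc == "external" and loc not in baseline[ev["user"]]
    baseline[ev["user"]].add(loc)
    if first_external:
        return Alert(ev["tag"], ev["user"], "first external access for user")
    return None

def scan(events):
    """Run all events through the checker in order; return the alerts raised."""
    baseline = defaultdict(set)
    return [a for a in (check_event(e, baseline) for e in events) if a]

SAMPLE_EVENTS = [  # constructed file-usage telemetry
    {"tag": "PB-0042", "user": "alice",   "src_ip": "10.1.2.3",    "action": "open"},
    {"tag": "PB-0042", "user": "alice",   "src_ip": "203.0.113.9", "action": "open"},
    {"tag": "PB-0042", "user": "alice",   "src_ip": "203.0.113.9", "action": "open"},
    {"tag": "PB-0042", "user": "mallory", "src_ip": "10.1.2.4",    "action": "open"},
    {"tag": "PB-0042", "user": "bob",     "src_ip": "10.1.2.5",    "action": "forward"},
    {"tag": "PB-0043", "user": "alice",   "src_ip": "10.1.2.3",    "action": "open"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts: alice's first off-network read, mallory's unauthorized open, bob's blocked forward, and the read of the revoked file; alice's repeat external read is quiet because it now matches her baseline.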
Organizations should continue to comply with best practices for implementing traditional ‘defense in depth’ systems (using virtual private networks, identity management, firewalls, device protection, intrusion prevention and detection, etc.), and certainly are required to follow privacy policies and Securities and Exchange Commission regulations for handling sensitive information to help mitigate risks and punish offenders.
Current security technologies successfully limit access to a company’s sensitive files and information to authorized users within the confines of their corporate networks. However, without a way to monitor or track data once it leaves a network, companies become vulnerable to disastrous attacks. File protection must be incorporated to help fill this critical gap in today’s information security strategy and enable safer sharing of sensitive information.
This article originally appeared on Securities Technology Monitor.