Feature

Comment: We All Need to Keep Closer Tabs on Financial Data

08 September 2011
Mohan Koo, Dtex Systems

Mohan Koo, managing director of Dtex Systems, explains how recent data breaches show that organizations are focusing on external security while neglecting insider threats

In early July, it emerged that brokerage firm Morgan Stanley Smith Barney lost unencrypted CDs containing 34,000 customer addresses, account numbers and tax ID numbers. Although it’s a serious challenge for all of us when sophisticated hackers break through security systems to steal sensitive data, the careless loss of unprotected financial information is hard to believe in this day and age. The problem is that the vast majority of data breaches are still caused by negligence, poor data handling standards and inadequate controls within organizations.

The image of hackers penetrating external security, as in the case of the recent Sony, Sega and IMF attacks, tends to fit with most people’s conception of cyber-security: bad guys try to get in, security systems try to keep them out. But the Morgan Stanley breach is more typical in many ways, and also more worrying, not just because of the nature of the data that was lost, but because of the manner in which it occurred.

Like the vast majority of information security breaches, the Morgan Stanley incident originated internally. As documented in a recent study by McAfee and SAIC, the most significant threat reported by organizations surveyed was data leaked accidentally or intentionally by employees. In the case of Morgan Stanley, it appears to be an honest – albeit costly – mistake. In plenty of other examples, data breaches are due to deliberate leaks from inside the organization.

Whether deliberate or accidental, the risks posed by internal security vulnerabilities receive far less attention – and, consequently, less funding – than outsider attacks. The fact is that large companies that hold important data, such as the financial services industry, are not watching what happens inside their network as closely as they should. They are relying on systems to block malicious threats, but not paying attention to how their data is moving around within these systems, and are thereby failing to enforce basic security procedures.

The solution to this is more active management of data handling activities, supported by closer monitoring. This means that systems must be in place to track data being created, stored, shared, copied, moved or deleted, as well as data going in and out of the organization. Ultimately, all of these activities should be mapped to the security policy so that any action that is deemed a breach of policy can be immediately identified.

This starts with having an adequate security policy to govern the way that data is created, stored and shared. Monitoring can then facilitate policy enforcement by, for example, informing employees if they have breached the policy before it becomes a problem (e.g., burning a CD without encryption), flagging anything suspicious, and/or maintaining an audit trail that can be traced back if something does go wrong.

Creating a detailed audit trail is the only way to ensure a clear view of how data flows into and out of an organization, enabling potential threats to be investigated and mitigated at the earliest opportunity.
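As an added illustration (not code from the article or from Dtex Systems), this sketches the approach described above: every data-handling event is mapped to a policy rule, recorded in a complete audit trail, and flagged when it breaches policy. The event format, classification labels and rules are assumptions; the events are constructed samples.

```python
from collections import Counter

# Constructed sample events, one per data-handling action, in the shape an
# endpoint monitoring agent might emit (hypothetical format, not a vendor's).
EVENTS = [
    {"ts": "2011-07-01T09:12", "user": "alice", "action": "burn",
     "classification": "customer_pii", "destination": "optical_media", "encrypted": False},
    {"ts": "2011-07-01T09:40", "user": "bob", "action": "burn",
     "classification": "customer_pii", "destination": "optical_media", "encrypted": True},
    {"ts": "2011-07-01T10:05", "user": "carol", "action": "email",
     "classification": "customer_pii", "destination": "external", "encrypted": False},
    {"ts": "2011-07-01T11:30", "user": "dave", "action": "copy",
     "classification": "public", "destination": "usb", "encrypted": False},
    {"ts": "2011-07-01T12:00", "user": "alice", "action": "copy",
     "classification": "customer_pii", "destination": "usb", "encrypted": False},
]

REMOVABLE = {"optical_media", "usb"}

# Hypothetical policy: rules are checked in order and the first match wins.
# Each rule is (name, verdict, predicate over one event).
RULES = [
    ("sensitive data written to removable media unencrypted", "block",
     lambda e: e["classification"] != "public" and e["destination"] in REMOVABLE
               and not e["encrypted"]),
    ("sensitive data sent outside the organisation unencrypted", "block",
     lambda e: e["classification"] != "public" and e["destination"] == "external"
               and not e["encrypted"]),
    ("sensitive data leaving on encrypted media", "notify",
     lambda e: e["classification"] != "public" and e["destination"] in REMOVABLE),
]

def evaluate(event):
    """Map one event to policy: returns (verdict, rule name) or ('allow', None)."""
    for name, verdict, match in RULES:
        if match(event):
            return verdict, name
    return "allow", None

def build_audit_trail(events):
    """Record every event with its verdict; the trail covers all activity, not only breaches."""
    trail = []
    for e in events:
        verdict, rule = evaluate(e)
        trail.append(dict(e, verdict=verdict, rule=rule))
    return trail

def violations_by_user(trail):
    """Count blocked actions per user; repeat breaches help separate intent from accident."""
    return Counter(r["user"] for r in trail if r["verdict"] == "block")
```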

The mere presence of a data monitoring system removes the temptation for users to break the rules. If an infringement does occur, the company will have the offending user’s activity logged and can therefore accurately judge whether the action was accidental, or if the violation was committed with intent.

This is not just about losing CDs, but the broader range of internal threats. They include mis-sent emails, attaching data storage devices to work machines that have been infected from other networks, deliberately leaking information to competitors or the media, or copying company secrets and using them to one’s own advantage. All of these have led to significant financial and reputational losses for companies in the past few years – and that’s just from stories we know about.

The only alternative to this is excessively locking down systems, which prevents employees from doing their job effectively and makes for a pretty miserable workplace. It also leads to a culture of backdoor security risks that are harder to locate.

Staff who don’t feel that they are trusted often become disgruntled employees, and look for alternative places of employment – and frequently look to take company data with them. It is far better to give employees the freedom to do their job, but let them know that if they don’t follow security policy, or act in a way that intentionally harms the company, they will be spotted, stopped and possibly disciplined.

Greater scrutiny is the inevitable cost of adequate security. This is not about surveillance of staff, but having systems in place to flag when customer data is not being handled in accordance with company policy and/or government regulations. Ultimately, this is about a customer’s right to know that his or her private data will be handled with due care and the assurance that if it isn’t, the breach will be spotted in time.

The Morgan Stanley incident should be a wake-up call for all financial services organizations. If they don’t know what their insiders are doing with data, and cannot detect when proper security practices are being bypassed, they will not be trusted to handle the financial information of their customers. For many years now, financial companies have been driven by the motto ‘Know Your Customer’. Perhaps it’s time they shifted focus to ‘Know Your Insider’.


Mohan Koo is MD of Dtex Systems, which develops software for employee monitoring. Mohan has led multinational teams in the delivery of specialized information security consulting, customized security solutions development and investigative incident response projects for defense, government, international banking and a diverse range of other organizations. He has driven the Dtex Group’s global expansion throughout Asia-Pacific, EMEA and South America.
