Comment: Financial Institutions Must Plug Insider Leaks

Romp says, now more than ever, financial organisations are vulnerable to the threat of both fraudulent and accidental loss of sensitive data from the actions of ‘insiders’
Romp says, now more than ever, financial organisations are vulnerable to the threat of both fraudulent and accidental loss of sensitive data from the actions of ‘insiders’
Simon Romp, Rule Financial
Simon Romp, Rule Financial

Since the start of the year, reports of bank workers leaking data to external sources have been on the rise. One such report was of Rudolf Elmer, the Julius Baer banker who passed on the account details of 2,000 prominent figures to controversial WikiLeaks founder, Julian Assange. More recently, a major UK-based global bank was disciplined by Swiss regulators after an employee stole data on 24,000 customers, causing incalculable damage to the bank’s reputation. The media coverage and regulatory condemnation highlights the growing scrutiny that banks are under and demonstrates the need to tighten controls to avoid future data loss.

In an age where technology enables large amounts of data to be captured and stored easily, and with WikiLeaks continuing its assault on governments and financial institutions, the need for all organisations to better protect themselves is becoming ever more critical. More significantly, however, the latest developments have underlined how organisations are vulnerable to the threat of both fraudulent and accidental loss of sensitive data from the actions of ‘insiders’ (be they bank employees or subcontractors). While most organisations have secured their networks from external threats, in the absence of thorough user auditing and control systems there remains an immediate risk from the bank’s own staff, contractors and outsourcing partners.

Part of the problem is that bank staff often have inappropriate access to systems and sensitive data, thereby creating serious security threats. Even if all users are limited to only the systems they need access to for their day-to-day job, there remains no guarantee that these users will act responsibly when using their access rights. This is especially true where there are inadequate levels of accountability.

Typically, managers in a bank have to annually certify that their staff have the appropriate access to carry out their roles. However, these managers have so much information to reconcile, that they cannot possibly perform this audit comprehensively.

At the same time as trying to prevent the loss of data, banks need to keep their business fluid and responsive, as well as maintain effective controls within a set of cost constraints. Add to this the need to respect employees’ privacy rights, and financial institutions are left with myriad issues that they need to address.

Ultimately, there needs to be an element of trust between an organisation and its employees; the majority are fluid organisations and not the Ministry of Defence! In business, locking all systems and data sources down and frisking employees as they leave the building is not the way to go.

With all of this in mind, it is clear that an holistic approach is necessary, whereby a technical solution is in place to ensure data is not leaked, and this is backed up by processes and training. The first step is to understand the data at risk of being compromised and then to determine who has access to the information. This requires an audit of existing processes, controls and user activity, and is essential to identify if and where there is potential for data loss. Once the data security requirements have been outlined, a data security policy can be devised, which takes into consideration legal and privacy laws on a regional basis; bearing in mind that for an international organisation, such laws differ from region to region.

The next step is to educate all employees regarding the policy. This is a crucial step in terms of addressing the human element in data leakage, because no matter what systems and processes a company may put in place, if an employee wants to steal data, they will find a way of doing so. Raising awareness amongst the workforce of the seriousness of data leakage must therefore be company-wide and driven from the board level down. For any training on data security to be effective it must be easy to consume and targeted specifically for each type of employee group, from client-facing staff, to back office systems administrators, trading personnel, and so on; each will have different access to different types of sensitive data and a personal approach to how the data is maintained and used.

Increasing awareness of data leakage and its implications should be a continuous process, rather than being delivered through one-off training sessions. One global bank that has recently implemented a thorough data security policy has undertaken a high-profile internal poster campaign to constantly remind workers of the impact of data loss for their company, much like a ‘no smoking’ campaign. Only when employees are educated about the corporate data security policy can the rules as to what is, and what is not, acceptable be enforced. At this point technical solutions can then be implemented to restrict and monitor the channels through which employees consume data, such as networks, email, telephone or portable devices.

It is clear that banks must ensure the correct systems and procedures are in place to prevent data loss wherever possible. However, in addition to this, a cultural change is required, and a sense of ‘belonging’ needs to be created amongst employees to drive home the message on data loss. Only then can the insider threat be reduced, enabling financial institutions to take the appropriate measures to address data leakage points – measures certainly worth taking to avoid or else come under the regulator’s, or indeed WikiLeaks’, watchful eye.

Simon Romp joined Rule Financial in 2004 as a principal consultant. He has led the Service Management Practice since joining and has been accountable for over 100 Rule Financial engagements, covering a diverse range of domains and disciplines, including IT security, data loss prevention, capacity planning, system and application audits, architecture reviews, performance tuning, non-functional testing, IT consolidation, and cost rationalisation. For the past 15 years Romp has worked solely within the financial services sector, providing him with an in-depth understanding of systems and infrastructure within the sector. His previous assignments include lead roles at Deutsche Bank, Barclays Capital, Fidelity Investments and Bank of America.

What’s Hot on Infosecurity Magazine?