In early July, it emerged that brokerage firm Morgan Stanley Smith Barney lost unencrypted CDs containing 34,000 customer addresses, account numbers and tax ID numbers. Although it’s a serious challenge for all of us when sophisticated hackers break through security systems to steal sensitive data, the careless loss of unprotected financial information is hard to believe in this day and age. The problem is that the vast majority of data breaches are still caused by negligence, poor data handling standards and inadequate controls within organizations.
The image of hackers penetrating external security, as in the case of the recent Sony, Sega and IMF attacks, tends to fit with most people’s conception of cyber-security: bad guys try to get in, security systems try to keep them out. But the Morgan Stanley breach is more typical in many ways, and also more worrying, not just because of the nature of the data that was lost, but because of the manner in which it occurred.
Like the vast majority of information security breaches, the Morgan Stanley incident originated internally. As documented in a recent study by McAfee and SAIC, the most significant threat reported by organizations surveyed was data leaked accidentally or intentionally by employees. In the case of Morgan Stanley, it appears to be an honest – albeit costly – mistake. In plenty of other examples, data breaches are due to deliberate leaks from inside the organization.
Whether deliberate or accidental, the risks posed by internal security vulnerabilities receive far less attention – and, consequently, less funding – than outsider attacks. The fact is that large companies that hold important data, such as the financial services industry, are not watching what happens inside their network as closely as they should. They are relying on systems to block malicious threats, but not paying attention to how their data is moving around within these systems, and are thereby failing to enforce basic security procedures.
The solution to this is more active management of data handling activities, supported by closer monitoring. This means that systems must be in place to track data being created, stored, shared, copied, moved or deleted, as well as data going in and out of the organization. Ultimately, all of these activities should be mapped to the security policy so that any action that is deemed a breach of policy can be immediately identified.
This starts with having an adequate security policy to govern the way that data is created, stored and shared. Monitoring can then facilitate policy enforcement by, for example, informing employees if they have breached the policy before it becomes a problem (e.g., burning a CD without encryption), flagging anything suspicious, and/or maintaining an audit trail that can be traced back if something does go wrong.
Creating a detailed audit trail is the only way to ensure a clear view of how data flows into and out of an organization, enabling potential threats to be investigated and mitigated at the earliest opportunity.
The mere presence of a data monitoring system removes the temptation for users to break the rules. If an infringement does occur, the company will have the offending user’s activity logged and can therefore accurately judge whether the action was accidental, or if the violation was committed with intent.
This is not just about losing CDs, but the broader range of internal threats. They include mis-sent emails, attaching data storage devices to work machines that have been infected from other networks, deliberately leaking information to competitors or the media, or copying company secrets and using them to one’s own advantage. All of these have led to significant financial and reputational losses for companies in the past few years – and that’s just from stories we know about.
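The policy-mapped monitoring described above (tracking copy and share events, flagging an unencrypted copy to removable media or a mis-sent email, and keeping an audit trail), shown as an added Python example that is not code from the article or from Dtex; the event fields, the `bank.example` domain and the rule names are constructed assumptions.

```python
# Constructed sample activity events (not real telemetry), one record per user action.
EVENTS = [
    {"ts": "2011-07-01T09:12", "user": "alice", "action": "copy",
     "dest": "removable:E:", "encrypted": False, "classification": "customer-pii"},
    {"ts": "2011-07-01T09:15", "user": "bob", "action": "copy",
     "dest": "removable:F:", "encrypted": True, "classification": "customer-pii"},
    {"ts": "2011-07-01T10:01", "user": "carol", "action": "email",
     "dest": "someone@webmail.example", "encrypted": False, "classification": "customer-pii"},
    {"ts": "2011-07-01T10:05", "user": "dave", "action": "email",
     "dest": "colleague@bank.example", "encrypted": False, "classification": "public"},
]

INTERNAL_DOMAIN = "bank.example"  # assumed internal mail domain


def violates_policy(event):
    """Return the name of the policy rule an event breaches, or None."""
    if event["classification"] != "customer-pii":
        return None  # policy only constrains sensitive customer data
    if (event["action"] == "copy"
            and event["dest"].startswith("removable:")
            and not event["encrypted"]):
        return "unencrypted-removable-media"  # the 'CD without encryption' case
    if (event["action"] == "email"
            and not event["dest"].endswith("@" + INTERNAL_DOMAIN)):
        return "pii-to-external-recipient"  # the mis-sent email case
    return None


def audit(events):
    """Map every event to policy; return the full trail and the violations."""
    trail, violations = [], []
    for ev in events:
        record = {**ev, "rule": violates_policy(ev)}
        trail.append(record)  # everything is logged, not only breaches
        if record["rule"]:
            violations.append(record)
    return trail, violations


def violations_by_user(events):
    """Count flagged actions per user, the view an investigator starts from."""
    counts = {}
    for rec in audit(events)[1]:
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts
```
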
The only alternative to this is excessively locking down systems, which prevents employees from doing their job effectively and makes for a pretty miserable workplace. It also leads to a culture of backdoor security risks that are harder to locate.
Staff who don’t feel that they are trusted often become disgruntled employees, and look for alternative places of employment – and frequently look to take company data with them. It is far better to give employees the freedom to do their job, but let them know that if they don’t follow security policy, or act in a way that intentionally harms the company, they will be spotted, stopped and possibly disciplined.
Greater scrutiny is the inevitable cost of adequate security. This is not about surveillance of staff, but having systems in place to flag when customer data is not being handled in accordance with company policy and/or government regulations. Ultimately, this is about a customer’s right to know that his or her private data will be handled with due care and the assurance that if it isn’t, the breach will be spotted in time.
The Morgan Stanley incident should be a wake-up call for all financial services organizations. If they don’t know what their insiders are doing with data, and cannot detect when proper security practices are being bypassed, they will not be trusted to handle the financial information of their customers. For many years now, financial companies have been driven by the motto ‘Know Your Customer’. Perhaps it’s time they shifted focus to ‘Know Your Insider’.
Mohan Koo is MD of Dtex Systems, which develops software for employee monitoring. Mohan has led multinational teams in the delivery of specialized information security consulting, customized security solutions development and investigative incident response projects for defense, government, international banking and a diverse range of other organizations. He has driven the Dtex Group’s global expansion throughout Asia-Pacific, EMEA and South America.