Tag: Financial Services

You Really Need Persistent Data Protection

Despite significant security investments made by organizations, data breaches of sensitive information continue at an alarming rate. There are many contributing factors to this situation, such as the ever-increasing rate of data collection as well as cloud computing, outdated security standards and controls, and flawed applications with security vulnerabilities.

Today’s bad guys are well funded, skilled and organized. When they set their sights on something like personal health information (PHI) or intellectual property (IP), they are quite effective at getting at the crown jewels.

For so long, organizations have spent their money, resources and time on traditional approaches like network, device and application security. While these fundamental security measures are still necessary, relying on them solely isn’t enough today.

Businesses need to fundamentally change their approach to security and focus more on the data layer itself. A good way to start down this path is to discover and classify sensitive data. Unfortunately, many companies still do not have an inventory of their unstructured data – files and documents. They say they do and they believe they do, but in reality, there are bits and pieces of sensitive information copied on desktops, devices, and file shares. There are multiple copies scattered all around.

Once a company gets a handle on its sensitive data, then it can think about classifying it. Classification will help an organization encrypt certain types of data in storage, in transit and/or while the data is in use by authorized users. In some cases, there may be no need to encrypt public data, as it might not contain sensitive information. Many people emphasize the need for classification due to shortcomings in data loss prevention (DLP) tools. Certainly data classification can make DLP more effective. However, in larger environments there are far too many other applications and use cases that can benefit from data/file classification.

Based on the type of classification, certain data may only need protection using simple encryption while in storage or while in transit, or it can be protected by more sophisticated solutions like enterprise digital rights management (EDRM) to control not only who can access the data, but how authorized users can use the sensitive data and for how long. Businesses can monitor activity by user and have the real-time ability to detect deviations from normal user activities or processes.

Today, many companies in the financial services industry are leading the way as they add layers of security to their existing postures by implementing persistent data security and ensuring that sensitive information is protected all the time, regardless of location.

We are reminded again and again as we read daily about the data breaches in the news that protecting sensitive data is a complex challenge. It requires a layered data protection strategy, time, money, resources and management support. Implementing individual data-centric solutions without a comprehensive framework can lead to critical gaps in the security posture of an enterprise. Traditional measures must be supplemented with persistent data-centric security to stop the loss of sensitive information.


Photo credit reynermedia

SEC Stresses Data Security After Settlement with Morgan Stanley

The Securities and Exchange Commission (SEC) told financial firms they must take data security more seriously in the wake of a settlement with Morgan Stanley over the theft of customer data by a former employee. In 2015, the employee transferred information from approximately 730,000 client accounts to his personal server. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it. He did this without permission and was interviewing at the time with two Morgan Stanley competitors. Some of the data was posted online and for sale to hackers, who eventually compromised the company and its clients.

Morgan Stanley did not implement sufficient policies or controls to restrict internal access and protect customer data as required under the SEC’s Safeguards Rule. The SEC also cited flaws in its monitoring of employee access and its use of portals to allow access to client data. This is unfortunately a common occurrence in the financial services and other industries. Morgan Stanley was more focused on hackers breaking into the company than on controlling access for authorized employees.

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC’s enforcement division, said. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”

Morgan Stanley reached a settlement with the SEC over charges that it breached US law, without admitting or denying the findings. As part of the settlement, Morgan Stanley agreed to pay the regulator a $1 million penalty. I find this no more than a slap on the wrist. Morgan Stanley probably makes more than this in a day, so the effect on its bottom line is negligible. Unfortunately, this may not make the company improve its data security practices, since the risk to its business may be minimal.

The only effective way to restrict access to sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This protects the information regardless of location or file format. The company could have prevented the employee from accessing the information on his home computer by setting appropriate policies. If hackers stole that data, it would be useless to them, since it was encrypted and the hackers had no authorization to access it. Once the employee left the company, his access could be immediately revoked for anything he legitimately had. If Morgan Stanley suspected any behavior out of the norm, a full audit trail of activity could have alerted them to suspicious activities.
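The paragraph above, and the EDRM and activity-monitoring paragraph in the first post, describe the same control pattern: data stays encrypted wherever it travels, a policy service decides who gets the content key (and from where), access can be revoked after the fact, and the audit trail feeds detection. The following is an added illustration of that pattern in Python using only the standard library; it is not code from the original post or from any product. The names (PolicyServer, open_record, flag_bulk_access), the sample client record and the "corp"/"home" network labels are constructed for the example, and the SHA-256 counter-mode keystream stands in for a real authenticated cipher such as AES-GCM.

```python
"""Policy-governed access to encrypted records with revocation and an
audit-trail detector.  Added illustration, standard library only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream derived from SHA-256; a stand-in for a real
    AEAD such as AES-GCM.  The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def protect(content_key: bytes, key_id: str, plaintext: bytes) -> dict:
    """Build a portable protected record: ciphertext plus the id of the key
    held by the policy server.  The key itself never lives in the file."""
    nonce = os.urandom(12)
    return {"key_id": key_id, "nonce": nonce,
            "ciphertext": keystream_xor(content_key, nonce, plaintext)}


@dataclass
class PolicyServer:
    keys: dict                  # key_id -> content key (hypothetical key store)
    grants: dict                # user -> set of key_ids the user may open
    allowed_networks: set       # where opening is permitted, e.g. {"corp"}
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (when, user, key_id, network, decision)

    def request_key(self, user, key_id, network, when):
        """Release the content key only if every policy check passes; every
        request, allowed or denied, is written to the audit trail."""
        if user in self.revoked:
            decision = "deny:revoked"
        elif key_id not in self.grants.get(user, set()):
            decision = "deny:no-grant"
        elif network not in self.allowed_networks:
            decision = "deny:network"
        else:
            decision = "allow"
        self.audit.append((when, user, key_id, network, decision))
        return self.keys[key_id] if decision == "allow" else None

    def revoke(self, user):
        self.revoked.add(user)


def open_record(server, user, record, network, when):
    """Client-side open: obtain the key under policy, or get nothing back."""
    key = server.request_key(user, record["key_id"], network, when)
    if key is None:
        return None
    return keystream_xor(key, record["nonce"], record["ciphertext"])


def flag_bulk_access(audit, baseline_per_day, factor=10):
    """Detection over the audit trail: users whose allowed opens in a single
    day exceed `factor` times their usual daily volume."""
    counts = {}
    for when, user, _key_id, _network, decision in audit:
        if decision == "allow":
            day = (user, when.date())
            counts[day] = counts.get(day, 0) + 1
    return sorted({u for (u, _d), n in counts.items()
                   if n > factor * baseline_per_day.get(u, 1)})


def demo():
    """Walk through the scenarios from the post; returns results for checking."""
    server = PolicyServer(keys={"clients": os.urandom(32)},
                          grants={"alice": {"clients"}},
                          allowed_networks={"corp"})
    # Constructed sample record; not real client data.
    record = protect(server.keys["clients"], "clients",
                     b"acct 1001: Jane Doe, 12 Main St")
    t0 = datetime(2015, 3, 2, 9, 0)
    results = {}
    results["corp_read"] = open_record(server, "alice", record, "corp", t0)
    # Same user, same file, but from a home computer: policy withholds the key.
    results["home_read"] = open_record(server, "alice", record, "home", t0)
    # Far more opens than alice's usual three per day: the audit trail flags it.
    for i in range(40):
        open_record(server, "alice", record, "corp", t0 + timedelta(minutes=i))
    results["flagged"] = flag_bulk_access(server.audit, {"alice": 3})
    # Employee departs: revocation applies to the next open, anywhere.
    server.revoke("alice")
    results["after_revoke"] = open_record(server, "alice", record, "corp",
                                          t0 + timedelta(days=1))
    # A stolen copy of the file is useless to anyone without a grant.
    results["stolen_copy"] = open_record(server, "mallory", record, "home", t0)
    results["decisions"] = sorted({e[4] for e in server.audit})
    return results
```

The design point is that the file carries only a key id, so a copy on a desktop, a file share or a personal server is inert until the policy server agrees to release the key; revocation and location rules therefore apply to copies that already left the building, and the audit list is the single place both access decisions and the detection logic read from.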

These measures can help the financial services industry meet financial regulations and safeguard customer data by ensuring the company is always in control of its digital assets.


Photo credit Chris Potter
