"Financial Service Technology America, today's latest financial news now..."
25 May 2011

Don’t be the next WikiLeak: preventing document leaks starts with your users

Last December, both MasterCard's and Visa's websites were sabotaged by supporters of WikiLeaks after the companies opted to no longer offer card processing services for those donating to the controversial organization. These high-profile attacks, along with the WikiLeaks phenomenon overall, serve to illustrate how very vulnerable financial services organizations actually are.

While these attacks were Denial of Service attacks which shut down both companies' websites, the single biggest vulnerability within financial services organizations is not outside hackers, but their own employees. The damage to the organization, both financially and to its reputation, when a public leak occurs is just too great to ignore.

Understanding Data Loss Prevention

Currently, most financial services organizations have technologies in place to prevent malicious, intentional attacks such as the ones faced by Visa and MasterCard, but these attacks account for less than 1% of data breaches. The single greatest risk of data loss is from the authorized user, who mistakenly sends a document or email to the wrong person. Usually it is a harmless mistake, but it can have serious repercussions including loss of money and customers, public embarrassment, fines, lawsuits and more.

The stark reality is that Data Loss Prevention (DLP) is a major concern for financial services institutions.  The 2010 Financial Services Global Security Threat survey conducted by Deloitte found that DLP is the second highest priority after preventing external attacks, and that Data Loss Prevention technologies will be one of the most piloted technologies in 2011.

From a technology point of view, many financial services companies have deployed large-scale DLP solutions in an effort to address this issue. Traditional DLP solutions, while largely effective at the server level, fail to address a critical piece of the DLP puzzle: the user. User-driven security solutions which actively engage and educate employees on how to manage data are needed to create a complete approach to preventing data loss.

Furthermore, information has to be shared quickly and effectively, or business suffers.  Financial Services companies need to be able to send emails, documents and customer information to their various stakeholders without worrying about the information getting into the wrong hands. The business should not be delayed because a DLP solution has quarantined or prevented communications.

Building a Secure Information Sharing Environment

Data leakage prevention efforts should be focused on building an end-to-end approach to handling sensitive documents and emails - an approach which includes users.  Users are the key to stemming the tide of data leakage.

While traditional DLP technology is an integral part of secure information sharing, the value of these systems should be extended through the addition of classification and labelling technology at the user level. This technology should be intuitive and easy to use so it speeds up the process of sharing information. DLP solutions alone are simply not sufficient in the current regulatory and security environment. Systems need to be able to accurately identify risks and violations without disrupting productivity. Additionally, this approach provides security officers with greater visibility into whether or not leaks are happening, and provides them with the ability to address issues before they can turn into a public disaster.

Often, employee education concerning security policies and how to handle data has been done via procedural manuals, employee orientation or emails from the IT team.  Security policy on the whole has always been a challenge for financial institutions as busy employees simply may not be thinking about security on a day-to-day basis.  User driven security solutions actively engage users in the organization's fight against data leakage.

Information workers or content owners within the financial services industry deal with sensitive information every day and are best equipped to determine the level of sensitivity of the information being handled.  Engaging users in the process enables the organization to actively and consistently educate them about the organization's policies, while protecting the organization against inadvertent policy violations.

Summary

In the current regulatory and security climate, financial institutions need to step up their efforts around document leakage or risk the costs of recovering from such an incident. Extending current investments in Data Leakage Prevention, through the addition of user-driven security technology as well as classification and labelling solutions, delivers a proven and practical way to create a secure information architecture, while increasing end user awareness and engagement in preventing leaks.

About

Tim Upton is Founder, President and CEO of TITUS, a company that provides security and compliance solutions for email and documents to large enterprises, military and government around the world. He has an extensive background in security and information protection best practices, and provides the overall vision for TITUS products and services.

