
Within the financial services sector, one of the biggest challenges is the threat of authorized users causing inadvertent data breaches. It seems that at least weekly we hear of a new data loss event caused by insiders. For example, in November 2010, UBS AG was dropped from its underwriting role in the General Motors IPO after a UBS analyst sent an email to clients discussing the initial public offering. A similar data breach occurred in 2006 involving Deutsche Bank and the Hertz IPO. Such breaches are costly, embarrassing and can have a major impact on the company's reputation.
While the cost and the damage to a company's reputation can be significant, the regulatory repercussions also need careful consideration. Now, more than ever, financial services institutions are subject to multiple data protection requirements, including the FACTA Red Flags Rule, Sarbanes-Oxley, SEC Rule 17a-4, Rule 204-2, NASD Rule 2210, PCI, ISO 27001 and Massachusetts 201 CMR. Financial services institutions must take proactive steps to ensure that they are preventing data leakage at the user level, and automated approaches to Data Loss Prevention (DLP) are insufficient on their own to ensure that regulatory requirements are met.
Understanding Why Breaches Happen
A number of factors contribute to the problem of data breaches by authorized users, including:
Large Volumes of Email
According to an Osterman research report, the average user sends 44 emails per day and receives 123 emails. In just one year, an organization of 1500 users will generate almost 70 million emails. With the addition of other communication methods such as instant messaging and social media, the potential for a data breach is immense.
Portable Devices
Technologies such as wireless internet access and inexpensive portable media have made it possible for employees to conduct business anytime, anywhere. Employees can easily transfer sensitive data to multi-gigabyte USB drives and DVDs, or access documents from laptops or home computers.
Too Much Information Access
Excessive access rights are another contributing factor. A Deloitte survey of top security executives at financial organizations found that excessive access rights were the top problem identified in audits. With a workforce that is constantly changing due to outsourcing, mergers and reorganizations, it is difficult to keep track of which users should have rights to which data. In most cases, organizations err on the side of granting too much access, because the alternative, too little access, hurts business productivity.
Innocent Mistakes
Today's employees are often rushed and distracted, with security being one of the last things on their minds. Unfortunately, this lack of awareness can easily result in data breaches that violate any number of regulations, including SOX, GLBA, Basel II, PCI DSS and SEC disclosure rules for financial information, as well as privacy protection legislation such as S.B. 1386 in California and MASS 201 in Massachusetts.
Why Current Approaches to Data Loss Prevention Aren't Enough
To address the challenge of insider security threats, financial services organizations rely primarily on automated data loss prevention solutions. While these technologies go a long way toward detecting and preventing the unauthorized use and transmission of confidential information, they often overlook the most important aspect of security: the user. These solutions do not involve the user, leaving critical security gaps that put financial services organizations at risk of non-compliance with various regulations.
A primary shortcoming of the current approach to DLP is its reliance on automated content scanners that inspect data on back-end servers to detect sensitive information. While effective to a degree, these solutions can produce a high rate of errors. Furthermore, this approach does not involve the user at any level, so users remain unaware that they are sending unauthorized information, and a critical opportunity for education is missed. In addition, users are unable to remedy potential data leakage themselves, so content may sit blocked indefinitely, resulting in delays or in critical email or documents never being sent at all.
Adding User Driven Security to the Mix
With these factors in mind, a user-driven approach to security is a must for any organization focused on ensuring regulatory compliance and preventing data loss. By involving users in the process, organizations can dramatically lower their risk and increase the effectiveness of their security programs. Ultimately, this proven best practice enables organizations to address regulatory considerations head-on and add a new layer of security to protect valuable email and documents.
Adding users to the security strategy of a financial services organization raises employee engagement on security issues and drives education, all while improving productivity.
Engaging users to actively identify sensitive content is extremely powerful, as users know exactly what information is sensitive and how it should be handled. This knowledge is based on the user's familiarity with the subject matter, and is something that an automated solution simply cannot replicate. With this approach, the information author or owner clearly identifies that an email or document is confidential and needs to be handled appropriately.
Educating users about security policy is one of the biggest challenges in any organization. The organization can hold regular employee training sessions, publish lengthy policy documents, and develop security experts within each business team, but ultimately the end user is going to be making day-to-day security decisions on their own without consulting these resources. Ideally, users should be educated as they perform their daily activities, with frequent policy reminders that are non-intrusive and relevant to their current task. Because so much sensitive information is stored and shared through documents and email, it makes sense to educate users directly within the email and document applications that they use each day. A user-driven security solution does exactly that: it is integrated into the email and document applications to provide policy education before the user sends, saves, or prints the information.
In addition to warning users about policy violations, a user-driven security solution enables users to remediate any problems themselves. Security violations can be highlighted within the email or document, so that users have an opportunity to fix the problem from within the application. This approach helps to prevent false positives and places accountability on the user.
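The send-time workflow described above, and the false-positive problem raised in the section on automated scanners, can be shown in code. The following is an added illustration written for this page; it is not code from the article or from any DLP product. It models what a mail-client plug-in would do when the user presses Send: scan the draft, return findings with character offsets so the client can highlight them in place, apply a simple policy, and let the author remediate (here, by redacting the highlighted spans) before the message goes out. The internal domain `example.com`, the rule names, the keyword list, the sample draft and the recipient addresses are all constructed for the example; card numbers are confirmed with a Luhn check so that arbitrary 16-digit strings such as order numbers are not flagged.

```python
"""Send-time sensitive-content check for an outbound email draft.

Added, illustrative example only: it is not the article's code nor any
vendor's product. Domain, rules, keywords and sample data are constructed.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"   # assumption: the firm's own mail domain


@dataclass
class Finding:
    rule: str     # which detection rule fired
    start: int    # character offset in the draft, for in-place highlighting
    end: int
    text: str     # the matched text


# Detection rules (constructed for the example). The card rule is only a
# candidate pattern; a Luhn checksum decides whether it is really a card.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DEAL_RE = re.compile(r"\b(?:ipo|initial public offering|underwrit\w*)\b",
                     re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(body: str) -> list[Finding]:
    """Locate sensitive content in the draft, ordered by position."""
    findings = []
    for m in CARD_RE.finditer(body):
        if luhn_ok(m.group()):              # drops order/tracking numbers
            findings.append(Finding("card_number", m.start(), m.end(), m.group()))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", m.start(), m.end(), m.group()))
    for m in DEAL_RE.finditer(body):
        findings.append(Finding("deal_keyword", m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def highlight(body: str, findings: list[Finding]) -> str:
    """Wrap each finding in [[...]] so the author can see what tripped the
    check. Works back-to-front so earlier offsets stay valid."""
    out = body
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + "[[" + out[f.start:f.end] + "]]" + out[f.end:]
    return out


def decide(findings: list[Finding], recipients: list[str]) -> str:
    """Policy: regulated identifiers never leave in clear text; deal-related
    wording to an external recipient is bounced back to the author to fix."""
    if not findings:
        return "send"
    if any(f.rule in ("card_number", "ssn") for f in findings):
        return "block"
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    return "warn" if external else "send"


def redact(body: str, findings: list[Finding]) -> str:
    """Author-side remediation: replace the highlighted spans with a marker."""
    out = body
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + "[REDACTED]" + out[f.end:]
    return out


# Constructed sample draft: one deal reference, one order number that is not
# a card (fails Luhn), and one genuine test card number.
DRAFT = ("Hi Pat, the ACME IPO pricing is set for next week; our underwriting "
         "desk has the book. Order 1234 5678 9012 3456 shipped. Client card "
         "4111 1111 1111 1111 was used for the deposit.")
RECIPIENTS = ["pat@clientbank.example"]     # external recipient (constructed)

if __name__ == "__main__":
    found = scan(DRAFT)
    print(decide(found, RECIPIENTS), "->", highlight(DRAFT, found))
    fixed = redact(DRAFT, found)
    print(decide(scan(fixed), RECIPIENTS), "->", fixed)
```

The point of the Luhn step is the one the article makes about scanner error rates: a pattern alone flags every 16-digit order number, while the checksum lets only real card numbers through to the user, so the warnings the author sees are ones worth acting on. The offsets returned by `scan` are what a client would use to colour the offending span rather than silently holding the message on a server.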
Summary
In the current regulatory climate, financial services organizations can no longer afford to rely solely on automated DLP solutions. The addition of user-driven security solutions enables financial services organizations to engage content authors and editors to determine how data should be handled. The end result is higher productivity, greater user accountability, and higher user awareness when handling sensitive data.