By Thomas Schmidt
Why do financial services institutions need to make data leakage a top concern? Some recent history can help answer that question:
- The FBI has lost 160 laptop computers in less than four years, according to a recent report by the inspector general for the Department of Justice. In many cases, the FBI didn't know what was on the missing computers. Ten of the computers had confidential or sensitive data on their hard drives, according to the report, including one that held software for creating FBI identification badges.
- Discount retailer TJX recently acknowledged that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed. Information on millions of TJX customers may have been exposed. In March, a major TJX shareholder announced it is suing TJX to access records showing how the company handled data security.
Company employees making mistakes account for 75% of all data losses, according to a new study by the IT Policy Compliance Group. Malicious activity, such as Internet-based threats, attacks, and hacks, accounts for only 20%.
As security researchers have repeatedly observed, end users constitute the biggest risk to enterprise security. Unlike applications, which can be patched, or systems, which can be hardened against threats, end users -- whether through naivete, carelessness, or malicious intent -- continue to expose critical IT resources to serious security threats.
And that exposure is taking a toll.
According to the IT Policy Compliance Group study, companies that report data breaches on average experience an 8% loss of revenue and a similar loss of customers who are worried about their personal data. Added to these losses are the costs associated with notifying customers whose data has been lost and with restoring the data. That adds up to $100 per lost or stolen customer record, the study found.
But the costs don't end there. As security breaches continue to make the headlines, calls for additional legislative relief are getting louder and louder. Under the proposed Data Security Act of 2006, for example, all entities that handle sensitive information would be subject to a uniform national standard for data protection and breach notification that would be implemented and enforced by regulators.
For the financial services industry in particular, the consequences of data leakage can be severe. After all, organizations that store and manage personal identification information must take care to ensure the confidentiality and integrity of such data. Any compromise that results in the leakage of personal identity information could result in a loss of public confidence, legal liability and costly litigation.
This article explores the evolving nature of data leakage, and the steps the financial services industry can take to halt it.
Management challenges
This year, for the first time, the researchers who produce the Internet Security Threat Report assessed data breaches that exposed information that could lead to identity theft. According to the report:
"The primary cause of data breaches that could facilitate identity theft was theft or loss of a computer or other medium on which the data was stored or transmitted, such as a USB key or a backup disk. These made up 54% of all identity theft-related data breaches during this period. In many cases, computers that were lost or stolen were laptop computers. The second most common cause of data breaches that could lead to identity theft during this period was insecure policy, which made up 28% of all incidents. Together, theft and loss along with insecure policy made up 82% of all data breaches in the second half of 2006."
For IT managers, asset management has long been a top systems management pain point. Every day they face the challenge of managing proliferating laptops, desktops and new mobile devices. This diverse environment may produce great business results, but it makes a manager's job that much harder, too.
At the same time, one of the thornier challenges organizations face today involves compliance with a steadily increasing number of industry guidelines and federal regulations. Every industry faces its own unique IT risks, requiring unique solutions. For the financial services industry, there are regulations for public companies (Sarbanes-Oxley) as well as unique vertical regulations (Payment Card Industry, or PCI), not to mention direct financial losses stemming from theft or fraud.
Moreover, it's often the case that an organization is subject to more than one regulation. According to a 2006 survey conducted by The Security Compliance Web site, 70% of the companies surveyed reported being subject to multiple regulatory compliance mandates.
With so many organizations struggling to meet audits that must satisfy multiple requirements, it's no surprise that large amounts of IT resources are being spent to demonstrate IT compliance. The Security Compliance Web site has estimated that, on average, 34% of IT resources are being spent on meeting multiple regulatory compliance demands. Why such a high percentage? In many cases, manual or ad hoc processes are woven through the entire IT compliance process. According to one researcher, companies that have invested in "one-off" solutions for each regulatory challenge they face will spend 10 times more on IT solutions for compliance than those organizations that develop a single solution to manage multiple regulatory requirements.
Management solutions
While there is no single product that can address all of these disparate and often competing requirements, there are solutions available today that can help organizations streamline their asset management tasks and effectively govern their compliance efforts -- and, thus, directly tackle the risk of data leakage.
The first step is to understand where you have risk exposure today.
Financial services firms everywhere are attempting to cost-effectively comply with mandates such as PCI. But achieving good governance and successfully addressing this problem means having a comprehensive view, one that ranges from understanding regulatory requirements to performing technical assessments.
Conclusion
According to the latest Internet Security Threat Report, in the second half of 2006, more than half of all identity theft-related data breaches could be traced back to the theft or loss of a computer or other removable storage device. What's more, inadequate security policies caused 28% of data breaches that resulted in identity fraud.
The threat environment continues to evolve. As one observer has put it, today it's not just about keeping threats out of an organization, but ensuring that confidential corporate data stays inside the organization. Safeguarding this sensitive information is essential to the health of every financial institution.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.