Firms clearly have good cause to be concerned about external threats to their data, but many are overlooking the threat from within
Jens Puhle
March 16, 2016: With a seemingly never-ending series of high-profile hacks and data breaches filling the headlines over the last year, data security has never been a higher priority. A report from PwC found that 90 per cent of all large organisations have been hacked in the last 12 months, and market leaders in everything from telecoms to retail have been the victims of major breaches targeting the financial data of their customers. It is financial organisations themselves that have the most to fear, however, as their data represents the biggest potential payday for criminals.
Encapsulating this threat is the recent charging of three men for the biggest data theft in history from US financial institutions. The attack saw details of more than 83 million people stolen from 14 major financial organisations, including JPMorgan. The data was then, apparently, used by the trio to manipulate stock markets by sending false stock tips to stolen email addresses.
However, while firms clearly have good cause to be concerned about external threats to their data, many are overlooking the threat from within: 81 per cent of companies reporting a breach told PwC that their own staff were involved in causing it.
Human error
Most of these incidents tend to be caused by simple human error, with the Information Commissioner’s Office (ICO) finding that emailing the wrong recipient was one of the most common ways for staff to leak sensitive data. While accidents are always possible, organisations need to ensure they have safeguards in place to make it harder for mistakes to happen, as well as training to raise awareness of the consequences of a leak.
Accidental leaks can be effectively prevented by limiting access to sensitive data in the first place. It is very common for new staff to be given much wider access to data than they need, and we often see firms setting up new users as administrators with full access because it is faster and easier.
Best practice should always be to give new users only as much access as their roles require: the fewer people who can access sensitive data, the less likely it is to be accidentally leaked.
Because of the way native Windows Active Directory works, many system administrators find proper due diligence in managing access for every new starter too time-consuming, especially when large numbers of staff join at once because of a merger or a large project. Surprisingly, large companies still have little idea what information their staff can access, and rarely rescind access once granted, even when someone has left the organisation.
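The access review this describes, as an added example that is not part of the original article or of any vendor's product: it compares the entitlements each account actually holds against what its role should have, and flags leavers whose access was never rescinded and accounts with no HR record at all. The role matrix, roster and grants are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): what each role should hold,
# the HR roster (role, leaving date or None) and the grants live in the directory.
ROLE_ENTITLEMENTS = {
    "teller":  {"branch-share", "email"},
    "analyst": {"email", "finance-reports"},
    "auditor": {"email", "finance-reports", "payroll"},
}
ROSTER = {
    "abrown": ("teller", None),
    "cgreen": ("analyst", None),
    "dwhite": ("auditor", date(2016, 1, 31)),  # left at the end of January
    "efox":   ("teller", None),
}
GRANTS = {
    "abrown": {"branch-share", "email"},
    "cgreen": {"email", "finance-reports", "payroll"},    # more than an analyst needs
    "dwhite": {"email", "finance-reports", "payroll"},    # leaver, access never revoked
    "efox":   {"branch-share", "email", "domain-admins"}, # set up as an admin for speed
    "ghost":  {"email"},                                  # no HR record for this account
}

def review_access(roster, grants, entitlements, today):
    """Return (user, finding, details) for every grant that breaks least privilege."""
    findings = []
    for user, assigned in sorted(grants.items()):
        if user not in roster:
            # An account nobody in HR owns: nobody will ask for it to be removed.
            findings.append((user, "orphan", sorted(assigned)))
            continue
        role, left = roster[user]
        if left is not None and left < today:
            findings.append((user, "leaver-still-active", sorted(assigned)))
            continue
        excess = assigned - entitlements[role]
        if excess:
            findings.append((user, "over-entitled", sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS, date(2016, 3, 16)):
        print(finding)
```

Run regularly (for example against a nightly directory export), the same comparison turns the one-off onboarding decision into a standing check that access still matches the job.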
Malicious threats
This lack of visibility is even more dangerous when it comes to the risk of malicious leaks, which can cause significant financial and reputational damage. A strong example is the recent incident of an internal auditor for the supermarket chain Morrisons leaking the bank, salary and National Insurance data of 100,000 staff online, leading to a class action lawsuit from those affected. This was done as an act of revenge against the chain, but even more dangerous are instances of insiders purposefully stealing high value data.
A powerful example in finance came in January 2015 when an employee at Morgan Stanley stole the data of more than 730,000 customers, including 350,000 wealth managers. The insider, who was later fired and then arrested for the breach, copied addresses, account numbers, investment information and other data to his home computer while apparently in talks with competitors for a job. Details of 900 customers ended up being posted online, although Morgan Stanley asserts that none lost money.
Not all customers – or organisations – get off so lightly, however. Insider data theft cost Bank of America more than $10m in 2011, after an employee passed on customer records to a fraud ring. The gang used the data to commit identity theft against hundreds of people, costing one victim as much as $20,000.
Insider leaks such as these are particularly difficult to guard against because the perpetrator is usually legitimately cleared for access as part of their job role. To address this challenge, firms should ensure they have systems in place that alert them whenever certain files or folders are accessed. More advanced access rights management systems can also send real-time alerts when information is accessed outside its usual parameters, such as out of office hours or from remote locations, so that data cannot be copied unobserved.
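The alerting rule described here, as an added example that is not part of the original article or of any product: it reads a file-server audit trail and raises an alert when a sensitive folder is touched out of office hours, from outside the office network, or when the data is copied rather than read. The log lines, share paths, office network and hours are all constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, time

# Constructed sample of a file-server audit trail (not from the article).
# Columns: timestamp,user,source_ip,action,path
AUDIT_LOG = r"""timestamp,user,source_ip,action,path
2016-03-14T10:12:05,cgreen,10.20.1.15,read,\\fs01\finance\reports\q4.xlsx
2016-03-14T22:41:10,dwhite,10.20.1.40,read,\\fs01\hr\payroll\salaries.csv
2016-03-15T09:05:00,abrown,10.20.1.22,read,\\fs01\branch\notes.txt
2016-03-15T03:17:44,cgreen,203.0.113.9,copy,\\fs01\hr\payroll\salaries.csv
2016-03-15T11:30:12,efox,10.20.1.30,copy,\\fs01\finance\reports\q4.xlsx
"""

# Assumed "usual parameters": the folders that matter, the office LAN, and
# Monday-to-Friday 08:00-18:30 as the working day.
SENSITIVE_PREFIXES = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\")
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
OFFICE_HOURS = (time(8, 0), time(18, 30))

def is_sensitive(path):
    return path.lower().startswith(SENSITIVE_PREFIXES)

def outside_office_hours(ts):
    return ts.weekday() >= 5 or not (OFFICE_HOURS[0] <= ts.time() <= OFFICE_HOURS[1])

def outside_office_network(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OFFICE_NETWORKS)

def alerts_for(log_text):
    """Return (user, path, reasons) for each sensitive access that should be seen by a human."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_sensitive(row["path"]):
            continue  # ordinary working files: log, but do not alert
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S")
        reasons = []
        if outside_office_hours(ts):
            reasons.append("out-of-hours")
        if outside_office_network(row["source_ip"]):
            reasons.append("remote-source")
        if row["action"] == "copy":
            reasons.append("copy")  # copies of sensitive data are never left unobserved
        if reasons:
            alerts.append((row["user"], row["path"], reasons))
    return alerts
```

The number of reasons on an alert is a usable severity: a read during the day from the LAN is routine, while a copy at 03:17 from an outside address is the case the article warns about.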
Regulatory pressure
The extremely high value of customer financial data means the financial sector is particularly at risk from both external hackers and internal threats, and it cannot afford to take the threat lightly. Alongside the threat of data leaks, strong access rights management is also a vital factor in complying with the PCI Data Security Standard version 3.0/3.1 (PCI DSS).
The standard applies to all organisations processing, storing or transmitting cardholder data, and covers both external security and internal practices. Implementing a strong access rights management policy is one of the main objectives of the standard, with compliance dependent on restricting access to cardholder data on a need-to-know basis and assigning a unique ID to each person with computer access. Tracking and monitoring all access to network resources is also required, along with regular testing of security processes.
With the threat of external and internal breaches alongside increasingly strict regulation lined up against them, the pressure on financial organisations to get their access rights management right is enormous. It is down to them to ensure they have the technology and processes in place to tightly control how data is accessed to make accidental and intentional data leaks as difficult as possible. They must both lock down who is able to access customer records and key data and gain visibility of data that is accessed at unusual times or places.
Protecting the information at the heart of the organisation is not only a safeguard against embarrassing and costly leaks – it should be seen as an essential business practice that touches on every aspect of the operation.
Jens Puhle is UK Managing Director of access rights management specialist 8MAN