Following the whole WikiLeaks fiasco, we all thought firms would start tightening up their control of sensitive data, eliminating the chances of a cyber crook – or a former employee – capitalizing at your cost.
So are your data as safe as you think?
Earlier this week, data security firm Imperva released a survey indicating that most companies do not know the exact number or location of their sensitive files, or who has access to them.
Security breaches such as the WikiLeaks case have made 82 percent of the survey’s respondents slightly unsure of their company’s data security policies. Well more than half (65 percent) say they are unsure who has been granted access to the company’s sensitive files.
‘Major breaches like WikiLeaks happen because of a lack of effective file security controls,’ says Amichai Shulman, co-founder of Imperva. ‘With so many respondents unsure of how many sensitive files they have and how accessible they are, it indicates a general lack of control over sensitive data, which increases the likelihood of an insider breach.’
Indeed, concerns about the dreaded ‘insider breach’ have been evoking fear in the hearts and wallets of businesses. A few days ago, the SEC slammed three former brokerage executives for failing to protect confidential information about its customers from the now-defunct firm GunnAllen.
Last April GunnAllen’s president Frederick Kraus authorized the company’s national sales manager, David Levine, to transfer information on more than 16,000 accounts to his new company, which Levine joined after stepping down from GunnAllen.
It did not end there, however. With that permission, Levine downloaded names, asset values, addresses and account numbers to a thumb drive and passed the information along to the new company.
The case marks the first time the federal regulator has brought charges and levied financial penalties against individuals charged solely with violations of a rule that requires financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties, according to the SEC.
And where was the chief compliance officer in all this? Well, he is being charged, too –for failing to ensure customer data were protected.
On the upside, there are ways to avoid data breaches. I had the opportunity to speak to PJ Di Giammarino, CEO of London-based think tank JWG and a former chief operating officer of IT at Barclays Capital, who believes it is now the sole responsibility of the board to make sure there are no insider breaches.
He points out that a leak can be initiated by a lack of clear communication: ‘It was a pretty common occurrence to have someone in risk tell us that IT owns risk data, and someone in IT saying finance owns the data, then finance would tell us risk owns the data… Clearly there is no one throat to choke.’
So what is your board doing to ensure your department’s data are protected? For more advice on this topic, look out for our May issue, which sheds light on the data risk management implications of AT&T’s marriage to T-Mobile.