Financial services agencies are finding that data loss prevention is taking on a new urgency. Data leaks of a financial nature are receiving increased media coverage and costing financial institutions significantly with fines, lost business, damage to reputation and even regulatory sanctions. A number of major IPOs have been lost in recent months due to inadvertent disclosure of sensitive data: UBS losing the General Motors IPO; Royal Bank of Scotland losing the Nielsen Holdings IPO — both the result of someone in the organization sending an innocent email.
These examples involve accidental leaks caused by users who were simply trying to do their work in a fast-paced, rapidly changing environment. Financial institutions work hard to maintain their business agility, but they are also heavily regulated. As such they need to consider carefully what type of information is shared and with whom, as well as the timing with which it is shared. This is a major challenge when you consider the complexity of the problem, an ever-changing workforce with different skills and attitudes toward security, and the huge volumes of data generated with diverse data protection needs. Customers expect their financial institutions to protect their data and ensure it’s not shared inappropriately, even when the leak is accidental.
Types of Data and Regulations in Financial Services

There is some overlap between various types of organizations within the financial services industry when it comes to handling sensitive data, but each type of firm also has its own unique challenges with regard to protecting data. Concerns about leaking personally identifiable information (PII), for example, are important across this spectrum of companies. However, for banking institutions, especially smaller banks, it is common to exchange customer data like account numbers and PINs via email. Additionally, banking personnel deal with mortgage documents containing large amounts of personal financial details, which need to be shared, reviewed and approved by various people.
The timing with which sensitive data is released is also very important. The U.S. Securities and Exchange Commission’s ‘Fair Disclosure Rules’ mandate that all publicly traded companies must disclose material information to all investors at the same time. Ensuring that this information is not inadvertently disclosed to selective investors before it is disclosed to the public is critical to ensuring that securities firms are not fined or sanctioned by the SEC, and that future business opportunity is not missed due to any damage to reputation.
Protecting Customer Data, Following Regulations and Maintaining Business Agility

Most organizations place high expectations on the IT department to prevent these leaks. Yet there is only so much that IT can achieve on its own. To address the challenge of accidental data loss, many companies are deploying data loss prevention (DLP) solutions. Unfortunately, these deployments can quickly become multi-year projects as IT administrators attempt to translate the business process into automated rules for every data loss scenario. It is also impossible to accurately identify every piece of sensitive data, just as it is impossible to predict the behavior of every type of user.
This is why it is critical to make the organization’s end users the first line of defense in any data loss prevention strategy.
Involving the User: Alert, Remediate, Educate

Involving the end user in the data loss prevention strategy means having them actively involved in preventing data leaks and continually learning how to handle sensitive data. This can be accomplished by:
Users will make mistakes, but appropriate tools on the desktop can alert them, while they work, that they are breaking policy and show them how to quickly remedy the issue — allowing them to continue working with the confidence that they’re following appropriate procedures. Ultimately, a workforce that is well educated on what data is sensitive and how to handle it is the best first line of defense for protecting your business. These aspects of a user-driven data loss prevention strategy will help to ensure that the business is compliant and that you maintain the trust of customers, while your business continues to run efficiently.
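To make the "alert and remediate" idea concrete, here is an added example of a minimal pre-send check for outbound email. It is not code from the article or from TITUS; the detection patterns, the "[INTERNAL]" subject marker, the policy names, the remediation text and the sample message are all constructed for illustration. It covers the two leak types the article mentions: customer data such as account numbers, card numbers and PINs sent in clear text, and internally classified material addressed to an external domain. Rather than silently blocking, it returns findings the desktop client can show to the user, with the sensitive value masked so the alert itself does not leak it.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    policy: str       # which constructed policy fired
    excerpt: str      # masked snippet safe to show the sender
    remediation: str  # what the sender can do before the message goes out

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Constructed detection patterns (assumptions, tune to your own data formats).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")            # 13-19 digits, optional separators
PIN_RE = re.compile(r"\bPIN\b\D{0,10}(\d{4,6})\b", re.IGNORECASE)       # "PIN is 4321"
ACCOUNT_RE = re.compile(r"\b(?:account|acct)\b\D{0,15}(\d{8,12})\b", re.IGNORECASE)
INTERNAL_MARKER = "[INTERNAL]"  # constructed classification marker in the subject line

def redact(value: str) -> str:
    """Mask all but the last four digits so the alert does not repeat the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def check_outbound(sender: str, recipients: list[str], subject: str, body: str) -> list[Finding]:
    """Return every policy finding for one outbound message; empty list means clear to send."""
    findings: list[Finding] = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != sender_domain]

    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("Payment card number", redact(digits),
                                    "Remove the card number or send it through the secure customer portal."))
    for m in PIN_RE.finditer(body):
        findings.append(Finding("PIN in clear text", "PIN ****",
                                "Never email a PIN; ask the customer to reset it through self-service."))
    for m in ACCOUNT_RE.finditer(body):
        findings.append(Finding("Account number", redact(m.group(1)),
                                "Quote only the last four digits or attach an encrypted file."))
    if INTERNAL_MARKER in subject and external:
        findings.append(Finding("Internal-only content to external recipient", ", ".join(external),
                                "Remove the external recipients, or re-classify the message if it has been cleared for release."))
    return findings

def format_alert(findings: list[Finding]) -> str:
    """Plain-text alert a desktop add-in could show before the message is sent."""
    if not findings:
        return "No policy issues found."
    lines = ["This message appears to break policy:"]
    for f in findings:
        lines.append(f"- {f.policy} ({f.excerpt}): {f.remediation}")
    return "\n".join(lines)

# Constructed sample message, not a real customer or institution.
SAMPLE_SENDER = "analyst@examplebank.test"
SAMPLE_RECIPIENTS = ["broker@outside-firm.test"]
SAMPLE_SUBJECT = "[INTERNAL] Mortgage file for review"
SAMPLE_BODY = (
    "Hi, please see the client's details below.\n"
    "Account number: 1234567890\n"
    "Card: 4111 1111 1111 1111, PIN is 4321.\n"
    "Reference 9999 is the loan file id.\n"
)

if __name__ == "__main__":
    print(format_alert(check_outbound(SAMPLE_SENDER, SAMPLE_RECIPIENTS, SAMPLE_SUBJECT, SAMPLE_BODY)))
```

The Luhn check is what keeps the card rule from firing on loan reference numbers and similar digit runs, and the masking in `redact` matters because an alert that echoes the full value back to the user just creates a second copy of the data. Running the block on the sample message produces four findings: the card number, the PIN, the account number, and the internal-only marker going to an external domain.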
Tim Upton is Founder, President and CEO of TITUS, a company that provides security and compliance solutions for email and documents to large enterprises around the world. He has an extensive background in security and information protection best practices, and provides the overall vision for TITUS products and services.