Until recently, the idea that one of a company’s own employees would betray it and compromise sensitive data was practically inconceivable. The consensus was that threats to the company come from outside, not from within, and security measures were built accordingly. This changed dramatically when the world learned about Edward Snowden, a previously unknown contractor who stole and leaked sensitive NSA files.
In addition to the Snowden affair, a revealing report by “Boscom” has also challenged the notion that the main threat to a company’s data comes from outside: from hackers, industrial spies and competitors. The report states a disturbing fact: nearly eighty-five percent of former employees have left their place of business with sensitive data, if not with actual documents. Snowden’s theft from the NSA was visible and newsworthy on a global scale; the Boscom report shows how easy it is for ordinary employees everywhere to simply walk away with a treasure trove of sensitive data.
In light of the above, it is easy to understand why companies have a hard time maintaining data security: the biggest risk comes from their own employees, yet employee access to data is vital not only for their work but for the company’s success in general. This is why the intuitive response, simply restricting access to data, is problematic: it diminishes the company’s ability to function. So are companies faced with a problem that has no solution?
Let’s look at this conundrum through a practical scenario relevant to our industry: a Forex brokerage. A brokerage has several departments, each of which needs access to certain data in order to function. From sales representatives to members of the marketing team (for instance, email marketers), different aspects of client information must be visible to different people, and only access controls enforced in software can keep those views separate. The biggest breaches become possible when employees become privy to information they have no business seeing, which is why the importance of compartmentalization, giving each role only the fields it needs, cannot be stressed enough. It is the only way a brokerage can protect information from threats within, without compromising productivity.
On a technical level, the two most important tools at a brokerage’s disposal are a CRM with role-based permissions and good encryption. The former lets management define who is privy to which data; the latter prevents unauthorized persons from reading information from outside company systems (“hackers”, or anyone who obtains a backup tape or a lost laptop). Encryption also limits what a rogue employee can carry away, but only for data that employee was never authorized to decrypt: a copied database dump or a colleague’s encrypted files are useless without the keys. It does not protect the data an employee legitimately works with every day, which is why, against insiders, access control and logging of who looked at what matter more than encryption does.
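To make the compartmentalization described above concrete, here is an added example (not code from the original article or from any particular CRM product) of a deny-by-default, field-level access policy for client records, with an audit log of every request for fields outside a role’s remit. The roles, field names and the sample client record are assumptions invented for this illustration.

```python
"""Field-level compartmentalization of client records by role.

Added illustration, not code from the article. Roles, field names and
the sample record are made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Deny-by-default policy: a role may read only the fields listed for it.
# Any field not listed is never returned, whatever the caller asks for.
# (Hypothetical roles and fields for a brokerage CRM.)
FIELD_POLICY: Dict[str, Set[str]] = {
    "sales": {"client_id", "name", "phone", "email", "account_balance"},
    "marketing": {"client_id", "email", "marketing_opt_in"},
    "compliance": {"client_id", "name", "id_document", "residency", "account_balance"},
}

# Constructed, fictitious sample record used by the usage section and tests.
SAMPLE_RECORD = {
    "client_id": "C-1001",
    "name": "A. Example",
    "phone": "+00 000 0000",
    "email": "a.example@invalid.test",
    "account_balance": 12500.0,
    "id_document": "PASSPORT-XXXX",
    "residency": "Examplestan",
    "marketing_opt_in": True,
}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    client_id: str
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]


AUDIT_LOG: List[AuditEvent] = []


def view_client(user: str, role: str, record: dict, requested: List[str]) -> dict:
    """Return only the requested fields the role is permitted to see.

    Out-of-policy fields are dropped from the result and recorded in
    AUDIT_LOG, so an employee who keeps asking for data outside their
    remit shows up in the log rather than in the data.
    """
    allowed = FIELD_POLICY.get(role, set())  # unknown role -> sees nothing
    granted = tuple(f for f in requested if f in allowed and f in record)
    denied = tuple(f for f in requested if f not in allowed)
    AUDIT_LOG.append(AuditEvent(user, role, str(record.get("client_id", "?")),
                                granted, denied))
    return {f: record[f] for f in granted}


def export_for_role(role: str, records: List[dict]) -> List[dict]:
    """Bulk export passes through the same policy as single-record views.

    This is the path a departing employee would use to take a 'treasure
    trove', so it must not bypass the field restrictions.
    """
    allowed = FIELD_POLICY.get(role, set())
    return [{f: r[f] for f in r if f in allowed} for r in records]


def denied_field_count(user: str) -> int:
    """Count out-of-policy fields a user has requested: a crude insider signal."""
    return sum(len(ev.denied) for ev in AUDIT_LOG if ev.user == user)


if __name__ == "__main__":
    # An email marketer asks for a balance they have no business seeing.
    print(view_client("alice", "marketing", SAMPLE_RECORD, ["email", "account_balance"]))
    print(export_for_role("marketing", [SAMPLE_RECORD]))
    print("alice denied requests:", denied_field_count("alice"))
```

The design point is that both the per-record view and the bulk export go through the same policy table, and that denials are logged rather than raised as errors: a spike in denied requests from one account is exactly the signal that tells management an employee is probing beyond their role before any data leaves the building.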
In order to implement these countermeasures well, a company must first decide on a data security policy that the tools will then support and enforce. In other words, the technical measures are determined by the policy, not the policy by the means that happen to be available. Alongside the technical measures, management must also clearly define internal rules, such as a prohibition on USB drives on company property, a prohibition on logging in with another employee’s username, and so on. This may seem like stating the obvious, but nothing is obvious when it comes to securing your data.
Edward Snowden made data vulnerability visible. After all, if the almighty NSA is vulnerable to theft, where do the rest of us stand? In the context of the private sector, however, adequate countermeasures significantly reduce a company’s exposure. With Snowden in mind, one must also consider who is stealing the information and what resources they have: national intelligence agencies have far more resources than a competing business, and their operatives are willing to take greater risks to get information. People such as Snowden steal for ideological reasons, whereas business espionage is driven by money and profit, and a thief who must weigh cost against gain is easier to deter. The countermeasures needed to deter theft in the private sector are therefore also more affordable and accessible.
At the end of the day, we live in a world where our data is constantly at risk; however, there are also many technological solutions and standard operating procedures that significantly reduce that risk. You need to be vigilant and stay ahead of potential threats, but remember that these threats, significant as they may be, are manageable, and that maintaining data security does not need to come at the expense of productivity and profits.