The financial vertical: How institutions protect data – from unaware employees and outsiders

August 8, 2007

The constant stream of data flowing in and out is not the only challenge facing security pros, particularly those working in the financial vertical where data must be stored and easily retrievable.

Atlanta Postal Credit Union, which is based in Atlanta and serves employees and retirees of the U.S. Postal Service and their family members, had been looking to protect its data-at-rest for several years before it came across a solution from Scentric. Scentric Destiny, the flagship product of the Alpharetta, Ga.-based provider of universal data classification solutions, catalogs, classifies and controls all types of data stored in the enterprise. It gives Atlanta Postal Credit Union the ability to control and to segment information, says Terrence Griffin, vice president for Atlanta Postal Credit Union's information services.

Filling gaps

Griffin admits that there were holes in the company's internal data security and that they didn't always know where all their information was. While policies were in place to protect against data leaving the premises on hard drives or other mobile media, there were no tools in place to enforce compliance and to keep the data safe from prying eyes.

Griffin says that employees had access to all the data and even could download reports and create Excel spreadsheets. To secure this data at rest, Griffin and his team enlisted an OEM version of the Scentric Destiny data classification application to look at data on computers and laptops to analyze what should and shouldn't be there. The Scentric solution cleans the personal financial information (PFI) in its system — an essential process, says Griffin, after he and his team found that applications within the enterprise were caching information.

"Once you classify data, you can then go in and, in effect, shred data on the disk drive," he says. "It's a great product, especially since financial institutions are a big target. Credit unions are where the money is," he says, adding that if TJX Companies had a product like this in place, it would have been able to detect that someone was accessing and removing proprietary data. (TJX, the parent company of T.J. Maxx, Marshall's, HomeGoods, and other retailers, suffered a data breach loss of more than 45 million credit and debit card numbers that were stolen from its IT systems over an 18-month period, costing the company $17 million to this point, according to its latest quarterly earnings statements.)

After a beta trial, Atlanta Postal Credit Union has gradually rolled out further implementations over the past six months. Eventually, the company intends to migrate all of its information from desktops to a SAN [storage area network] environment.

The process is also helpful with compliance issues. "We can build a report that shows compliance, which we can then show auditors," says Griffin. In his case, that means the Georgia Department of Banking on the state level, as well as the National Credit Union Association on the federal level.
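The two steps Griffin describes, classifying data at rest on endpoints to find cached personal financial information and then producing a report an auditor can read, can be sketched in a few dozen lines. The following is an added illustration, not Scentric's code: it walks a directory, flags files holding Luhn-valid card numbers or SSN-shaped values, and returns a per-file report; the sample files and the restricted/internal labels are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Card-number candidates: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count PFI indicators in one file's contents and assign a label."""
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    ssns = SSN_RE.findall(text)
    label = "restricted" if pans or ssns else "internal"
    return {"label": label, "pan": len(pans), "ssn": len(ssns)}


def scan_tree(root: str) -> list:
    """Classify every regular file under root; report only restricted files."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        result = classify_text(path.read_text(errors="ignore"))
        if result["label"] == "restricted":
            rel = path.relative_to(root).as_posix()
            hits.append((rel, result["pan"], result["ssn"]))
    return sorted(hits)


def demo() -> list:
    """Constructed sample: an exported spreadsheet, an app cache file, a clean memo."""
    root = tempfile.mkdtemp()
    samples = {
        "reports/members.csv": "name,card\nJ Doe,4111 1111 1111 1111\nA Roe,5555-5555-5555-4444\n",
        "app/cache/form.tmp": "ssn=123-45-6789&card=1234567890123456\n",  # card fails Luhn
        "memo.txt": "Quarterly staff meeting moved to room 12.\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return scan_tree(root)
```

The report list is what a "shred" step or an auditor summary would consume; note that overwrite-based wiping of individual files is unreliable on SSDs and snapshotting or journaling filesystems, so full-disk encryption with key destruction is the dependable complement to this kind of scan.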

Avoid negative publicity

Another company working to protect data at rest is PGP Corporation, which provides data-centric solutions for financial institutions to protect their non-public sensitive data wherever it exists.

Mark Campbell, product marketing manager of the Palo Alto, Calif.-based company, says the impact of losing sensitive data via theft or loss has become a major issue affecting financial institutions.

"This fear is fueled by numerous recent data breaches where financial organizations have been obliged to issue public notifications to affected individuals," says Campbell. "Many of these cases involved missing laptops and disk drives or backup tapes that simply fell off the back of the truck."

And what's most important, he says, is not whether sensitive data is maliciously targeted or unintentionally lost due to casual theft or carelessness. The fact that data was lost automatically triggers legal breach notification requirements in the case of unprotected information, says Campbell.

Such incidents also raise doubt about an organization's ability to protect sensitive customer or corporate information and intellectual property, he adds.

"The resulting negative publicity can be highly detrimental to both an organization's bottom line as well as to its brand."

PGP Corporation offers data security applications that protect endpoints, electronic communications and backup media. With PGP encryption solutions, says Campbell, financial institutions can easily address data security compliance requirements with out-of-box products.

"Enterprises shouldn't have to learn the hard way when it comes to protecting data," says Jeff Hornung, president and CEO of Scentric. "Most customers simply are not aware of how much sensitive information is lying around unprotected in their enterprise network."
