Despite the new guidance, demand from C-level executives for multifactor authentication is still high. Because of problems in retail environments, for instance, requiring employees to use such tools may assuage data theft fears for some. As well, in the case of strengthening business partner access to systems, identity management and authentication are critical, said some SC Roundtable attendees. Cost and overhead do pose problems, though, as do concerns about the viability of solutions since the RSA SecurID compromise earlier this year.
This incident, often touted as a prime example of an advanced persistent threat, or APT, in action, was successfully launched via a social engineering attack. Such tactics rely on the ignorance of users to initiate malicious executables that ultimately can lead to major brand damage. Security awareness training, then, should be a high priority, according to the FFIEC updates.
Roundtable attendees conceded that end-users and customers alike can muddle the daily data security challenges they face even more. In their fervor to do their jobs or to execute a quick transaction, employees and patrons are quick to undervalue security, they noted.
Another SC Roundtable participant – working for a large bank that asked for anonymity – said mobile security was proving exceptionally tricky given the variety of devices traders and other executives use. Because of Federal Communications Commission (FCC) regulations, which mandate that exchanges via these devices are monitored, the time and costs currently dedicated to this task are high. And, currently, he has found little help from security vendors to manage the heap of mobile tools.
As a result, he and his legal team were looking into transferring corporate liability of data loss or exposure to end-users who rejected the company's “locked down” devices. By having them sign documentation noting their wish to use their own devices for work, the goal is to move responsibility for compromised business data. “If the device is not owned by our company, then we don't monitor it,” he said.
Another attendee working for an investment firm, who also asked to remain anonymous, said such a practice likely would be slammed by regulators.
“Aside from the discovery issues of trying to produce that kind of information, I don't see the liability ever leaving.”
If company data is stolen, no matter through what channel, and if company employees or partners are involved, it will be the data owner's name that “is dragged through the press,” he said. “Our take so far is that the company's going to be responsible for it.”
Indeed, the monitoring and protection of confidential data, ultimately resulting in preventing its exfiltration, is yet another major employee-related concern for SC Roundtable participants.
“Since the financial crisis, I'm hearing a lot of stories about how people leave companies and take the data with them,” said the Roundtable participant reviewing legal options to address the loss of data through mobile devices.