As if maintaining data security isn't tricky enough, now comes a wave of mergers that makes protecting data all the more difficult. It's hard to imagine a more likely time for security holes to open up than when two banks, rife with legacy systems, custom patches and unique protocols, try to mesh it all together. To make matters worse, mergers usually result in layoffs, and disgruntled, soon-to-be ex-employees will be tempted to take advantage of any security lapse.
Mike Lloyd, chief scientist at RedSeal Systems, a company that develops proactive security risk management software, refers to these as "toxic networks." If an acquired company has a different approach to security "you could be taking on a problem every bit as bad as toxic assets...If you attach to a network that's unacceptably weak, now you're weak." Each network needs to be reconstructed so IT personnel can have a complete view of all the networks to locate the best pathways to connect the networks, while securing assets and regulating who has access to which assets.
As risky and intensive as linking networks is, Lloyd and others note that IT personnel are under incredible pressure to "parachute in" and act fast. They must assess the risk, do it quickly, often examining an unfamiliar structure.
As for help from the acquired company's IT group, don't count on it. "They may not know, and they might not be willing to help you," Lloyd says, recommending IT personnel come up with standards for risk and IT practices, automate them, and then enforce them.
Fortunately, there are some standards to fall back on. The Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST) are helpful standards. It's only through coming up with a playbook and codifying it that IT mangers can win the trust of upper management. Senior executives will want to push forward hard with a merger integration, Lloyd says, determined to reap the benefits of consolidation as quickly as possible. Too often, he says, a situation arises where "upper management is standing on the gas pedal and the security team is standing on the brake."
Glen Shrzas, vp of technology at Altura Credit Union in Riverside, CA, says he put in place a security system from Websense in just two days, a tool that could come in handy if an acquisition were in the offing. For about the same licensing fee as simple anti-virus software, Shrzas can fingerprint certain documents to make sure they do not leave the institution. He can also design special proactive reviews of sensitive information, such as any time a person's name and Social Security number are linked in an outgoing document, or any document with 10 or more credit card numbers.
Most of the time, data leakage is an innocent mistake, says David Redmond, a senior director at Websense, and more visible data loss protection (DLP) rules serve as a gentle reminder. But in tumultuous times, when people's jobs are lost or are in jeopardy, more people are tempted to circumvent the rules to take valuable data.
Gartner security analyst Avivah Litan says that banking clients have seen a big increase in fraud, much of it related to stolen financial data, and she says there's a direct link to the economic downturn and the loss of jobs. The situation is magnified when jobs are lost during a merger or acquisition. "In the case of M&As, a main goal is to cut costs across the two companies and some companies don't have the most secure exit strategies [for employees]. User provisioning systems that manage accounts are not well developed. It can take weeks to delete employees and remove privileges. It's the perfect opportunity for disgruntled employees worried about the next paycheck to steal information and sell it on the black market, and it's very easy to sell. All you need is a few Google searches to find out where," Litan says.
Even when the acquisition is a sudden firesale, Redmond says that companies can react quickly to secure the data. It's a myth, he says, that you must know where the data is in the organization to start protecting it. When you talk to CIOs, the three areas they are most worried about are PCI, HIPPA, and IP. "That's what causes them heartburn," Redmond says. In a day it's possible to set up monitoring to see how employees are using that data, "you don't have to discover the data first."
After you begin monitoring for the movement of sensitive data, it's then wise to begin the longer-term project of scanning the infrastructure to learn where in the organization that sensitive data is stored; that way companies can better manage the data by putting controls in place: block USB devices, encrypt information, delete information from laptops. You need to look across all networks, business communication channels and USB devices. Remember, Redmond says, "data loss protection is as much about securing data within an organization as it is from outside the organization.