In the Breach War, File Protection Is Just as Important as Data

Earlier this year, the Federal Deposit Insurance Corp. (FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures…on a personal storage device. 

In what was coined an ‘inadvertent data breach,’ a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later. Not all financial services organizations or payment companies would fare so well. 

Mishandling of data isn’t the only issue, however. Sharing files with established business partners is not without risk. Just weeks ago, 77,000 accounts from insurance giant State Farm were compromised when collaboration with a trusted marketing agency went awry. Cybercriminals gained access to and leaked files from the partner DAC Group’s servers, including encrypted passwords, first and last names, geolocation, usernames and more. Because State Farm shared such sensitive documents with this collaborator without file security in place, tens of thousands of its own customers took the hit. 

It’s clear that information and data protection has never been more crucial. Adding pressure, evolving local and global standards to comply with industry and regulated data protection specifications, such as PCI-DSS and other guidance require due care with personal identifiable information (PII) and financial records.

In our connected world, sending files throughout the organization, as well as any external file sharing for collaboration is necessary but  introduces more dynamic data protection and privacy compliance issues that the majority of enterprises recognize. 

According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access. Fully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information. A whopping 84% had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.

Financial services or payments organizations may have content management, email security and mobile management in place, but these controls often don’t apply after files traverse the firewall to external networks, users and devices, which can expose sensitive and regulated financial and personally identifiable information.

An employee may exchange files securely with a known third-party consultant or vendor, like State Farm did,  but what prevents the recipient from inappropriately forwarding the file, making unauthorized modifications, storing it on a laptop or tablet that gets lost or stolen—or being breached like DAC Group? What happens to the files when employees or external recipients change roles or move onto another organization, like in the case of the FDIC? Even internally sensitive files are often accessed or shared where they may end up in the wrong hands.

So how can financial services firms ensure only authorized users access shared files, and at the same time, take advantage of data breach notification safe harbor by ensuring the encryption and controlled access to these files?

Emerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices. 

Past information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to function, and were cumbersome for IT and departmental users alike to use and manage. While these IRMs worked internally, they were especially challenging to enforce users outside the organization.

New technology solutions enable very granular controls over who can access files, under what conditions and what they can do with them. Users can easily apply required controls on file viewing, editing, saving, printing, and watermarking that persist for the life of the file. More so, the file owner can change the file security policy dynamically and even remotely delete files after they have been shared. These security policy controls are enforced wherever the file goes and every time the sensitive file is opened.

This new class of file collaboration security platforms also tracks and stores file activity, including applied controls, access attempts, policy violations and actual recipient usage, ensuring the organization meets regulatory compliance and, if needed, has the data for successful forensic investigations.

Many solutions are compatible with popular operating systems, applications, devices and consumer cloud services, including DropBox and Box, and multiple file formats such as Microsoft and Adobe so corporate management, human resources and counsel can safely distribute sensitive confidential files, ensuring they are accessed and used strictly according to company policy and regulatory constraints.

Scott Gordon is chief operating officer of FinalCode