
InfoWatch Research Center

A Global Analysis of Corporate Data Leaks in the Financial Services Sector


January-June 2012


Contents
Executive Summary 3
Methodology 4
Quick Facts 5
Report Highlights 5
Data Leaks: by Sector 6
Data Leaks: Channels 8
Data Leaks: Type of Data 9
Report Conclusion 10
About InfoWatch 10


Executive Summary
InfoWatch Research Center presents its first bi-annual report on data leaks in the financial services sector, covering January to June 2012. The report gives an overall view of the trends in data leakage in the financial services sector and draws some conclusions that provide a basis for predicting how data leakage in general will evolve.

Company reputations are extremely fragile in this era of social networking and instant news on the Internet. All companies need to guard their reputations, and financial institutions are especially vulnerable to news about security breaches: such news undermines customer confidence immediately. Yet the number of security breaches in the financial services industry grows every year. External attacks, online fraud, leaks of personal information: the media report these incidents in detail. The public does have a right to know, but the coverage also damages the reputation of the targeted bank or company.

This report provides a general view of the data leakage landscape in the financial services sector. Some of its conclusions will help not only banks, but all enterprises, evaluate their information management and security architecture.


Methodology
The InfoWatch Research Center has collected data about data leaks since 2006. The database contains records of all publicly reported incidents in which malicious or negligent actions led to data leaks in financial institutions. Because only a minority of incidents are ever made public, this covers an estimated 1-5% of all data breach incidents. Nevertheless, the stability of the basic data allows us to treat it as representative of data leakage trends in general. The data is sufficient to analyze the parameters (type of breach, channel, intent and more) and the changes in their distribution over the years; once the trends are analyzed, the changes are predictable. We therefore work on the assumption that the trends in publicly disclosed data leakage incidents reflect the trends in data loss as a whole.

The figures for direct financial impact and for the information compromised are all taken from publicly available sources. We purposely avoid estimating the total financial impact sustained by the targeted companies as a result of the breaches and the remedial efforts required: we do not wish to provide fodder for unsubstantiated speculation about specific figures for indirect losses.


Quick Facts
Financial service providers lost over 2 billion USD in direct losses during the first half of 2012. Over 2 million records were compromised, containing both financial and personal data. Up to 60% of the leaks studied affected financial information. Despite a drop in the share of leaks affecting enterprises within the overall number of data leaks, the share of breaches in the financial services industry remains stable at 5-7%. The financial services industry suffers proportionally more from malicious breaches than other segments: 68% of its incidents are malicious against 43% overall, while accidental breaches account for 20% against 37% overall. Interestingly, 41.7% of the leaks in the financial services segment occur via backup copies of data, rather than via email, the Internet or portable data devices.

Report Highlights
The financial services industry is clearly using effective technologies to prevent leaks: there are more malicious incidents and fewer accidental breaches, and fewer breaches via the popular channels such as email, the Internet and instant messaging. Nevertheless, the share of data loss incidents in the financial services industry within the overall count remains stable. So while the technology used today successfully prevents accidental breaches, technology alone is not enough to prevent malicious data leakage. This is typical where the technology is aimed only at controlling the channels through which data can leak, instead of monitoring the data itself. The financial services industry would improve its data leakage statistics by investing in continuing information security training for staff, and specifically by improving IT security policies and procedures, safeguarding hard copies of documents, securing laptops and so on.

On the whole, the financial services sector is more responsible and mature than other sectors in terms of IT security. IT security experts in banks already understand that security is an ongoing process, not a one-time project. They have moved from a general understanding of the issues to deploying preventive measures and evaluating their relative cost and effectiveness. IT security staff in the financial services sector realize that security is not a matter of reaching a given level once, by deploying a software solution or a set of procedures; it is a continual search for new and better methods of improving IT security overall.


Data Leaks: by Sector


Data leaks in the financial services sector make up only 5.76% of all reported incidents. On the other hand, about a fifth (18%) of the data leaks in enterprises occurred in banks. Interestingly, the overall number of incidents in enterprises is decreasing, but the share of breaches in banks remains stable.

[Fig. 1. Data Leakage in Various Sectors and Banks versus All Enterprises, 1-2Q 2012. Two pie charts. Left: share of incidents by sector (enterprises, governments, educational, unknown); enterprises account for 32%, and the remaining slices read 23%, 16% and 29%. Right: banks versus all enterprises, with banks at 18% and other enterprises at 82%.]

[Fig. 2. Decreases in Enterprise Data Leakage versus Total Data Leakage. Bar chart for 2006 to 2011 and the first half of 2012, total data leaks versus enterprise data leaks, vertical axis 0 to 900 incidents.]


Data Leaks: Intent


The split between malicious and accidental data leaks in the financial services industry differs significantly from the overall picture. In the financial services sector 68% of data leakage incidents are malicious, against a mere 20% that are accidental. This is clearly related to the general decrease in accidental data leakage incidents from about 2007 through 2012. Our findings indicate that this decrease can be attributed to information security systems and products, which protect more successfully against accidental breaches. Moreover, the financial services sector is one of the more mature in IT security and has deployed DLP solutions systematically. It is therefore worth noting that DLP solutions have visibly decreased the number of accidental data leak incidents in the financial services industry, whereas other sectors have yet to reach this level of IT security.

[Fig. 3. Accidental versus Malicious Data Leaks Overall and in Banks. Two pie charts. Total (all sectors): accidental 37%, malicious 43%, unknown 20%. Banks: accidental 20%, malicious 68%, unknown 12%.]


Data Leaks: Channels


Besides the relatively low number of accidental data leaks, it is important to look at the channels through which data leaks from banks. It is immediately clear that the usual popular channels, such as email and the Internet, are absent. Banks obviously do use email and the Internet, but they are also implementing technological controls over data travelling through these channels.

[Fig. 4. Data Leak Channels: Banks versus All Sectors. Two pie charts with the channels paper documents, backup drives, mobile devices, other and unspecified. Bank shares shown: 41.7%, 29.2%, 16.7%, 8.3% and 4.2%; the Quick Facts put backup drives at 41.7%. All-sector shares shown: 23.7%, 21.1%, 11.7%, 11.7%, 10.5%, 7.7%, 6.7%, 4.8% and 2.2%, spread over more channels.]

On the other hand, the high percentage of leaks via less traditional channels such as paper and backups demonstrates that controlling electronic channels is not enough. It is necessary to monitor where and how data is stored and how it moves around the organization, and to assign confidentiality levels to it. This is where a content-aware DLP solution is most useful, and it is clear that not all banks deploy content-aware DLP solutions. The relatively high number of data leaks via backup drives may be connected to a heightened interest in this data on the one hand, or to a lack of proper policies and procedures for securing these devices on the other.
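The distinction drawn above, between controlling channels and inspecting the data itself, is the core of content-aware DLP. The following Python scanner is an added example and is not InfoWatch's code or part of the original report: it classifies a blob by what it contains (Luhn-valid card numbers as financial data, e-mail addresses standing in for personal data) regardless of whether the bytes came from an outbound e-mail, a USB stick or a backup drive at rest, and assigns a confidentiality level. The function names, the patterns and the CSV extract are assumptions constructed for the example.

```python
"""Content-aware classification of a data blob (added example, not InfoWatch code).

The scanner looks only at the bytes, so the same check applies to an outbound
e-mail, a file copied to a USB stick or a backup archive found on a drive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digits, optionally separated by a
# single space or hyphen, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Deliberately simple e-mail pattern standing in for PII detection.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    kind: str      # "financial" (card number) or "personal" (e-mail address)
    offset: int    # character offset in the decoded text
    evidence: str  # masked value, safe to write to an audit log


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: filters random digit runs out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a PCI-style audit record would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_content(data: bytes) -> list[Finding]:
    """Return every financial or personal data item found in the blob, by offset."""
    text = data.decode("utf-8", errors="replace")
    findings: list[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):            # Luhn failure: a phone number, an ID, noise
            findings.append(Finding("financial", m.start(), mask_pan(digits)))
    for m in EMAIL.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("personal", m.start(), local[0] + "***@" + domain))
    return sorted(findings, key=lambda f: f.offset)


def classify(findings: list[Finding]) -> str:
    """Confidentiality level a DLP policy would attach to the blob."""
    kinds = {f.kind for f in findings}
    if "financial" in kinds:
        return "confidential-financial"   # card data present: block or encrypt
    if "personal" in kinds:
        return "confidential-personal"    # PII only
    return "public"


# Constructed sample standing in for a CSV extract on an unencrypted backup
# drive (assumption, not data from the report). 4111 1111 1111 1111 is a
# well-known Luhn-valid test number; the second number fails Luhn and must
# not be reported, and the phone number is too short to be a candidate.
SAMPLE_BACKUP = b"""id,name,email,card,note
1,Ana Ruiz,ana.ruiz@example.com,4111 1111 1111 1111,test card
2,Ben Cole,ben@example.org,1234 5678 9012 3456,not a card
3,Cat Ng,cat@example.net,,phone 5551234567
"""

if __name__ == "__main__":
    found = scan_content(SAMPLE_BACKUP)
    for f in found:
        print(f"{f.kind:9} @{f.offset:4} {f.evidence}")
    print("classification:", classify(found))
```

Run on the sample, the scanner reports one card number (masked to its last four digits) and three e-mail addresses, and classifies the extract as confidential-financial even though no e-mail or web channel was involved. The Luhn test removes most random digit runs, but a phone number or document ID that happens to pass it will still be flagged, so a production policy would add context checks (field names, issuer prefixes) before blocking.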


Data Leaks: Type of Data


The type of data leaking from banks confirms once again that the financial services sector occupies a unique niche in IT security. In other sectors, personal information makes up 87.8% of the data leaked, whereas in the banking sector it is mostly financial information, up to 60%. In fact, only 8% of the data leaked by banks is personal information.

[Fig. 5. Breaches Identified by Type of Data Lost. Pie chart: financial 60%, personal 8%, unknown 32%.]

To be fair, it is often impossible to distinguish between personal and financial data. For instance, a breach of a database containing PII (personally identifiable information) and credit card details would be classified as a leak of both personal and financial information. Nevertheless, there is a correlation between the high percentage of malicious data leaks and the percentage of financial data being leaked. Clearly, the financial data held by banks is of most interest to both internal and external offenders. It is equally clear that all such leaks create serious and long-term negative publicity for the affected company.


Report Conclusion
The financial services industry serves as an example of how the data leakage landscape could change if all other companies were equally attentive to IT security. The data illustrates which organizational and technological methods are effective and which need to be improved. The differences between the data for the financial services sector and for other sectors allow us to treat IT security in banks and other financial institutions as a separate class. This report studies the results of stricter regulation and mass deployment of IT security solutions in a single, clearly identifiable sector:

Increased IT security in the financial services sector has led to fewer accidental data leaks.
Data leaks migrate to unsecured and uncontrolled channels.
The loss of backup data is simple negligence and a lack of established policies.
Once again, organizational security is as necessary as IT security software.

The InfoWatch Analytical Center has been tracking confidential data losses since 2006. During this time there has been a steady decrease in the share of incidents affecting enterprises: from 70% in 2010 to 32% in the first half of 2012. At the same time, the financial services sector has accounted for a steady 17-20% of enterprise incidents throughout these years. Measured by its share of incidents, the financial services sector has not proved more disciplined than other industries, though the ratio of accidental to malicious incidents does differ significantly: 20% versus 68% in the financial services industry, compared with 37% versus 43% in other industries. 90% of these incidents affected both personal and financial information; the leaked data included names, credit card and account numbers, and internal data such as information about individual debts.

Most direct losses are caused by negligent actions by employees, not by fraud, since the existing technological safeguards have reached a certain level of effectiveness. Negligence includes improper disposal of paper documents, badly designed or deployed security policies, careless storage of backup data and so forth. As a result, regulators are pursuing offenders and fining banks for non-compliance with existing legislation.

The latest trends in IT, such as BYOD (bring your own device), constant access to social networks, virtualization and cloud-based services, all present new challenges to IT security staff in every sector. The financial services sector will need to pay particular attention to how confidential data is handled: new technologies and new policies are needed to prevent an overall increase in leaks. Nevertheless, we predict that the gap between accidental and malicious data breaches in the financial services sector will remain, and even grow, as malicious breaches continue to increase.



About InfoWatch
InfoWatch Group consists of four companies in the information security industry: InfoWatch Ltd. (data leakage prevention software), Kribrum Ltd. (social media monitoring and analysis aimed at online reputation management), EgoSecure GmbH (endpoint security software) and Appercut (business application source code analysis). InfoWatch was founded in 2003 and has since matured into the leader of the Russian data security market. It holds over 33% of the Russian market for data leakage prevention (DLP) software and is rapidly expanding its presence in Europe, the Middle East and Asia. InfoWatch is headquartered in Moscow, Russia.

