The Key to Protecting Financial Data

Protecting financial data requires finding the right balance between security and access, says Tabb Group's Alex Tabb.

Security and accessibility are inversely proportional, which means that the more secure you make something, the more inaccessible it becomes — a maxim as true for office buildings, transit systems, banks and embassies as it is for networks and data. After all, with sufficient time, enough money and considerable effort, you can turn any building into Fort Knox, but by doing so you're probably going to make it nearly impossible for anyone to enter the building to accomplish anything of value. The same holds true for the industry's interconnected world of financial data.

The key in terms of security, whether it's physical or for data, is to find the right balance between protection and access. Go too far in one direction, and you hamstring an organization with overly complex, time-consuming routines that drive down efficiency and increase customer dissatisfaction; go too far the other way, and you leave yourself and your customers vulnerable to all sorts of threats.

Securing financial services data today has become a herculean task made more challenging by our never-ending drive to make things faster, more efficient, more integrated and more accessible. To complicate matters, not all data or organizations are created equal. For example, some institutions, such as large sell-side brokers, may have the capacity to build out internal resources that drive information security infrastructures while some smaller, more agile buy-side shops and private equity firms can't. But both types of firms are subject to the same internal and external threats that characterize today's burgeoning data security concerns.

Obviously, everyone in the global capital markets industry lives and dies by their data. Whether it's golden source data that sets pricing for fixed income assets, proprietary data that drives algo creation or customer data that contains personally identifiable information, all of it is important, and all of it is valuable.

Beyond the Usual Suspects

Just like a modern-day "whodunit" novel, the cast of characters outside your firm interested in getting their hands on your data is extensive — and growing. These characters are way beyond the big bad wolf, things that go bump in the night and Matthew Broderick's teenage hacker in "War Games."

Today, the list of ne'er-do-wells includes hackneyed villains, spies, disgruntled employees and careless personnel. Just over the past few years, we've seen a marked increase in the number of threats, attacks and careless mistakes that have targeted the industry. They're real, they're damaging and they need to be dealt with.

"Hactavists," like the wildly conspiratorial Anonymous, routinely target groups and organizations within the financial services industry. The latest example of this was reported in The Wall Street Journal: State-sponsored hackers and government-run intelligence agencies allegedly have been linked to numerous attacks against both high-tech and financial services industry leaders, including Google and Morgan Stanley. And international criminal syndicates have been targeting the industry for years, looking to harvest personally identifiable information for illegal purposes.

But from a security perspective, insiders represent the most challenging vulnerability to data security. For example, there's Bradley Manning, a nondescript intelligence analyst in the U.S. Army who used his authorized access and a thumb drive to download and illegally disseminate a half-million classified documents to WikiLeaks. Likewise, in a case closer to home, former programmer Sergey Aleynikov was convicted of stealing secret high-speed trading algo code. Although his conviction was recently overturned on technical grounds, the fact remains that Aleynikov, an insider, snagged the code.

Avoiding Lockdown

So what can be done? How can the financial services business ensure the safety and security of its most prized possession with success, without sacrificing the overall utility of what it's trying to protect?

Sure, locking down the data improves security, but it can also greatly decrease its utility. Similarly, increasing data surveillance — including active monitoring of access privileges, stronger user authentications and encryption — can increase data security. But these technologies, which are all effective, create complexity, inefficiency and increased overhead.

Remember, security and accessibility are inversely proportional.

Remember, too, that in this business, there are few indicators of a problem before it hits. Normally, data breaches are uncovered after the fact, and while your gut instinct may be to close down access and increase scrutiny, that will become increasingly difficult because the demands for data continue to grow.

While there's no single answer to solve your firm's data security challenge, three truths exist:

1. We need to rely on a balanced approach to data security that is grounded in both technological innovation and strong human resources practices.

2. We need access to our data.

3. We have to find a way of granting access so that the access we grant does not bite us in the backside in the future.

Alexander C. Tabb is the practice leader and managing director for Tabb Group's crisis and continuity services practice. An expert in international affairs, he joined Tabb Group in October 2004 from Kroll Inc., the international risk consulting company. [email protected]