Germany’s purchase of ‘stolen’ Swiss bank data opens IT security Pandora’s box

Posted by admin on Feb 12th, 2010 and filed under News Analysis.


The global media is abuzz with the news of the German government’s plan to buy allegedly stolen Swiss bank account data pertaining to German tax evaders. Media sources say that German authorities are willing to pay €2.5 million for data on about 1,500 account holders. The information could yield €200 million in lost tax revenue to the German government.

However, this will not go down well with Switzerland as it would weaken the state’s image as a banking haven. Also, the Swiss government fears that such an incident could become a business model for data thieves if they know that governments would be willing to pay for such data.

Such deals between governments and malicious individuals raise questions not only on consequential business ramifications, but also on complex political and legal issues, which may even lead to a confrontation between the Swiss and German governments.

However, there is a third issue that needs to be deeply looked into as well – IT security. How does such secretive information ever find its way out? Is there a crack in the banks’ security armor? Are employees becoming a threat to organizations?

A couple of years ago, organizations considered employees largely trustworthy. However, with Acts such as Sarbanes-Oxley, this trust seems to have diluted. This outlook has bolstered the demand for IT security tools.

Dr Prof. Sachar Paulus, IT security expert, states that a number of tools and technologies have been introduced in the security market that are especially centered around detecting, or even preventing, insiders from harming the company. “For example, IT-GRC (Governance, Risk and Compliance) solutions have emerged that center around two important areas: the management of so-called internal controls that make sure fraud and espionage can be detected and the operational assurances of segregation of duty, which make sure people don’t have powerful authorization combinations.”

“There is a whole business that has emerged from ‘mistrusting the employee’. But on the other side, there will always be clever people…, so the question is whether all that technology is really helping attain the objective.”
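The segregation-of-duty control Paulus describes reduces, in practice, to a table of role combinations no single person may hold and a check run both over existing assignments (detective) and before a new grant is applied (preventive). The following is an added illustration, not code from the article or from any IT-GRC product; the role names and the toxic-pair rules are constructed for the example.

```python
# Added example (not from the article): a minimal segregation-of-duty (SoD)
# check of the kind an IT-GRC internal control performs. Role names and the
# toxic-combination rules are constructed for illustration only.
from itertools import combinations

# Constructed rule set: pairs of roles that no single person may hold together.
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"export_customer_data", "approve_data_export"}),
    frozenset({"manage_user_roles", "approve_payment"}),
}


def find_sod_violations(assignments):
    """Detective control over current grants.

    assignments maps a user id to the set of roles granted to that user.
    Returns {user: [(role_a, role_b), ...]} for every user who holds at
    least one toxic combination; each pair is listed in sorted order.
    """
    violations = {}
    for user, roles in assignments.items():
        hits = [pair for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in TOXIC_PAIRS]
        if hits:
            violations[user] = hits
    return violations


def would_violate(assignments, user, new_role):
    """Preventive control: evaluate a requested grant before it is applied."""
    roles = set(assignments.get(user, set())) | {new_role}
    return bool(find_sod_violations({user: roles}))


# Constructed sample: three bank staff and their current roles.
SAMPLE = {
    "alice": {"create_vendor", "view_reports"},
    "bob":   {"export_customer_data", "approve_data_export", "view_reports"},
    "carol": {"approve_payment", "manage_user_roles"},
}

if __name__ == "__main__":
    for user, hits in find_sod_violations(SAMPLE).items():
        print(f"{user}: toxic combination(s) {hits}")
    ok = not would_violate(SAMPLE, "alice", "approve_payment")
    print("grant approve_payment to alice?", "allowed" if ok else "blocked")
```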

Senior IT security consultant Mr Gregory Guglielmetti believes that data theft by greedy or disgruntled employees is a growing concern. However, it is only a symptom of a larger problem.

“For the last two decades we have increasingly digitalized all sorts of information, from intellectual property to client details. Quick access and reproduction of this information has increased productivity, but exposed companies to risks of noncompliance and IP theft. Accessibility to information has been fueled largely by technological innovation. This happened so fast that few have taken the time to think about the consequences in terms of IP and data security,” states Mr Guglielmetti.

“On top of this general trend we can recognize additional difficulties in protecting information. IT architectures have grown large, heterogeneous, and complex. It is increasingly difficult to answer even simple questions. Which systems manage customer data? Are backups encrypted? How do we securely dispose of non-necessary copies of data, for example, after a migration project?

“In such chaotic conditions it is easy today for an employee to walk out of a company with critical information without leaving traces behind. Data Leakage Prevention (DLP) tries to address these problems from a preventive and detective aspect, by controlling access to critical information and keeping traces, for example, if the data was copied. DLP can support information protection initiatives. However, it is not sufficient. Achieving a good level of information protection will require a combination of organizational and ethical initiatives, simplified IT architectures and management attention.”

Dr Heiner Kromer, CEO and Chairman, SECUDE AG, says that the bank’s management has the responsibility to prevent data loss. “Not only because of bank secrecy philosophy, but also because of real data protection laws, which require banks to keep safe customer data.”

“There are large fines leveled against the bank should it be proven they have not implemented available and effective tools. The real issue here is that banks have not spent the funds needed to implement sufficient safeguards such as access and authorization controls, encryption, identity management methods, device control, and user PC or laptop encryption. The users’ access to sensitive data must be controlled and the data must be kept safe. It is possible with today’s technology to do so, but it means the management must provide the funds and willpower to get it done.”

Banks and other financial organizations often identify and single out specific security risks and take isolated measures without looking at the overall long-term risk management strategy. Tactical measures such as guards, gadgets, and security software are prudent, but without a holistic approach, companies remain at risk of intellectual property destruction.

A holistic approach ensures the organization’s long-term needs and helps develop a comprehensive strategy to deal with risks over the next five years and beyond.

News Information Source: Bloomberg.com

Image above from Flickr – Pandora’s Box
