Thursday, January 8, 2015

Musing on Corporate Data and trust!

The report in WSJ today "Puzzle Forms in Morgan Stanley Data Breach" made me reflect on corporate data. The article describes
“Morgan Stanley fired one of its financial advisers after it accused him of stealing account data on about 350,000 clients and posting some of that information for sale online, in potentially the largest data theft at a wealth-management firm.”
Many of us in the corporate world realize the value of “data” and information, especially corporate data. Securing and protecting the data is an entire industry in itself, and incidents like the recent Sony hacking saga highlight how vulnerable corporations are when it comes to protecting data and information.

The Morgan Stanley incident was clearly a case of an insider with access to data either acting with malicious intent or erring big time
“Robert Gottlieb, Mr. Marsh’s attorney, said his client had acknowledged obtaining the account information and confirmed that he was fired. But Mr. Gottlieb said Mr. Marsh didn’t post the data online, and wasn’t seeking to sell it.”
The article adds
“Already, the episode is having ramifications within Morgan Stanley: On Tuesday, people familiar with the matter said the firm has tightened access to its client database so that individual advisers no longer have access to such wide swaths of account data.”
Employees and Information workers need access to critical, sometimes sensitive corporate data to do their job. Athough the jury is still out on whether Mr. Marsh acted with malicious intent, it brings up a question information security experts, business and technology leaders continually grapple with: in an age of big data, where access to information, including corporate data is required to make information workers productive, how to add the right level of checks and balances to avoid such incidents!
Preventing workers from misusing data goes beyond codifying policies. Additional security, access control restrictions, monitoring data access etc comes with additional cost, effort and overhead that may be justified for some data types – PII, Social Security numbers etc. Additional requirements may also be dictated by industry or corporate requirements (account information of financial institution’s customers as in this example). However, additional restrictions may not be practical for all or “routine” information shared across a company.

At the end of the day, it comes down to a balancing act between:
  • Human intelligence: The ability to identify the odd rogue employee/contractor/third party who has access to your data and may be inclined to act with malicious intent and
  • Trust: The need to continue to trust those who legitimately need access to corporate data do their job
Not easy to balance the two!