Data Loss Case Study: How to Tackle the Email Threat
Employee, Customer Education Key to DLP Solution's Success
Steve Jones is Chief Technology Officer at Signal Financial Federal Credit Union ($250 million in assets, 115 employees), based in Washington, D.C. His charge: protect the data of the credit union's 34,000 members.
Email is ubiquitous, essential to communication both within the institution and with the outside world, including customers. But it is also fraught with security threats, above all data loss and its consequences. Jones wanted to close the "flood gates" through which customer information could leak in a breach.
Nearly two years ago, Jones found his answer: a hardware appliance that monitors all outgoing email, scanning it for confidential information such as customer account numbers and other sensitive data. The data loss prevention solution answered the initial problem by enforcing the credit union's written data protection policies on the wire, rather than relying on each employee to remember them.
While Jones and his IT team face other threats and risks at Signal Financial, the threat of a data leak via email is now reduced. After nearly two years with the solution, Jones believes regulators will soon require data leakage prevention measures, and sees his organization ahead of that trend. "When my examiners were in, they loved the solution," Jones says. "I definitely see this is something that will be mandated in the next two years."
Tackling the DLP Challenge
When it came to data loss prevention (DLP), Jones sought two things: affordability and ease of use. Education of the credit union's 115 employees on identity theft and social engineering was already ongoing, with data protection a key element of it. But Jones convinced senior management that a technology control was needed as well.
"My take was, sure, we can tell our employees how they should be protecting the data and how things should go," Jones says, "(but) people are creatures of habit, and people have been sending emails back and forth before identity theft via the Internet became such a big concern.
"It's just a matter of time before someone mistakenly sends an email to the wrong person."
Jones knows this from first-hand experience. "Look at my name, Steve Jones -- it's a common name. It's a great example of how people can become confused and send an email to the wrong person."
A mis-sent email can happen innocently enough. An employee typing a name into Outlook might mean to pick the Steve Jones inside the institution but instead click a different Steve Jones outside it, and a spreadsheet full of account information goes to the wrong person. "While it was an accident, it is still a breach," Jones points out. "A breach is a breach no matter if it's an accident or done on purpose."
When Jones settled on a DLP solution, he saw it as taking this human element out of a data breach. With three locations to cover, he needed three boxes: one at the credit union's primary location, one at the disaster recovery site and one at the co-location site. The boxes scan outgoing content across TCP/IP protocols (HTTP, FTP, even HTTPS, which the appliance can only inspect if it is able to decrypt that traffic on the way out) and stop any traffic containing pre-defined information such as customer account numbers and other sensitive data.
The DLP solution scans the email body and any attachments. "Having something like this in place by and large protects us from most everything that will happen to us in our environment," Jones says. "Sure, we might have someone who is savvy who could get something by. But with this solution we're eliminating the majority of accidental data breaches (the most common: 'Uh-oh, I just sent the email to the wrong recipient') or the malicious person who doesn't have an IT background and doesn't know how to circumvent systems."
His approach was to prepare for the worst. With the credit union planning to open two more branches, Jones sees the additional headcount as another reason the solution helps. "Anytime a new employee is added, the credit union's email increases."
Education is Key
With the rollout of the DLP solution came a new wave of employee education. At Signal Financial, as at many institutions, IT sometimes gets a bad reputation for reprimanding employees for doing something wrong. "Instead, I saw each one of these occurrences as a training opportunity," Jones says.
Approaching the employee positively was his first step. Jones describes it as "Hey, just want to bring to your attention that this happened," followed by a little background on why the monitoring boxes are in place. He found that end users then understand a bit more and realize that what the credit union is doing is a good thing. "They realize we're protecting the credit union, their job, and the customer's data."
The DLP solution also catches the unwitting member who emails sensitive account information in the body of a message. "We tell them in our educational information not to send account information by email, but some distracted or rushed members still include their account numbers or identifying information in an email," he says. The solution catches those emails and flags them as a violation. Thorough education of employees has reduced the incidence significantly, Jones says. "The only violations that we've found so far are the employees who respond to these emails and don't take out the sensitive information in the emails before they reply to them." Replies of that kind, which carry the member's original text back out of the institution, made up the biggest share of cases Jones' team saw at first. Now, however, the member service representatives are "getting really sharp in learning to take these points of information out of their replies."
Currently, the only violations Jones and his team find are cases where a member puts an account number in the subject line and the member service representative misses it when replying.
Bottom Line: Solution that Fits the Scale
Jones says he and his team of five in the IT department looked at many DLP solutions. "We chose the one that answered the needs for our sized credit union, and allowed us to set thresholds to either be very strict and stop everything, or just send a warning email to the administrator."
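The scanning and policy logic described above (body and attachments, quoted member text in a reply, a number hidden in the subject line, and a strict-or-warn threshold) can be illustrated with a small outbound-mail filter. The following is an added example written for this article, not the appliance Signal Financial deployed or any vendor's code. The mail domain, the account-number format (8 to 12 digits after "acct" or "account"), the 13-to-16-digit card pattern with a Luhn check, and the sample message are all assumptions constructed for the demonstration.

```python
"""Outbound-mail DLP check: added illustration, not the appliance the article describes."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions (none of these are given in the article): the credit union's mail
# domain, and the formats of a member account number and a card number.
INTERNAL_DOMAINS = {"signalfinancial.example"}
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:=]?\s*(\d{8,12})\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum; keeps 13-16 digit invoice or ticket ids from tripping the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the DLP log does not itself leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text):
    """Return (kind, masked_value) pairs for every pattern hit in a piece of text."""
    hits = [("account", mask(m.group(1))) for m in ACCOUNT_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def scan_message(raw):
    """Scan subject, every text part and every decoded attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = [("subject",) + hit for hit in find_sensitive(str(msg.get("Subject", "")))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if not (ctype.startswith("text/") or ctype == "application/octet-stream"):
            continue  # a real appliance would also extract Office, PDF and zip contents
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        location = part.get_filename() or ctype
        findings += [(location,) + hit for hit in find_sensitive(text)]
    return {"external": external_recipients(msg), "findings": findings}


def decide(report, mode="strict"):
    """'strict' blocks any hit bound for an outside address; 'warn' only alerts the admin."""
    if not report["findings"] or not report["external"]:
        return "allow"
    return "block" if mode == "strict" else "warn"


def build_sample(to_addr):
    """Constructed test message: account number in the subject, a quoted member
    message in the body, and a CSV attachment carrying a card number."""
    msg = EmailMessage()
    msg["From"] = "teller@signalfinancial.example"
    msg["To"] = to_addr
    msg["Subject"] = "Re: Member acct 1234567890 question"
    msg.set_content("Hi Steve, the export you asked for is attached.\n\n"
                    "> My account number: 0099887766, can you check the balance?\n")
    msg.add_attachment("member,card\nA. Smith,4111 1111 1111 1111\n",
                       subtype="csv", filename="members.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    # Same message to the outside Steve Jones and to the internal one.
    for rcpt in ("steve.jones@otherbank.example", "steve.jones@signalfinancial.example"):
        rep = scan_message(build_sample(rcpt))
        print(rcpt, decide(rep, "strict"), rep["findings"])
```

The decision hinges on two things the article calls out: whether any recipient is outside the institution (the internal Steve Jones is fine, the external one is not) and whether the configured mode is strict or warn-only. The subject line is scanned separately from the MIME walk because it is a header, not a body part, which is exactly the place a number slips past a rushed reply; findings are logged masked so the DLP record is not a second copy of the data it protects.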
With a small staff (Jones has six IT people, including himself), Signal needed an easy-to-configure solution. "Even one of our auditors who also audits billion dollar credit unions tells me he marvels that we do the same work with a staff of six that the billion dollar credit union does with its staff of 60," Jones says. "That's what you call being organized and busy."
Looking ahead, Jones points to the emergence of data leakage as a major threat, as well as the evolving technological solutions to tackle the issue. Intrusion Detection Systems required some hard-sell when they first came out, he says. "Now you can't think of having a network setup without IDS and IPS. This is the same thing, except from a different angle -- you can stop your customers' information from leaving your network."