Treat Information Like Cash
By Kevin Hamel, Vice
President, Security Officer
Little time passes these days before we hear news of yet another breach of
customer data. The cyber security
industry is nearing $80 billion in
annual revenues, and pundits abound in
every major newspaper and Internet media
outlet in the land. Rick Wesson, CEO of
Support Intelligence, was recently
quoted in a New York Times opinion
piece: “If you’re looking for a digital
Pearl Harbor, we now have the Japanese
ships streaming toward us on the
Obviously, we’re frustrated. Bankers,
bank customers, credit card companies,
law enforcement, government - We want
personal information to be secure. We
spend, re-execute our risk assessment,
plan, and spend even more, and still the
data breaches continue. And even with
all the legislation, regulations, and
standards out there, we’re quickly
learning that compliance doesn’t always
equal security, and security doesn’t
always equal compliance.
Many wonder: ‘Why haven’t we
stopped these data breaches altogether?’ Perhaps
it’s because of how information has
traditionally been viewed. It is well documented
that organized crime, terrorist groups, and
hackers will often work together for financial
gain. Criminals have figured out that personal
information can be as good as cash.
So let’s explore that for a moment by looking at
how a financial institution handles cash.
Institutions have developed strict cash handling
procedures that have evolved over time.
Institutions know exactly how much cash is in
each teller drawer, branch safe, and ATM at all
times. This cash balance is known at all times
all the way up to the level of CEO.
Now consider personal information. Do we always
handle personal information in as controlled a
manner as cash? Do we keep close tabs on who has
access to this personal information? Do we know
who has accessed the personal data and what they
did with it? It would seem that most
organizations know far less about their
information assets than their cash. This is
likely due to the fact that, as little as 20
years ago, personal information was not viewed
Let’s explore how a “cash” approach to
information management might change our ability
to protect information assets.
Four key questions should be asked when
determining whether personal information is
1. Where is the data?
2. Who has access to the data?
3. How is the data protected at rest and in
4. What changed on our network?
Let’s explore these questions from a
“cash” point of view:
Where is the data?
Companies need to know where their customer
data is at all times. Computers make our lives
easy, but they also offer a myriad of places to
store data. Personal information can be stored
on this file server, or that one, on an
employees desktop PC, or even on a laptop that
leave the office on weekends or business trips.
Imagine doing that with cash! We know that the
more dispersed our assets are, the more
difficult they are to protect. Institutions know
that it’s easier to protect cash when it’s
stored in fewer locations. So why not take the
same approach with personal information? It will
be easier to protect the personal information
you maintain if it is stored in the fewest
Who has access to the data?
Companies need to know who has access to their
personal information. Many data breaches are
executed through the use of legitimate user IDs,
in some cases with access rights that are too
broad. Access to personal information should be
given only to those who truly need access based
on their job function. Again, looking at the
cash analogy, not everyone needs access to the
branch vault, right?
Gaining access to personal information should be
a controlled procedure that requires some level
of approval. And once access is granted, it
should be reviewed on a periodic basis. People
move from one job to another, and job functions
can change. It makes good business sense to
periodically validate that Joe Smith still needs
the access he was given two years ago.
How is the data protected at rest and in
We’re really talking about risk assessments
here. Every bank and retail store protects its
cash at rest and in transit through the use of
vaults, locked teller drawers, armored cars, and
dye packs. The FDIC’s Rules of Practice and
Procedure requires financial institutions to
document all reasonably foreseeable
vulnerabilities and all relevant controls for
cash. The Graham Leach Bliley Act requires
financial institutions to apply the same
principles to their information assets.
Companies that store customer information assets
need to document and assess the controls over
data, noting any gaps in security. This basic
step will enable you to determine the most
appropriate actions to reduce your level of
What changed on our network?
While this may be the most difficult task on
your security list, it remains the most
important. Reviewing the Hannaford, TJX and
possibly Heartland incidents, it appears that
the criminals used legitimate access rights to
install malware on these systems that enabled
them to capture customer information.
This is much like an individual granting
himself, or herself access to the branch vault
and using it to slowly siphon off cash. Your
company can protect itself by carefully
monitoring what has changed in the environment
to ensure that the activity is legitimate.
The overriding theme here is to be vigilant and
protective. Implementation of the cash model for
information management isn’t easy and grows in
complexity with the size of the organization.
Companies with many employees, multiple
locations, and complex networks may face a
seemingly insurmountable task.
Still, the question is not whether we can afford
to apply the banker’s “cash” model of oversight
to information management. The question ought to
be: Can we afford not to?