Privacy. Confidentiality. Trust.
These are central to our profession and very close to all our hearts.
We have just witnessed a massive breach of client privacy from a firm people trusted to keep their data private. What happened? How could this have been prevented? What must you do to prevent this from happening to you?
Let's look closer at what happened.
There are some strange things about this leak. Firstly, the sheer size: 2.6 terabytes of data. That is a lot of data, even allowing for document scans, graphics and pictures.
Put another way, 2.6 TB is about 3,600 CDs. About 253,000 minutes of music. If that leak was music on CDs, you would have 4,200 hours of continuous playtime in your car on your way to work. 175 days of continuous Sinatra, Beatles, Mozart. Or perhaps Metallica.
It takes some doing, even these days, to shift 2.6 TB. It requires resources; you do not shift this much data by plugging in a USB stick or two. Whether it went out on external drives or over the network, a volume that size leaves a footprint, days of sustained writes to removable media or weeks of outbound traffic, and both should show up in the logs. The breach is being touted as an external hack by "rogue" hackers.
But those responsible have still not been identified. It has been a couple of months now and still no one has come forward. Odd. A hacker team that pulled this off would be doing some serious bragging on the dark web forums; this is serious street cred. A rogue hack? Unlikely; it is just not credible.
Another strange feature: so far, hardly any Americans have been in the spotlight. The odd one or two, but no one prominent. Odd that. Is it plausible that Mossack Fonseca had no clients from the American mainland? I would not want to suggest that the NSA, FBI, CIA, IRS, DOJ, Department of Homeland Security or some other agency had anything to do with this.
As we know, friends don't spy on friends, but it is odd. It is possible, perhaps, that the American names are being held back at the request of the U.S. Government. Given their wealth, some of the people in the Mossack files may be politically connected. But this is pure conjecture.
Preventing unforgivable sloppiness
Onwards. How could this have been prevented? What must you do? What should you make sure is in place?
All the major leaks of recent years have several things in common. Three of them are:
First, encryption. Encrypting data on servers, user machines, laptops and mobile devices is basic. If you are running an enterprise holding sensitive client data and you are not encrypting the data on your servers, you need to have a Trump style "Fix it or you're fired" discussion with your head of IT or, if you outsource, with your IT service provider. Be clear, though, about what encryption at rest buys you: it protects a lost laptop, a decommissioned disk or a stolen backup, not data read through a legitimately logged-in account or through an application that holds the keys and is doing exactly what it was asked to do. It is necessary, not sufficient, which is why the next two points matter.
At this stage of the game, this kind of sloppiness is not forgivable.
Second, data transfers. These need to be analysed in real time. Communications and transfers of data are already logged: your IT systems produce log files all day long. Are those logs analysed daily for unusual activity?
In most breach post-mortems, the log files show the unusual activity clearly, and an audit of them shows when, where and what data was lost. In other words, the IT system was recording the activity but was incapable of recognising and flagging it as it happened. Software that monitors and analyses log files in real time is therefore essential; a 2.6 TB transfer is not a subtle signal.
Third, user behaviour must be monitored and baselined. Yes, this has shades of Big Brother and is unpleasant. In the real world, however, a large share of data security breaches involve an insider (a figure of some 90% is often quoted), frequently one manipulated through social engineering. Employees have a right to privacy in many areas at work: when they surf the net, write emails to their family on Gmail, post on Facebook and shop on eBay and Amazon.
Employees log on to private spaces on company machines; that is reality, accept it. One solution is to give them standalone laptops or tablets for personal use; another is to put business-critical applications on standalone machines, virtual or physical. Either way, the software monitoring user behaviour must be able to model normal behaviour and flag unusual behaviour within the business applications.
For example, a user normally accesses five or six client files a day, and one morning he comes in and accesses 30 to 40. That is unusual and must be flagged.
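As an added example that is not part of the original article (and not code from Envisage or SDI), the following Python sketch runs the two checks just described over a constructed audit log: each user's count of distinct client files per day is compared against that user's own earlier days, and a day that is both several standard deviations above and at least double the user's mean is flagged. The log format ("date user action client_id"), the user names, the thresholds and the minimum-history rule are assumptions for illustration; real document-management and file-server audit logs carry different fields.

```python
"""Flag users whose daily client-file access count departs sharply from their own history.

Added example for this article, not code from Envisage or SDI. The log format
("date user action client_id"), names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_BASELINE_DAYS = 3   # judge a day only once this many earlier days exist for the user
SIGMA = 3.0             # flag if the count exceeds the baseline mean by this many std devs
MIN_RATIO = 2.0         # ... and is at least this multiple of the mean (no alerts on tiny jitter)


def constructed_log():
    """Constructed sample data, not from any real system."""
    lines = []
    # alice: five or six client files a day, then 36 on the sixth day
    for day, n in enumerate([5, 6, 5, 6, 5, 36], start=1):
        lines += [f"2016-04-{day:02d} alice OPEN C{1000 + i}" for i in range(n)]
    # bob: steady four or five a day
    for day, n in enumerate([4, 5, 4, 5, 4, 5], start=1):
        lines += [f"2016-04-{day:02d} bob OPEN C{2000 + i}" for i in range(n)]
    # carol: started this week, too little history to judge
    for day, n in enumerate([3, 20], start=5):
        lines += [f"2016-04-{day:02d} carol OPEN C{3000 + i}" for i in range(n)]
    lines.append("malformed line that a parser must not crash on")
    return "\n".join(lines)


def distinct_clients_per_day(log_text):
    """Return {user: [(date, distinct_client_count), ...]} in date order."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines instead of aborting the run
        date, user, action, client = parts
        if action == "OPEN":
            seen[user][date].add(client)
    # ISO dates sort correctly as strings
    return {u: sorted((d, len(c)) for d, c in days.items()) for u, days in seen.items()}


def find_anomalies(log_text):
    """Return (alerts, unbaselined_users).

    alerts: (user, date, count, baseline_mean) for days that stand out from the user's
    own prior days. Flagged days are kept out of the baseline so a spike cannot
    'teach' the model that spikes are normal.
    unbaselined_users: users with too little history to judge, reported rather than
    silently skipped.
    """
    alerts, unbaselined = [], set()
    for user, series in distinct_clients_per_day(log_text).items():
        if len(series) <= MIN_BASELINE_DAYS:
            unbaselined.add(user)
        history = []
        for date, count in series:
            if len(history) >= MIN_BASELINE_DAYS:
                mu, sd = mean(history), pstdev(history)
                if count > mu + SIGMA * sd and count > MIN_RATIO * mu:
                    alerts.append((user, date, count, round(mu, 1)))
                    continue              # do not let the anomalous day pollute the baseline
            history.append(count)
    return alerts, unbaselined


if __name__ == "__main__":
    found, new_users = find_anomalies(constructed_log())
    for user, date, count, baseline in found:
        print(f"ALERT {user} opened {count} client files on {date} (baseline {baseline}/day)")
    print("insufficient history:", sorted(new_users))
```

Two caveats a practitioner will want. A per-user baseline is defeated by a slow ramp, an insider who adds a few files each day, so pair it with peer-group comparison (how many files do colleagues in the same role open?) and with absolute caps; and a count of files says nothing about volume, so the same logic should run over bytes written to removable media and bytes sent to external hosts, where a 2.6 TB exfiltration cannot hide.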
Putting security first
Data transfers to USB devices must be monitored; this is also basic. Out of the box, Windows™ does not log a simple copy and paste of data to a USB stick. It can be made to: enabling the "Audit Removable Storage" subcategory (Advanced Audit Policy Configuration, Object Access) makes the Security log record an event 4663 for each file handle opened on removable media. But that output is raw and noisy, and it records file access, not what was copied where or how much. There is readily available software on the market that does this properly, with context and the ability to intervene; install it.
The software you install should be able to automatically slow down what it perceives as "unusual" data transfers. If it detects what it considers unusual activity, it should throttle the transfer while at the same time notifying security. This gives security time to act without arousing suspicion if the transfer is malicious. On detecting something really strange, the software should also be able to stop the transfer in its tracks, requiring the user to contact the security officer to authorise it.
This is easy to do. Moreover, it does not interfere with ordinary work, because the user is doing something highly unusual. If they do not have the authority to do what they are trying to do, they need to apply for and obtain that authority first.
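The graduated response described above (slow it down and notify, then stop and demand authorisation), as an added example that is not part of the original article and not code from any SDI or Envisage product: a small Python policy object decides, per chunk of an outbound copy, whether to allow it at full rate, throttle it while alerting security, or block it until a named security officer records an approval. The per-user baseline, the multipliers, the absolute floors and the transfer rates are assumed values; a real agent would learn the baseline from history and enforce the rate in the filter driver or proxy.

```python
"""Graduated response to an unusually large outbound copy: allow, throttle + notify, or block.

Added example for this article, not code from Envisage or SDI. Baselines, multipliers,
floors and rates are assumed values chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransferPolicy:
    baseline_mb_per_day: float        # the user's normal daily outbound volume (assumed known here)
    throttle_factor: float = 3.0      # above this multiple of baseline: slow down and alert security
    block_factor: float = 10.0        # above this multiple: stop and require authorisation
    throttle_floor_mb: float = 50.0   # absolute floors so a low-baseline user is not nagged over a few MB
    block_floor_mb: float = 500.0
    full_rate_mbps: float = 40.0
    throttled_rate_mbps: float = 2.0  # slow enough to buy security time, not so slow it looks like a block

    def throttle_at(self) -> float:
        return max(self.throttle_factor * self.baseline_mb_per_day, self.throttle_floor_mb)

    def block_at(self) -> float:
        return max(self.block_factor * self.baseline_mb_per_day, self.block_floor_mb)


@dataclass
class TransferSession:
    """Tracks one user's cumulative outbound volume for the day and decides per chunk."""
    user: str
    policy: TransferPolicy
    sent_mb: float = 0.0
    approved_by: Optional[str] = None
    alerts: List[str] = field(default_factory=list)   # what the security officer sees; the user does not

    def decide(self, chunk_mb: float) -> Tuple[str, float]:
        """Return (action, permitted_rate_mbps) for the next chunk; account for it only if it may go."""
        projected = self.sent_mb + chunk_mb
        if self.approved_by is not None:              # an officer has authorised this transfer
            self.sent_mb = projected
            return "ALLOW", self.policy.full_rate_mbps
        if projected > self.policy.block_at():
            self.alerts.append(
                f"BLOCK {self.user}: {projected:.0f} MB would exceed {self.policy.block_at():.0f} MB; "
                "user must contact the security officer")
            return "BLOCK", 0.0                       # nothing sent; the user is told to seek approval
        if projected > self.policy.throttle_at():
            if not any(a.startswith("THROTTLE") for a in self.alerts):
                # notify security once; the user only notices a slower copy
                self.alerts.append(
                    f"THROTTLE {self.user}: {projected:.0f} MB exceeds {self.policy.throttle_at():.0f} MB")
            self.sent_mb = projected
            return "THROTTLE", self.policy.throttled_rate_mbps
        self.sent_mb = projected
        return "ALLOW", self.policy.full_rate_mbps

    def authorise(self, officer: str, ticket: str) -> None:
        """Record who lifted the block and under which ticket, for the audit trail."""
        self.approved_by = officer
        self.alerts.append(f"AUTHORISED {self.user} by {officer} ({ticket})")


if __name__ == "__main__":
    session = TransferSession("alice", TransferPolicy(baseline_mb_per_day=100))
    for chunk in (200, 200, 700):                     # constructed copy of 1.1 GB in three chunks
        print(chunk, "MB ->", session.decide(chunk))
    session.authorise("security-officer", "CHG-0001")
    print(700, "MB ->", session.decide(700))
    print("\n".join(session.alerts))
```

The thresholds are cumulative for the day, so splitting a copy into many small chunks does not help the user; spreading it across many days does, which is the same slow-ramp gap as with any per-user baseline and is why volume limits belong alongside destination checks (unknown USB serial numbers, personal cloud storage, personal webmail) rather than instead of them.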
Drawing on one founder's experience as a consultant combined with many years of working in private wealth management, our company, Envisage, will be offering data security services.
On the technical side, Envisage partners with a specialised data security firm, Secure Data Innovations AG (SDI). SDI has been providing security solutions for over 20 years; with roughly half the world's airlines, major credit card companies, banks and government agencies using its software and systems, SDI has pretty much seen it all.
Technology needs to be applied intelligently; all too often we see expensive IT solutions implemented that are basically useless in practice.
The price tag of this hack in the market is around 30,000 USD. Unfortunately, as human beings, we perceive problems only as and when they occur, giving very little weight to prevention. Because we attach no value to what we do not see, a problem is only a problem and a solution only has value when something actually goes wrong. This is too late.
The perils of the Automatic Exchange of Information
CEOs, COOs and Compliance officers need to talk to their heads of IT and outsourcing partners about data security.
Two strategies are required: one for data 'at rest' on servers and user devices and one for data 'in motion' during transmission. With the Automatic Exchange of Information (AIA, meaning FATCA and the CRS), the problem will grow dramatically over the next few years as increasingly large volumes of data are passed between and among financial institutions and government agencies.
There are really two groups of professionals set to profit enormously from all this: lawyers and professional criminals. Both of whom are currently salivating at the prospect of the business opportunities AIA will bring.
For both, AIA is a gift from heaven and will supercharge their respective profit and loss accounts for the coming decade or more. For you, the involvement of either usually means lots of time, trouble and cost to your business.
Partnerships with specialist providers need to be established to implement solutions, technical, process and procedural, to address this latest challenge in an ever-changing and increasingly complex world. Do not be the one to lose your clients' private data.
Martin Straub is the founder and managing partner of Zurich-based Envisage Wealth Management. He has over 15 years' experience in financial services, working in both private and investment banking with a variety of institutions.