Protecting Bank Data from WikiLeaks

Even though much of the focus is on diplomacy, WikiLeaks is far more than just a phenomenon for government. Banks and other companies are clearly in WikiLeaks’ sights, and they expect that the impact of disclosures could be equally a devastating. As WikiLeaks founder Julian Assange told Forbes, “in the struggle between open and honest companies and dishonest and closed companies, we’re creating a tremendous reputational tax on the unethical companies.”

One of the potential next targets is the banking industry. WikiLeaks told The Times in December that it has masses of information from a major US bank and “if its management is [not] operating in a responsive way there will be resignations.” Bank of America is reportedly the target, and the New York Times reported that the bank has a team of up to 20 people preparing to manage a potential crisis.

What types of information could be damaging? Banking consultant Bert Ely told the Charlotte Observer that, for example, “WikiLeaks could reveal information on a range of issues, from executives’ actions during the Merrill Lynch acquisition to who is using the company jet. One of the more damaging disclosures would be evidence of securities law violations that can trigger lawsuits from shareholders and bring out the class-action bar.” Other analysts note that evidence of criminal behaviour or a conspiracy to defraud could likely have a significant impact.

The likelihood of leaks, even in Asia, could be higher than expected. Staff are already sharing unexpected information about their personal lives, and sharing information about their company could be equally easy. As CIO magazine noted, since employees’ “consumer experience and work experience is massive and growing, people are pushing for new ways to communicate, collaborate, and share information. They will go outside corporate networks to set up their own social networks for collaborating with each other,” or use “consumer web services for email, instant messaging, shipping files to each other, sharing documents, and storage.” Disclosure of information about sensitive people with an account at a bank, potential corruption in landing contracts or rogue actions like those in Singapore that led to the collapse of Barings more than a decade ago could be devastating.

The key, then, is to figure out how to protect data from being leaked.

One part of the solution is employee education. Companies can develop strong internal reporting systems about improper behaviour and an effective whistleblower programme so employees don’t feel they need to go to WikiLeaks or a similar organisation in the first place. Planning an effective crisis media strategy in advance is also important.

A second is compliance processes. As CIO Magazine also observed, companies are not only “concerned about trade secrets and confidential information, they must operate in a highly regulated world. It’s up to the company to put the right security and compliance processes in place to ensure that it does not run afoul of regulations or compromise its sensitive information.”

And another facet is technology. Security managers can start by classifying data according to how sensitive it is and restrict access on a need-to-know basis. Then, McAfee’s John Dasher says, solutions such as Data Loss Prevention (DLP) technology “can block attempted USB thumb drive use, or send up alarm flares when an otherwise ‘normal,’ authorised user suddenly copies hundreds of megabytes of sensitive information to their laptop in preparation for a hasty defection to a competitor or sharing with the likes of a WikiLeaks.” These and other similar technical solutions abound.

In an age of increasingly accessible data, fully preventing loss has become even more difficult. While data security may have looked like business as usual in the past, WikiLeaks has ramped up the need for security to an even higher level and given it a far higher priority. Smart companies will likely step up to the plate faster to ensure that data is secure.

15 views

Related reading