We were reminded on Monday that high-profile cyberattacks come not only from outside hackers, but also from insiders. A Morgan Stanley investment advisor, Galen Marsh, was terminated for copying client data from Morgan Stanley’s “wealth management arm” and publishing it to a site called Pastebin. According to the WSJ:
“Morgan Stanley discovered on Dec. 27 that the employee had downloaded the client data, which included account names and numbers, states of residence and asset values. Information on 900 clients was posted briefly on a website, the firm said Monday in a statement.” – WSJ – “Morgan Stanley Fires Employee Over Client-Data Leak”
Mr. Marsh’s job is gone and he’s dropped off the face of the Internet. His LinkedIn, Twitter, and Facebook accounts appear to have been deleted and it seems that he has enlisted the help of a lawyer. While no charges have been filed, Morgan Stanley believes that Marsh was giving potential buyers a sample of a much larger dataset to which he had access.
Banks, retailers, hospitals, governments and all kinds of businesses continue to get hacked in large part because the industry fails to understand the difference between “data security” and “network security”. Protecting the perimeter (network security) is no substitute for protecting the data itself (data security). Had Morgan Stanley had true data security in place, a copied file would have been useless to anyone outside the policy that governs it, and this leak likely never would have happened.
The solution to both internal and external threats is client-side, key-based encryption: data is encrypted before it leaves the user’s machine, and the keys stay under the company’s control, so the company controls the data no matter where a copy ends up.
Network Security isn’t Data Security, it’s No Security
Network security is dead. When you secure a network you do nothing to secure the data that network contains. All you are doing is securing access to a network, and as the Sony breach showed, it is all too easy to penetrate networks. If sensitive data on your secure network finds its way off of that network, it can be copied and shared freely, often without even being detected. And with the average breach not discovered for nearly six months, your data can travel a long way.
Whether or not the allegations that Marsh was aiming to profit from this data prove accurate, an employee was able to exfiltrate sensitive customer data from a secure network and copy it to Pastebin. Morgan Stanley’s network defenses are formidable; firms like this take network security seriously. Laptops are regularly audited and scanned, employees use two-factor authentication to access VPNs, and networks are secured by strict access control and authentication policies. Despite this investment in network security, employees are able to exfiltrate data with a simple copy and paste, and once sensitive data leaves the network in the clear the best a company can hope for is to identify the leak after the fact.
While this leak was detected, no amount of network security is going to stop a bad actor from emailing an attachment containing a report generated from a client database, because network security doesn’t secure data. Companies working with sensitive data need to encrypt it even while it sits inside a secured network, and they need strict, auditable controls on how data can leave the institution. Locking down access to data and mandating the use of Virtru for outbound email is one step in the right direction.
The Future is Data Security
When you rely on network security to secure your data, it will find its way out eventually. The long-term solution is key-based, client-side encryption: data is encrypted before it leaves the user’s device, and the keys are held separately under the company’s control. That gives the company visibility and a well-defined audit trail of every attempt to open the data, and it lets the company revoke access to information regardless of what network it is on. That is how a company avoids the situation Morgan Stanley finds itself in today.
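The model the two paragraphs above describe, as an added example that is not code from the original post and not Virtru’s own implementation: a client generates a fresh data key, encrypts a client report locally, and hands only the key and an access policy to a key server. The ciphertext can then be copied anywhere (a paste site, a personal email) and still carries no key; anyone holding a copy must ask the server for the key, every request is logged, and the owner can revoke the object so that even previously authorized readers are cut off. Everything below is constructed for the example: the addresses, the object ID and the sample report are invented, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for AES-GCM, which a real system would use.

```python
"""Toy model of key-based, client-side encryption with a policy-enforcing key server.

Added example, not the post's or Virtru's code. HMAC-CTR + HMAC tag stands in
for AES-GCM so the file runs on the standard library alone; names are invented.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stdlib-only stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(dek: bytes):
    # Separate encryption and MAC keys derived from the one data key.
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(dek: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(dek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AccessDenied(Exception):
    pass


@dataclass
class Policy:
    owner: str
    readers: set
    expires_at: Optional[float] = None  # None means no expiry
    revoked: bool = False


class KeyServer:
    """Holds data keys and policies, never plaintext; every key request is logged."""

    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def register(self, object_id: str, dek: bytes, policy: Policy) -> None:
        self._keys[object_id], self._policies[object_id] = dek, policy

    def request_key(self, object_id: str, requester: str, now: Optional[float] = None) -> bytes:
        now = time.time() if now is None else now
        policy = self._policies.get(object_id)
        if policy is None:
            reason = "unknown object"
        elif policy.revoked:
            reason = "revoked"
        elif policy.expires_at is not None and now > policy.expires_at:
            reason = "expired"
        elif requester != policy.owner and requester not in policy.readers:
            reason = "not authorized"
        else:
            reason = "granted"
        self.audit.append((now, object_id, requester, reason))  # the audit trail
        if reason != "granted":
            raise AccessDenied(f"{requester} -> {object_id}: {reason}")
        return self._keys[object_id]

    def revoke(self, object_id: str, by: str) -> None:
        self._policies[object_id].revoked = True
        self.audit.append((time.time(), object_id, by, "revoked"))


def protect(server: KeyServer, object_id: str, plaintext: bytes, policy: Policy) -> bytes:
    """Client side: fresh data key, encrypt locally, give the server only the key."""
    dek = secrets.token_bytes(32)
    server.register(object_id, dek, policy)
    return encrypt(dek, plaintext)


def open_object(server: KeyServer, object_id: str, blob: bytes, requester: str) -> bytes:
    """Recipient side: the ciphertext is inert until the server releases the key."""
    return decrypt(server.request_key(object_id, requester), blob)


def run_scenario() -> dict:
    server = KeyServer()
    report = b"acct 0001 Jane Doe NY 2400000\nacct 0002 John Roe CA 910000"  # constructed sample
    oid = "client-report-2014q4"
    blob = protect(server, oid, report, Policy(owner="advisor@bank.example",
                                               readers={"compliance@bank.example"}))
    leaked_copy = bytes(blob)  # pasted to a public site: same bytes, still no key
    results = {"plaintext_in_blob": report[:9] in leaked_copy}
    results["authorized_read"] = open_object(server, oid, leaked_copy, "compliance@bank.example") == report
    try:
        open_object(server, oid, leaked_copy, "buyer@example.net")
        results["buyer_denied"] = False
    except AccessDenied:
        results["buyer_denied"] = True
    # The failed request shows up in the log, so the firm pulls access to the object entirely.
    results["denied_requesters"] = [who for _, o, who, why in server.audit if why == "not authorized"]
    server.revoke(oid, by="security@bank.example")
    try:
        open_object(server, oid, leaked_copy, "compliance@bank.example")
        results["revoked_denied"] = False
    except AccessDenied:
        results["revoked_denied"] = True
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is where the trust sits: the key server never sees the report, only its key, and the holder of the ciphertext never gets a key without a logged, policy-checked request. That is what turns “a copy left the building” from an undetectable loss into a revocable, auditable event. A production system would add an expiry on the policy (the `expires_at` field is wired in for that), authenticate the requester rather than trusting a string, and use AES-GCM in place of the HMAC stream cipher.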
While Virtru is focused on client-side email and attachment encryption today, we have our eyes on using TDF to protect all data types. If companies really want to invest in data security, they will mandate the use of client-side encryption technologies like Virtru. Sensitive customer information should be secured at all times in a format that gives companies control over who can see it and for how long.
The first step toward protecting your data is to adopt Virtru for client-side email encryption and make it the only way employees can share data outside of your secure corporate network.