Not your usual breach
Incredulity is stretched to new levels
Blogs | 13 Sep 2012
A former National Asset Management Agency (NAMA) portfolio manager has allegedly sent more than 30 emails to his wife that contained attachments which themselves contained confidential information in relation to billions of euros' worth of property deals. It has been reported that the information could potentially prejudice the work of NAMA.
It is believed that the attachments were in portable document format (PDF) and that the spouse of the person involved works for Ernst and Young.
In the September edition of ComputerScope, there is a feature based on the results of a managed document services survey in which 227 IT professionals give their views and insights.
The results show that only 44% of Irish organisations have "a working system in place to effectively manage and retrieve all of business documents held across the entire organisation, including hard copy and soft copy".
I think that we can, based on the reports from NAMA, safely say that it is not among the 44%.
However, it is almost incomprehensible just how that might be so. For if such a system were in place, it seems highly unlikely that any operative, irrespective of rank, would be able to send sensitive information to a third party via email without alarm bells ringing and measures immediately coming into play that would prevent such exfiltration.
Even the most basic information and document management systems have features and capabilities that will prevent sensitive information leaving the organisation.
However, a very important aspect of such systems is that what is not scanned is not monitored. By that I mean if a paper document is not entered into the management system, then the system is not aware of it and so cannot manage it. That applies not only to retrieval, but also to security.
The NAMA experience has highlighted the fact that data protection must protect from within as well as without. The suggestion in this case seems to be that the employee who allegedly exfiltrated the information may have done so for personal gain. This is not a disgruntled employee, the usual image portrayed as the internal threat, alongside the simply daft or terminally bewildered who inadvertently do damage.
In this particular instance too, the reputational damage extends beyond the organisation from whence the information originated. In this case the recipient's organisation is also at risk of reputational damage despite having no involvement.
It is not as if we need any more cautionary tales of data breaches and losses, but for an organisation of the magnitude of NAMA to have failed either to have a system to manage sensitive information, or to have that information entered into it, is very serious indeed.