events – a balance will have to be
struck between false positives and
B.;Monitor and alert employees upon
detections. After passing through the
first stage, automated alerts issued,
based on pre-set thresholds, will be
more useful and trustworthy.
C.;Stop data in transit. Because it interferes with the conduct of business,
confidence in the technical solution
should be high.
Before the policy framework and
documentation tree is in place, financial-services management teams may
find it difficult to terminate offending
employees. This is often the case when
employee policies are out of date. For
example, many old policy frameworks
rely extensively on the clause that
company systems are permitted subject
to an “appropriate use.” It may create a
legal problem and liability to terminate
an employee who pushes beyond an
unwritten limit of BYOD (bring your own
device) policies, yet claims that what the
employee was doing was appropriate.
Because of the delays embedded
both in creating a document tree and
in trusting the deployed technical solutions, it is recommended that these two
initiatives be run in parallel, especially in
urgent, catch-up situations.
As a final note, many tend to think
of technology as steadily progressing
towards an ever-greater interconnectiv-ity -- and not thinking deeply about the
security of their data until it is too late.
It may be possible to learn a valuable
lesson from a less-technologically-developed country, Russia. The Kremlin
recently purchased 20 typewriters as a
method to secure its most sensitive leadership communications. 11 It is a cautionary statement that should remind us
that senior management is ultimately responsible for the inadvertent disclosure
of their company’s private data. TSL
John Nerenberg is a director in the IT & Applied Analytics Practice at AlixPartners LLP,
the global business advisory firm.
AlixPartners, LLP is a global business advi-
sory firm offering comprehensive services in
four major areas: enterprise improvement,
turnaround and restructuring, financial advi-
sory services, and information management
services. The firm was founded in 1981
and can be found on the Web at www.
alixpartners.com. The opinions expressed
are those of the author(s) and do not neces-
sarily reflect the views of AlixPartners, LLP,
its affiliates, or any of its or their respective
other professionals or clients.
1. Cyber Should be on Your Risk
Management Agenda http://www.
2. The U.S. weapons systems that experts say were hacked by the Chinese
3. Bradley Manning verdict https://
4. Inside the 2013 U.S. intelligence
‘black budget’ http://apps.wash-ingtonpost.com/g/page/national/
5. FY 2012 Information Technology Budget http://www.actgov.org/knowl-edgebank/governmentit/Documents/
6. Page 10 of the Defense Science Board
Task Force Report:
Resilient Military Systems and the
Advanced Cyber Threat lists critical infrastructure to include: power
generation, communications, fuel and
transportation, emergency services,
financial services, etc.
7. Pentagon Five-Year Cybersecurity
Plan Seeks $23 Billion http://www.
program request apparently was in
response to the data loss discussed in
8. NSA to cut 90 percent of systems
9. See the article by Jennifer Bayuk
www.bayuk.com titled Vendor Due
Diligence ISACA Journal Volume 3,
2009 and other references on her
website to the limitations of relying
on SAS 70 for assurance of information security protections
10. The NSA Intends To Fire 90% Of Their
System Administrators To Eliminate
Future Leaks http://www.busines-sinsider.com/nsa-firing-sysdad-
11. KREMLIN RECIPE FOR AVOIDING
LEAKS: USE TYPEWRITERS http://big-story.ap.org/article/kremlin-recipe-avoiding-leaks-use-typewriters