Feature

Risky revamping: managing data efficiently

Adrian Palmer, Proven Legal Technologies

Deutsche Bank recently announced plans for a significant restructure, with the Wall Street favourite preparing to split its investment bank in two. One arm is set to focus on corporate and investment banking, and the other on sales and trading. As part of the major overhaul, both divisions have brought in new professionals, and are soon set to announce their new executive committees.

The radical re-organisation follows pressure from investors to reform, and is intended to restore reputation and profitability for the German bank following a series of large-scale scandals, including Libor-rigging and investigations into data breaches. Deutsche Bank will also sell off several smaller businesses, minimising the workforce and cutting costs – resulting in a significant number of redundancies.

While the objectives and expectations are positive, any major re-shuffle in a large and high-profile organisation comes with risks. These uncertainties can never be explicitly predicted or planned for, but it is crucial for organisations of all sizes to understand where the dangers lie when undergoing internal restructure, or taking part in mergers and acquisitions. The risks that banks face in association with confidential information, data storage, and intellectual property are all issues that should be key considerations for any business experiencing reorganisation and employee reshuffles.
Data liabilities

The recent exposure of data breaches and the costly consequences have highlighted to businesses how crucial it is to protect valuable data. In response to breaches and regulatory crackdowns, many organisations have attached higher importance to data security and storage, both online and in physical back-up form. This gives the feeling of increased security in the knowledge that all the information is accessible for internal use or investigatory requirements. However, contrary to popular belief, this behaviour can in fact be harmful to companies and cause extreme complications when it comes to M&A activity.

Even after a merger or acquisition, data liabilities are transferred to the new company. For that reason, acquirers must carry out due diligence tests to ensure they’re not taking on heavy baggage and the responsibilities that accompany it. Not only are data archives costly and cumbersome to store, they are also a serious liability to any business should it become embroiled in litigation or a regulatory document request. Should an investigation take place, or an employee file a staff-subject request, all existing data may need to be combed meticulously, incurring great expense and draining company resources. For this reason, large libraries of data can, in some circumstances, deter companies from merging with another, or decrease the value of the acquiree. The acquiring companies should expect full visibility of the data on file and what it contains, and question what the data liabilities will look like. If it appears too high, or the archived material is deemed too burdensome, M&A activity may be hindered or severely complicated. In some cases, data liabilities can impact a business’ value, and deter potential acquirers from closing the deal.

Even when restructures are internal, data histories can muddy the waters and prove a procedural nightmare if investigative action arises. To avoid this, companies should not be retaining data when it is no longer needed or no longer has a legitimate purpose. Unnecessary data retention can be diminished by reasonable document deletion in accordance with standard business practices. Any company being acquired or undergoing reorganisation should assess its document retention policies and seek to destroy back-up tapes that are unlikely to be referenced by the business. Any data that is deemed to have a legitimate purpose may be kept for a specific reason after having been transferred to a live document management system, which makes retrieval and examination more viable and cost-effective.

Although there is a general fear about discarding archived data, companies are in
a much stronger and more flexible position when data storage is managed efficiently.

M&A or restructuring can see a number of employees join and leave a company, posing another serious concern around company data. In the case of Deutsche Bank, almost a quarter of the workforce will be let go, meaning that 98,000 individuals who have previously had access to sensitive material will move on to positions elsewhere – potentially competitors. Whether employees have been let go or poached by rival firms, they may attempt to make use of previous client relationships, inside knowledge and confidential data, taking more than just their expertise with them. Intellectual property is also under threat, as individuals may attempt to take documents with them that contain business development or strategy plans.

Technology makes this process much easier, and there are more routes than ever to transport data. Bring-your-own-device (BYOD) policies and cloud-based computing are just some of the ways in which previous employees can both accidentally and purposefully take and share sensitive information. There is no way that businesses can control what employees discuss and transfer via private social media, but when data is transferred to cloud systems or removable devices, it makes it extremely hard to trace and keep track of.

The issue of staff departure must be managed closely, as many are likely to have a number of electronic devices assigned to them that could contain confidential information and valuable intellectual property. The location of all mobile phones, laptops and tablets must be monitored carefully, and devices seized from individuals leaving the company. In addition, businesses must implement rigorous communication monitoring strategies in the run up to departure dates, ensuring employees are not sending sensitive documents or contact lists to private emails or downloading them onto hard drives.

Blanket bans of BYOD, working from home, or carefully controlling which employees have access to certain files minimises the likelihood of sensitive data being stored or moved elsewhere. IT teams should be aware of the monitoring tools available, as well as their ability to track what information is downloaded onto external memory sticks, and who by.

When internal restructures take place or announcements of job cuts are made, it is essential that IT teams are given plenty of warning and can ensure the correct records and preparations are in place, detailing which devices are assigned to each member of staff – and what they contain. Information that is still in use or contains sensitive material should never be left untraced or rendered unobtainable on removable devices, and confidential data must not be allowed to find its way into the wrong hands when ex-employees take positions at other companies.

Effective data management

In the modern world, companies and individuals are faced with more data than ever before. Although technology has allowed information access and transfer at the touch of a button, it has also created an almost unlimited quantity to be safely stored and protected. When internal overhauls or M&A activity take place, it is essential that the process is handled carefully from a data perspective, with a complete understanding of what information is stored where, and indeed whether it can be wiped to minimise liabilities. The intricacies of data stored by employees should also be a key consideration, with protective measures implemented to ensure confidential information is traceable and secure, and does not become accessible for unauthorised third parties when ex-employees take information with them.

About the author

Adrian Palmer is the managing partner at Proven Legal Technologies, a corporate forensic investigation and e-disclosure firm.

EVENTS

2–5 March 2016
NullCon
Goa, India
http://nullcon.net/website/

9–11 March 2016
ACM Conference on Data and Application Security and Privacy
New Orleans, LA, US
www.codaspy.org/

10–11 March 2016
BSides SLC
Salt Lake City, UT, US
www.bsidesslc.org

9 April 2016
BSides Oklahoma
Tulsa, OK, US
http://bit.ly/1O3pYZt

15–16 April 2016
BSides Canberra
Canberra, Australia
http://bit.ly/1l7suHc

2–4 May 2016
North America CACS
New Orleans, US
http://bit.ly/1Nqhu2c

23–27 May 2016
HITBSecConf
Amsterdam, Netherlands
http://conference.hitb.org/

28–29 May 2016
LayerOne
Los Angeles, US
www.layerone.org

30 May 2016
International Workshop on Traffic Measurements for Cyber-security
Xi’an, China
http://wtmc.info/

Computer Fraud & Security, February 2016