DeltaCredit Bank is among the five largest banks in the Russian Federation in mortgage lending volumes and is owned by Société Générale, one of Europe’s leading banking and financial services groups. They are based in Moscow with 17 regional branches.
The Challenge
In common with many banks who operate at the heart of national financial systems, DeltaCredit face increasing challenges with risk, compliance and data protection. Without a data classification process, they found themselves treating all information equally, making incorrect risk assessments and underestimating or overestimating the value of information.
The Central Bank Of Russia requires Russian banks to have a data classification process, and DeltaCredit felt that implementing data classification software would achieve both compliance with this and other regulatory requirements, as well as giving them better visibility of what data they had and how to protect it. DeltaCredit identified that classification could not be successful as a one-off exercise just focused on specific applications or data sources but it needed to be continual and for all information they had; every file and email.
Supported by Fortra's Classifier Suite’s Elite reseller, Adacom, DeltaCredit shortlisted two possible user-driven data classification tools. Whilst both products were able to provide a range of functionality, they selected Fortra's Classifier Suite as it gave them the functionality they actually needed, at a more competitive price.
"The goal of this project was to implement a solution that can help to manage our data. We evaluated a few solutions and chose Fortra's Classifier Suite as they were the best in both price and quality. With the implementation of Fortra's Classifier Suite’s solution, our company has seen significant improvements to user awareness around the value of data. In combination with Data Loss Prevention systems, Fortra's Classifier Suite has helped to reduce DLP false positives by over 80%.”
Alexey Lola
Chief Information Security Officer at DeltaCredit Bank
The Solution
The team initially ran a pilot project comprising 40 users, with representatives from different departments. With the data classification tool impacting every employee in the bank, they felt it was critical to get detailed feedback on how to best implement the solution and what rules to use for each functional area. The pilot was successfully completed within a month and Delta purchased Email, Office, File and SharePoint Classifier for use across their business. Utilizing the flexible multilingual capability available within the Classifier Administration console, Delta Credit were also able to configure their policy in Russian.
Communication of the new process was identified as a priority and the team considered doing face-to-face training. As they felt that both their policy and Classifier were simple to understand, they chose instead to communicate changes by email, reminding users about the policy and providing details on which classifications levels to choose. Within the first four weeks, they were able to easily change the rules, altering notifications in response to feedback and tailoring implementation to the needs of the users to make life easier for them.
One of the greatest concerns was that the users wouldn’t like it and that it would have to be mandated, but in fact the DeltaCredit users treated classification as a game, surprising the ISO team with how positively it was accepted. During the phased implementation those users who did not yet have the tool were curious about others using it and requested it too. The software was implemented in just one week without the need for any specialist consultancy, skills or knowledge. “Once you’re done with the rules, you’re good to go, it doesn’t need a lot of attention, and it can just run. It’s very easy to maintain and we didn’t need a lot of specific knowledge or training” said Alexey Lola, Chief Information Security Officer.
The ISO team say they knew the project had been successful when they could see users were using the software and policy appropriately, and not simply using the default classification all the time. The team report a transformation of culture in relation to IT security, where classification is now automatic for the users and has become part of their normal daily routine. Alexey Lola continues “Classifier is not just about protection of the information – it’s there to change the security culture in the organization as it affects every employee in your organization.”
Classifier has also been integrated with DeltaCredit’s existing Data Loss Prevention (DLP) solution provided by InfoWatch, giving predictable and meaningful metadata that greatly improves the performance and reliability of the DLP decision-making logic. The combination of Classifier metadata and DLP has reduced false positives by over 80%, from around 150 events per day to 30-35 per day.
Conclusion
With the implementation of Fortra's Classifier Suite, DeltaCredit Bank has seen significant improvements in security culture and user awareness around the value of data. In combination with Data Loss Prevention systems, Fortra's Classifier Suite has helped to mitigate many data leakage risks, reduce false positives by over 80% and change the IT Security culture across the entire organization.