McAfee Data Protection Slashes Risk of Data Leakage Across Investment Bank BOCI’s Global Enterprise

BOC International Holdings Limited (BOCI) is a wholly owned, Hong Kong-based subsidiary of the Bank of China with registered capital of US$1 billion. The first investment bank established in China, BOCI has flourished along with China’s rapid economic growth. BOCI has operated overseas for over 20 years and its 11 subsidiaries now span Europe and Asia.

BOCI employees access hundreds of desktops, Microsoft Windows servers, and UNIX servers daily. A small BOCI IT staff supports the Windows environment, UNIX environment, and database applications. None of these IT professionals is dedicated to IT security; however, all share the responsibility.

Risk of losing sensitive data too high
“One of our top security concerns was the risk of sensitive monetary transaction or customer data falling into the wrong hands,” says Philip Wong, senior vice president of information technology at BOCI. “We had no way to prevent outsourced staff, office visitors, or employees from accidentally or maliciously copying confidential information onto a USB drive or printing it. The risk of data leaks, especially from laptops or USB thumb drives, was simply not acceptable to us.”

In addition, although the Hong Kong Monetary Authority had not yet required financial institutions to implement data loss prevention (DLP) solutions, Wong knew it was only a matter of time. “We wanted to proactively protect our customers and not have to scramble to comply,” he says.

Easy-to-use, easy-to-manage data loss prevention
After making the decision to proactively protect its data, BOCI began searching earnestly for a DLP solution. At the time, the company had no McAfee products. After evaluating several of the leading vendors’ products, and having the top two vendors conduct proofs of concept (POCs), BOCI chose McAfee Host Data Loss Prevention (Host DLP) to protect the sensitive data on all the desktops across its extended enterprise.

“We liked McAfee’s solution best because, unlike other solutions that required too much of users or were too complicated for administrators, McAfee Host DLP was easy to use and manage,” says Wong. “The ability to manage additional security risk management functionality with one central management console was also extremely appealing.”

As added protection against a data loss disaster, BOCI also purchased McAfee Encrypted USB devices and, for the company’s laptops, McAfee Endpoint Encryption. Furthermore, the company switched from using a competitive anti-virus solution to McAfee Total Protection (ToPS) for Endpoint to provide anti-virus and other protection for all of its desktops and servers. McAfee ePolicy Orchestrator (ePO) provides a single, integrated console for centralized management of each of these solutions.

Preventing leakage of sensitive data
BOCI relies on McAfee Host DLP to prevent restricted data on all of its desktops from being copied to external devices or distributed over the Internet. With McAfee Host DLP, BOCI administrators can set and implement policies that determine the type of content that should be monitored and protected, and to what degree. File folders on BOCI file servers have been classified with different levels of protection. For example, all folders with files containing content related to monetary transactions or confidential customer or employee data are assigned the highest protection level. Once a file is placed in these folders, it cannot be copied, moved, or printed.

“Creating our DLP policy guidelines helped us better understand our data protection needs as well as the power of the McAfee DLP solution,” notes Wong. “For instance, we realized that all data generated from one of our systems should be classified highly confidential, and that McAfee Host DLP could be set up to automatically protect all data coming out of that system — in addition to human-generated data.”

Much easier security management
With McAfee ePO, BOCI administrators have one central console for managing all of the company’s McAfee security solutions — from implementing DLP policies to monitoring virus interceptions and distributing new .DAT files. To update McAfee software agents on systems around the world, a BOCI administrator simply instructs ePO to push them out. “ePO makes managing security day-to-day so much easier,” says Wong.

On the customizable ePO dashboard, graphs and charts show at-a-glance information, such as what percentage of systems have out-of-date .DAT files. Customizable and prepackaged reports, which can be set up to automatically run and be distributed via email, provide BOCI administrators with increased visibility, whether over usage and movement of confidential data, or daily threat status.

Because it is web-based, ePO also facilitates sharing security information among administrators. BOCI’s Windows administrators “own” ePO, but they can, when needed, allow the company’s UNIX or database administrators to see ePO screens from their desktops.

An extra layer of data protection for laptops and USB drives
To further protect data on its globetrotting laptops, BOCI implemented McAfee Endpoint Encryption on each of them. Transparent to end users, Endpoint Encryption restricts data access to authenticated users. To access data on any BOCI laptop, a user must enter an authorized password and ID. In the future, the company plans to increase authentication requirements even further, for instance by requiring an RSA token or fingerprint scan. BOCI also plans to extend Endpoint Encryption to some of its desktops, especially those belonging to users who work at home.

Furthermore, BOCI now restricts data stored on BOCI desktops, laptops, or servers from being copied to anything but McAfee Encrypted USB devices. These small, portable USB drives feature powerful encryption technology combined with strong access controls, so that only authorized users can read the information stored on them.

Proactive compliance, risk avoidance, and a roadmap
McAfee solutions also help BOCI proactively comply with internal and industry regulations. As Wong had predicted, the Hong Kong Monetary Authority recently issued new mandates that require financial institutions to implement tighter safeguards protecting financial transaction and personal data. “Because we had implemented McAfee data protection, we were compliant before either regulation was issued,” he says.

“If we could quantitatively measure risk avoidance — avoidance of damage to BOCI’s reputation, good will, and customer trust — McAfee’s easy-to-manage, integrated security platform would show a high return,” adds Wong. “And McAfee keeps evolving its product line, giving us an ongoing roadmap that supports our current and future business needs.”

BOC International

Customer profile

Leading investment bank in China



IT environment

BOCI has hundreds of desktops, including laptops, and several hundred Windows and UNIX servers


BOCI needed to mitigate the risk of leaking sensitive data from any of its systems

McAfee solution

  • McAfee Host Data Loss Prevention enables the implementation of data security policies
  • McAfee Endpoint Encryption protects data on BOCI laptops from falling into the wrong hands
  • McAfee Encrypted USB ensures that data can only be copied to authorized devices
  • McAfee Total Protection (ToPS) for Endpoint safeguards desktops and servers from viruses and other threats
  • McAfee ePolicy Orchestrator (ePO) provides central management for each of these products


  • Easy-to-manage security thanks to integrated central console
  • Prevents users from accidentally or maliciously leaking data
  • Full visibility and control over usage and movement of confidential data
  • Proactive regulatory compliance and risk avoidance