
Control is the biggest challenge for any information security professional, writes Raj Samani, vice-president of communications at the UK chapter of ISSA.
The recent events from Société Générale clearly demonstrate that controlling what an employee does is considerably harder in practice than theory.
The obvious answer is to provide policies and procedures to
govern what is deemed acceptable in an organisation. But just
because the sign says "don't run", it doesn't mean that people
adhere to it. Furthermore, having an awareness campaign to make
employees aware of the policies would equally have been
ineffective, as the suggestions are that Société Générale rogue
trader Jérôme Kerviel was fully aware of what he was doing.
Société Générale said that Kerviel had been "aided by his in-depth knowledge of the control procedures". In other words he knew how to circumvent the very controls meant to curb frauds, and the bank failed to apply two key security mantras: need to know and segregation of duties.
Triple failure
Three issues allowed Kerviel to get away with it for so long: a
lack of reporting, the ineffectiveness of controls meant to protect
the bank, and a lack of independent auditing/monitoring.
Reports say Kerviel began his fictitious trades in late 2006 and
early 2007, so why was this not picked up earlier? If an employee
were to do anything which contravenes acceptable use, ranging from
an unauthorised trade to using a USB memory stick, it should raise
an alert.
Also when the alert is raised, appropriate action must be taken.
In this case, when he was questioned about a particular trade,
Kerviel would describe it as a mistake, then cancel the trade. One
has to ask, if the flags had been raised and appropriate action
taken, would this be such a big story?
Kerviel circumvented the controls themselves by closing the
trades in just two or three days, which prevented a notice from the
bank's internal control system. This fundamental weakness allowed a
reported loss of £3.7bn. How much would effective control measures
have cost? Alternatively, by ensuring that someone else in the cycle had to authorise or review such actions, Société Générale could probably have prevented such a loss.
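The two weaknesses described above, a holding-period rule that never sees a trade closed inside the threshold and the absence of a second person in the approval cycle, can be shown side by side. This is an added illustration, not code from the article or from any bank's control system; the blotter, the three-day threshold and the notional limits are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample blotter for illustration only; not real bank data.
# Record: (trader, trade_id, opened, closed_or_None, notional_eur, approver)
TRADES = [
    ("trader_a", "T1", date(2007, 1, 2), date(2007, 1, 4), 800_000_000, None),
    ("trader_a", "T2", date(2007, 1, 5), date(2007, 1, 8), 900_000_000, None),
    ("trader_a", "T3", date(2007, 1, 9), date(2007, 1, 11), 750_000_000, None),
    ("trader_a", "T4", date(2007, 1, 12), date(2007, 1, 14), 950_000_000, None),
    ("trader_b", "T5", date(2007, 1, 3), None, 20_000_000, "supervisor_1"),
    ("trader_c", "T6", date(2007, 1, 2), date(2007, 1, 30), 5_000_000, "supervisor_2"),
]
AS_OF = date(2007, 1, 15)   # assumed reporting date for still-open positions
MAX_OPEN_DAYS = 3           # assumed holding-period threshold of the legacy control

def legacy_control(trades, as_of=AS_OF):
    """Legacy rule: a notice is raised only when a position stays open longer than
    MAX_OPEN_DAYS. Anything closed on day two or three is never seen at all."""
    return [tid for _, tid, opened, closed, _, _ in trades
            if ((closed or as_of) - opened).days > MAX_OPEN_DAYS]

def churn_control(trades, window_days=30, max_short=3, max_notional=1_000_000_000):
    """Compensating rule: aggregate short-lived trades per trader over a rolling
    window. Many large positions opened and closed under the threshold is itself
    the signal, so it is the count and summed notional that are flagged."""
    short = defaultdict(list)
    for trader, _, opened, closed, notional, _ in trades:
        if closed and (closed - opened).days <= MAX_OPEN_DAYS:
            short[trader].append((opened, notional))
    flagged = {}
    for trader, rows in short.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            in_window = [n for d, n in rows[i:] if (d - start).days <= window_days]
            if len(in_window) > max_short or sum(in_window) > max_notional:
                flagged[trader] = (len(in_window), sum(in_window))
                break
    return flagged

def four_eyes_control(trades, min_notional=100_000_000):
    """Segregation of duties: every trade at or above min_notional must carry an
    independent approver, and the approver may not be the trader."""
    return [tid for trader, tid, _, _, notional, approver in trades
            if notional >= min_notional and (approver is None or approver == trader)]
```

Run against the sample blotter, the legacy rule reports only the long-running T5 and T6 and misses trader_a entirely, while the churn and four-eyes rules both surface trader_a's four unapproved, short-lived positions.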
As the TJX Companies security breach has shown, it's not until a major loss occurs that organisations actually take security seriously.
Wouldn't it be nice if, just for once, the card holders,
shareholders, and everyone else in between weren't used as crash
test dummies by large corporations on "what not to do in
business".
Read more expert advice from the Computer Weekly Security Think Tank.