
The internal employee threat to security, whether
malicious or accidental, is at least as significant as the
external, writes John Colley, managing director
of (ISC)2 EMEA.
Most financial institutions have technical and non-technical
controls in place to make sure that employees follow the correct
processes and operate within the limits set for them.
Fraud breakers
For example, it is common practice to make sure that all staff
take at least one period of leave of two weeks or more. This
ensures that no employee can perpetrate a fraud that depends on
constant attention.
Another example is the introduction of variable limits on
transactions that require secondary authorisation. This limit might
be £9,750 one day, £1,500 the following day and £14,950 the day
after. The operator of the process has no knowledge of the
transaction limit and so cannot perpetrate fraudulent transactions
just below the authorisation limit.
However, this particular control is difficult to apply to
traders, as in the case of Société Générale, because it would be
difficult to set a limit that did not interfere with their
success. They are highly secretive about their trading arrangements,
both with each other and with their management; it is precisely this
that makes them so valuable to the organisation and is what they are
paid for.
Independent audit
If press reports are true that the trader in question had hacked
into the system and changed parameters to continue trading, then
that is a different story and one against which there are a number
of tools and controls. The key to ensuring such tools and controls
are effective will be in ensuring the auditing tools that cover the
trading are independent.
More specifically, trading systems should be backed up with a system
of checks and full audits of their integrity to reveal whether they
have been tampered with. These checks need to be applied not only to
the system itself but also to the database the system uses and the
individual transactions.
Finally, the auditing tool must itself be protected from
compromise. It appears clear that the Société Générale trader
exceeded his limit but that the system did not pick it up, which
suggests that the controls in place were also compromised.
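An added illustration of the independent, tamper-evident audit of transactions and parameters described above, combined with a re-check of the variable secondary-authorisation limit (example code written for this page, not from the article or from any bank's system; the audit key, record fields and sample amounts are constructed assumptions):

```python
import hashlib
import hmac
import json

# Constructed key for this example; in practice only the independent audit
# function holds it, so the trading system cannot re-sign tampered records.
AUDIT_KEY = b"constructed-audit-key-held-only-by-the-auditor"
GENESIS = b"\x00" * 32

# Constructed sample records: amount, the secondary-authorisation limit in
# force that day (hypothetical values) and who approved any breach of it.
SAMPLE = [
    {"id": 1, "trader": "T1", "amount": 9000, "limit": 9750, "approved_by": None},
    {"id": 2, "trader": "T1", "amount": 1400, "limit": 1500, "approved_by": None},
    {"id": 3, "trader": "T1", "amount": 20000, "limit": 14950, "approved_by": "supervisor"},
]

def _tag(prev: bytes, record: dict) -> bytes:
    # Each tag covers the previous tag, so editing, deleting or reordering
    # any earlier record invalidates every later tag.
    payload = prev + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).digest()

def build_ledger(records: list) -> list:
    """Append-only audit copy of the transactions, chained with HMAC tags."""
    ledger, prev = [], GENESIS
    for rec in records:
        tag = _tag(prev, rec)
        ledger.append({"record": dict(rec), "tag": tag.hex()})
        prev = tag
    return ledger

def verify_ledger(ledger: list):
    """Recompute the chain; returns (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        expected = _tag(prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, i
        prev = expected
    return True, None

def audit_limits(ledger: list) -> list:
    """Independent re-check of the control: indices of transactions that exceeded
    the limit in force without a recorded secondary authorisation."""
    return [i for i, e in enumerate(ledger)
            if e["record"]["amount"] > e["record"]["limit"]
            and not e["record"]["approved_by"]]

if __name__ == "__main__":
    ledger = build_ledger(SAMPLE)
    print(verify_ledger(ledger), audit_limits(ledger))   # (True, None) []
    ledger[2]["record"]["limit"] = 50000      # parameter raised after the fact
    print(verify_ledger(ledger))              # (False, 2): the audit copy detects it
```

Because the audit copy is keyed and held outside the trading system, a change to a transaction or to the limit parameter in the trading database is detected on the next verification, and a breach that was never authorised is flagged even when the primary system failed to pick it up.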
As is always the case in security, a balance has to be struck
between the cost of any security measure and the potential cost of
the risk involved. Clearly, in this case Société Générale got that
calculation badly wrong.