Control is the biggest challenge for any information security professional, writes Raj Samani, vice-president of communications at the UK chapter of ISSA.
The recent events from Société Générale clearly demonstrate that controlling what an employee does is considerably harder in practice than theory.
The obvious answer is to provide policies and procedures to govern what is deemed acceptable in an organisation. But just because the sign says "don't run", it doesn't mean that people adhere to it. Furthermore, an awareness campaign to familiarise employees with the policies would have been equally ineffective, as the suggestion is that Société Générale rogue trader Jérôme Kerviel was fully aware of what he was doing.
Société Générale said that Kerviel had been "aided by his in-depth knowledge of the control procedures". In other words he knew how to circumvent the very controls meant to curb frauds, and the bank failed to apply two key security mantras: need to know and segregation of duties.
Three issues allowed Kerviel to get away with it for so long: a lack of reporting, the ineffectiveness of controls meant to protect the bank, and a lack of independent auditing/monitoring.
Reports say Kerviel began his fictitious trades in late 2006 and early 2007, so why was this not picked up earlier? If an employee were to do anything which contravenes acceptable use, ranging from an unauthorised trade to using a USB memory stick, it should raise an alert.
Also, when an alert is raised, appropriate action must be taken. In this case, when he was questioned about a particular trade, Kerviel would describe it as a mistake, then cancel the trade. One has to ask: if the flags had been raised and appropriate action taken, would this be such a big story?
Kerviel circumvented the controls themselves by closing the trades in just two or three days, which prevented a notice from the bank's internal control system. This fundamental weakness allowed a reported loss of £3.7bn. How much would effective control measures have cost? Alternatively, by ensuring that someone else in the cycle had to authorise or review such actions, Société Générale could probably have prevented such a loss.
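The two control gaps described above, a monitoring rule blind to positions closed within a few days and the absence of an independent approver, can both be expressed as simple checks over a trade log. The following is an added illustration, not code from the article or from any bank's systems: the trade record format, the three-day threshold, the escalation threshold and the sample trades are all constructed assumptions. It reports short-lived trades instead of ignoring them, enforces segregation of duties by requiring an approver distinct from the trader, and aggregates alerts per trader so that a pattern of repeated "mistakes" is escalated for independent review rather than closed one at a time.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Trade:
    """Hypothetical trade record; field names are an assumption for this example."""
    trade_id: str
    trader: str
    notional: float             # size in assumed currency units
    open_date: date
    close_date: Optional[date]  # None while the position is still open
    approver: Optional[str]     # who authorised the trade; None if nobody did


# Constructed sample records for the example (not real Société Générale data).
SAMPLE_TRADES = [
    Trade("T1", "alice", 5_000_000, date(2007, 1, 8), date(2007, 1, 10), "bob"),
    Trade("T2", "alice", 8_000_000, date(2007, 1, 15), date(2007, 1, 17), "alice"),
    Trade("T3", "carol", 1_000_000, date(2007, 1, 9), date(2007, 2, 20), "dave"),
    Trade("T4", "carol", 2_000_000, date(2007, 1, 20), None, "dave"),
    Trade("T5", "alice", 6_000_000, date(2007, 1, 22), date(2007, 1, 25), None),
]


def flag_short_lived(trades, max_days=3):
    """Report trades closed within max_days of being opened.

    A control that only examines positions once they have aged past a few days
    never sees these; reporting them directly closes that blind spot.
    The three-day threshold is an assumption chosen for the example.
    """
    alerts = []
    for t in trades:
        if t.close_date is None:
            continue
        held = (t.close_date - t.open_date).days
        if held <= max_days:
            alerts.append((t.trader, t.trade_id, f"closed after {held} day(s)"))
    return alerts


def flag_unapproved(trades):
    """Segregation of duties: every trade needs an approver who is not the trader."""
    alerts = []
    for t in trades:
        if t.approver is None:
            alerts.append((t.trader, t.trade_id, "no independent approval"))
        elif t.approver == t.trader:
            alerts.append((t.trader, t.trade_id, "self-approved"))
    return alerts


def alerts_by_trader(trades, max_days=3):
    """Aggregate all alerts per trader so repeated 'mistakes' become visible."""
    summary = {}
    for trader, trade_id, reason in flag_short_lived(trades, max_days) + flag_unapproved(trades):
        summary.setdefault(trader, []).append((trade_id, reason))
    return summary


def escalate(summary, threshold=2):
    """Traders whose alert count reaches the threshold (an assumed value) go to independent review."""
    return sorted(trader for trader, items in summary.items() if len(items) >= threshold)


if __name__ == "__main__":
    summary = alerts_by_trader(SAMPLE_TRADES)
    for trader, items in summary.items():
        for trade_id, reason in items:
            print(f"ALERT {trader} {trade_id}: {reason}")
    print("escalate for review:", escalate(summary))
```

On the sample data, trades T1, T2 and T5 are flagged as short-lived, T2 and T5 additionally fail the approval check, and "alice" is escalated while "carol" generates no alerts. The point of the aggregation step is that each individual alert is easy to explain away as a mistake, whereas five alerts against one trader in a month is a pattern that someone outside the trading desk should be obliged to review.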
As the TJX Companies security breach has shown, it's not until a major loss occurs that organisations actually take security seriously. Wouldn't it be nice if, just for once, the card holders, shareholders, and everyone else in between weren't used as crash test dummies by large corporations on "what not to do in business"?