The internal employee threat to security, whether malicious or accidental, is at least as significant as the external, writes John Colley, managing director of (ISC)2 EMEA.
Most financial institutions have technical and non-technical controls in place to make sure that employees follow the correct processes and operate within the limits set for them.
For example, it is common practice to make sure that all staff take at least one period of leave of two weeks or more. This ensures that no employee can perpetrate a fraud that depends on constant attention.
Another example is the introduction of variable limits on transactions that require secondary authorisation. This limit might be £9,750 one day, £1,500 the following day and £14,950 the day after. The operator of the process has no knowledge of the transaction limit and so cannot perpetrate fraudulent transactions just below the authorisation limit.
However, this particular control is difficult to apply to traders, as in the Société Générale case, because it would be hard to set a limit that did not interfere with their success. Traders are highly secretive about their trading arrangements with each other and with their management; it is precisely this that makes them so valuable to the organisation and for which they get paid.
If press reports are true that the trader in question had hacked into the system and changed parameters to continue trading, then that is a different story and one against which there are a number of tools and controls. The key to ensuring such tools and controls are effective will be in ensuring the auditing tools that cover the trading are independent.
More fully, trading systems should be backed up with a system of checks and full audits of their integrity to reveal whether they have been tampered with. These checks need to be applied not only to the system itself but also to the database the system uses and to the individual transactions.
Finally, the auditing tool must itself be protected from compromise. It appears clear that the Société Générale trader exceeded his limit but that the system did not pick it up, which suggests that the controls in place were also compromised.
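As an added illustration, not taken from the article, of the two controls discussed above (the varying secondary-authorisation limit and an independent integrity audit of the transaction record), the Python sketch below derives each day's limit from a key the operator never sees and re-checks a MAC-chained transaction log both for tampering and for transactions that exceeded the limit without a second signature. The key, the limit range and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed sample key. The assumption here is that it is held by the
# independent audit function, never by the operators whose work it checks.
AUDIT_KEY = b"constructed-sample-key-not-for-production"
LIMIT_LOW, LIMIT_HIGH = 1_000, 15_000  # range the varying daily limit is drawn from


def daily_limit(day: str, key: bytes = AUDIT_KEY) -> int:
    """Derive the secondary-authorisation threshold for an ISO date ('YYYY-MM-DD').

    A keyed hash makes the value reproducible for the auditor yet unpredictable to
    an operator without the key, so nobody can pitch a transaction just below it."""
    digest = hmac.new(key, day.encode(), hashlib.sha256).digest()
    return LIMIT_LOW + int.from_bytes(digest[:8], "big") % (LIMIT_HIGH - LIMIT_LOW + 1)


def needs_second_signature(amount: int, day: str) -> bool:
    return amount >= daily_limit(day)


def record(chain: list, tx: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append a transaction to a MAC-chained log; each entry binds the one before it."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    body = json.dumps(tx, sort_keys=True)
    mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"tx": tx, "prev": prev, "mac": mac})
    return chain[-1]


def audit(chain: list, key: bytes = AUDIT_KEY) -> list:
    """Independent re-check of the whole log. Returns (index, reason) findings for
    a broken chain link (an entry altered or removed) and for any transaction that
    should have needed a second signature but was recorded without one."""
    findings, prev = [], "0" * 64
    for i, entry in enumerate(chain):
        body = json.dumps(entry["tx"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or entry["mac"] != expected:
            findings.append((i, "chain broken"))
        tx = entry["tx"]
        if needs_second_signature(tx["amount"], tx["day"]) and not tx["second_signature"]:
            findings.append((i, "limit exceeded without second signature"))
        prev = entry["mac"]
    return findings
```

Because the auditor recomputes both the chain and the day's limit from its own key, an entry altered in the database, an entry deleted outright, or a breach the live system waved through all surface in the findings list.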
As is always the case in security, a balance has to be struck between the cost of any security measure and the potential cost of the risk involved. Clearly, in this case Société Générale got that calculation badly wrong.