Data Security – An inside(r) story
Monday morning. The CEO of Morgan Stanley gets an urgent phone call at 5am – “we have a serious crisis!”…
As more information comes in, Morgan Stanley’s management team understands that data on about 10% of their customer base has leaked and is completely out of their hands.
As the story unfolds, it becomes clear that the employee took advantage of a system flaw that let him go through all the data and obtain more than 300,000 records, some of which appear to contain private and sensitive data, bypassing all security solutions such as DLPs and WAFs.
Morgan Stanley is just one of many: there have been many additional cases in which insiders obtained a large number of records and tried to either extort their companies or sell the information in the underground.
As a former Head of Risk Management at a leading Fin-tech company, I can tell you that this often happens due to a combination of circumstances:
- Internal and home-grown applications have been developed over years of cycles, patch over patch.
- Little attention to inherent security and segregation of information (on a “need to know” basis).
- The unpleasant process of going through your internal systems and acknowledging all data security gaps, which becomes yet another “we have to do it at some point” backlog item.
- The false sense of security about internal personnel – once all background checks are complete, an employee is trusted by default.
- Audit functions’ inherent blindness to flaws in internal business applications.
When all or most of the above circumstances co-exist, the organization is at serious risk of insider threat.
Now, don’t get me wrong – 99.99% of employees are good, trustworthy people, but you need only one with the right opportunity and malicious intent to make the headlines, and not the positive ones.
Ask yourselves – are we capable of detecting the 1 employee out of 10,000 who can cause serious damage? If the answer is no, you must take action as soon as possible, before you find your organization facing hard times because of one stupid rotten apple.
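As an added illustration of what detecting that one employee can look like in practice (example code written for this post, not from the original article or any product it mentions): a per-user baseline over constructed application access logs that flags a user whose record volume dwarfs that of peers. The log format, user names and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample: one day's record-access log from an internal CRM app.
# Most employees touch a few dozen customer records; one pulls far more.
SAMPLE_LOG = """\
2024-01-15T08:02:11 user=alice app=crm action=view_record count=1
2024-01-15T08:05:40 user=alice app=crm action=export_records count=35
2024-01-15T08:10:02 user=bob app=crm action=view_record count=1
2024-01-15T08:11:19 user=bob app=crm action=export_records count=42
2024-01-15T08:15:55 user=carol app=crm action=export_records count=28
2024-01-15T08:20:07 user=dave app=crm action=export_records count=500
2024-01-15T08:21:31 user=dave app=crm action=export_records count=500
2024-01-15T08:22:48 user=dave app=crm action=export_records count=500
2024-01-15T08:30:00 user=erin app=crm action=view_record count=1
2024-01-15T08:31:12 user=erin app=crm action=export_records count=30
"""

# Assumed log layout: "user=<name> ... count=<records touched>"
LINE_RE = re.compile(r"user=(?P<user>\S+).*?count=(?P<count>\d+)")


def records_per_user(log_text):
    """Sum the number of customer records each user touched."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without a record count are ignored
            totals[m.group("user")] += int(m.group("count"))
    return dict(totals)


def flag_bulk_access(totals, multiplier=5, floor=100):
    """Flag users whose record volume is far above their peers.

    A user is flagged when their total exceeds both `multiplier` times the
    median across all users and an absolute floor, so a small team with
    uniformly low activity does not raise alerts on noise.
    """
    if not totals:
        return {}
    median = statistics.median(totals.values())
    threshold = max(floor, multiplier * median)
    return {user: n for user, n in totals.items() if n > threshold}


if __name__ == "__main__":
    print(flag_bulk_access(records_per_user(SAMPLE_LOG)))  # {'dave': 1500}
```

The same aggregation runs unchanged over the application's own audit trail; what matters is that the volume is measured at the application layer, where a DLP or WAF that only sees individual requests has no view of the total.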