The insider threat: see something, say something

By Martin Smith


The consequences of an organisation falling victim to rogue insider behaviour were seen in no uncertain terms earlier this year, when news broke that Swiss banking giant UBS had uncovered unauthorised trading by a member of staff, producing losses – at the time of going to press – of some $2.3bn (£1.5bn). UBS was quick to assure its customers that “no client positions were affected” but confidence in the bank’s reputation was clearly harmed, judging by the immediate 7% fall in its shares.


The accused, 31 year-old Kweku Adoboli, is said to have conducted legitimate transactions which exposed UBS to various stock market indexes. The bank claims he entered ‘fictitious’ hedges against these positions into UBS's risk management system, when he actually had no hedge in place and was infringing the risk limits set upon him.


This is not the first incidence of large losses attributed to employee fraud. Who could forget the downfall of Barings in 1995 after rogue trader Nick Leeson lost more than £800m whilst working as chief trader for Barings Futures in Singapore? This was a financial institution that had counted Queen Elizabeth as one of its clients in an age before technological advances such as smartphones or social networking. Then in January 2008 the French bank Société Générale revealed that trader Jérôme Kerviel had lost £7bn. Kerviel was also 31 years old when he was arrested and both men worked on trading desks known as delta-one, a supposedly low-risk area.


Economic conditions

The consequences for Société Générale were surprisingly small. The discovery of Kerviel’s losses coincided with the banking crisis which kick-started the recession we are still in today, and so in fact had little impact on the market. But the global economy continues to suffer, and that has triggered a rise in living costs, high levels of debt and the worry of job losses. As a result, employee fraud is more prominent than ever. Interestingly, UBS announced that it was to cut 3,500 jobs in the month before Adoboli’s arrest. Add to this the anger felt by those employees affected by redundancies and there is an inevitable loss of the sense of loyalty and conscience that might otherwise prevent such fraudulent activity.


Advances in technology cannot be overlooked in terms of their contribution to today’s insider threat. Consider, for example, the recent report by Information Week on the case of Japanese pharmaceutical company Shionogi’s U.S. subsidiary. The company hired contractor Jason Cornish, who had previously resigned after a dispute with management. When his contract was terminated, he visited a branch of McDonalds where he logged into Shionogi's network via the public Wi-Fi. Once inside, he started up a management console that he’d previously deployed on the network. Cornish subsequently eliminated 88 servers, including email and BlackBerry, from the VMware host systems.


Social networks

The question has to be asked how these and similar incidents went unnoticed before reaching the point of disaster. Surely company managers, colleagues, or even friends or family would have noticed something was amiss. In Leeson’s case, losses were hidden away in a secret account to prevent their discovery, whereas Adoboli had not even made an effort to cover up his activities, as the 420-strong list of friends he accumulated on the social network Facebook can pay testament to.


Despite being able to follow Adoboli’s status updates, the colleagues and friends on his list seemed not to have recognised that here was a man under increasing pressure, possibly even crying out for help. The last post he made dated September 6th said simply: “Need a miracle”. This was not the first time Adoboli had openly shared his feelings on the social networking site. According to the Financial Times he updated his status on 31st July to read: “Will they? Won’t they? Reduced to watching Fox News for guidance, it’s a grim affair.” Then, when the market fell steeply a short time later, he posted: “Can we shut down global markets for a week so everyone can just chill out?”


Many of his online contacts appeared genuinely concerned after news broke of his arrest, leaving messages of support on his Facebook wall before his account was shut down. But this concern, of course, was too late. We are all using and becoming increasingly educated in protecting ourselves and our information on social networking sites. We must remember that they could also be used to help us look after our friends and colleagues; we should be alert to and recognise the signs indicating that something might be wrong with someone we network with.


Recognise and report

In terms of non-virtual contacts, the issue remains that Adoboli, Leeson and Kerviel’s co-workers and bosses seemingly failed to recognise that there was a problem and to step in to prevent the losses incurred as a consequence. Of course, nobody wants to believe their friends, employees or colleagues could be defrauding them so it is easy to see how such a situation could occur in any business. It is also too easy to blame the headline organisations – we are all vulnerable to the insider threat. This is clearly a problem that exists, which is growing, and which we must address:


* Employment recruitment checks are often performed as a first step in preventing fraud, but it is vital that each employee is then adequately supervised and monitored throughout his or her career. Our circumstances constantly change: our overheads increase as we marry and have a family, we may fall into debt or succumb to alcohol, or become embroiled in romantic complications. The trick is not only to recruit honest people and keep dishonest people away; we must also keep those honest people honest, and identify and deal with those who subsequently become a danger to our organisations.


* A positive and enthusiastic attitude towards security and fraud prevention must be established and maintained within our organisations. Security awareness and behavioural change is not easy to implement but the rewards are immediate and immense. Pound for pound, a good security awareness programme will do more to improve security and reduce theft than technical solutions can ever hope to do in isolation.


* Any security incidents, breaches, frauds or suspicions must be reported as quickly as possible. With an effective awareness campaign in place, our workforce becomes our police force. Colleagues who work together on a daily basis are ideally placed to recognise and report unusual activity or changes in behaviour. Of course it is important to communicate this message to employees with the necessary sensitivity; however, the vast majority of us are honest and responsible and understand the need to eradicate fraud from the workplace. Most of us follow the rules, and object when others flout them. Most of us will be happy to report our suspicions, but we must be given an easy-to-use and easy-to-access mechanism to do so.


* Urge employees to pay attention to what is known as their ‘critical factor’ – this is the psychologist’s term for the part of the brain which questions unusual information or circumstances. This subconsciously enables them to recognise strange behaviour in their colleagues, and subsequently inform the relevant people. Even the smallest detail could help build up a picture of crime trends and point security resources in the right direction.


The best advice to every employee is “if you see something, say something”, whether in the office or online. It could prevent a colleague from getting into even deeper difficulties. It could also avoid the kind of revenue loss or damage to reputation that ensured the sale of Barings, the UK’s oldest merchant bank, for the paltry sum of £1 and the associated damage to the careers and incomes of the many honest, innocent employees drawn into the debacle through no fault of their own.


About the author: Martin Smith MBE is the founder and CEO of The Security Company, one of the world’s leading security awareness companies. He also heads the Security Awareness Special Interest Group (

