Traitors in our midst
As staff turnover rises and the pressure to perform increases, firms face the very real risk of good (or not so good) employees going bad. David Benyon looks at what firms can do to deter wrongdoing and protect their less tangible assets
Bolting your doors and scanning the skyline is not enough in operational risk management. Some of the worst risks are posed by what World War II-era public information posters would have termed 'The Enemy Within'. A firm's own employees can be a persistent and potentially cancerous internal source of risk. Data security breaches, unauthorised trades or internal frauds can cause the loss of sensitive information or just plain cash. And at the top of the spectrum, there are threats to the competitive fibre of the company, trade secrets and intellectual property.
The ongoing Manhattan court case between US bank Goldman Sachs and one of its former computer programmers, Sergey Aleynikov, illustrates the point. The bank accuses him of stealing its proprietary code - the trade secret on which he worked as a programmer - to sell on or use elsewhere for competitive advantage. The code, which the bank uses to make market-beating high-frequency trading decisions, was allegedly transferred by the US-based Russian émigré to a UK-registered website. Teza Technologies, the start-up firm Aleynikov subsequently joined, specialises in high-frequency trading. Teza was created by another Russian émigré, Mikhail Malyshev. He is in turn being sued by his former employer, Chicago-based hedge fund Citadel, for breaking a non-compete clause by setting up his new venture.
The case highlights levels of inherent risk within firms, says Brian Cleary, vice-president of products and marketing at governance solutions provider Aveksa. "It shines a light on the fact that protecting corporate IT in its several forms requires more stringent controls. In fact, some companies do a better job at controlling general user access than super-user access at higher levels. One thing firms are looking at is anomaly detection, or abnormal access. For instance, why would somebody be accessing the brokerage desk application at 2am on a weekend when markets are closed? That is a safeguard that organisations are looking to put into place."
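Cleary's 2am weekend scenario expressed as detection logic over audit-log lines. This is an added illustration, not code from Aveksa or the article; the application name, its trading window and the log lines are constructed assumptions.

```python
"""Flag access to a market-facing application outside its trading calendar.

Assumed log format (constructed): "<ISO timestamp> <user> <application> <action>".
The schedule below is an assumption for illustration, not a real venue's hours.
"""
from datetime import datetime, time

# Application -> (first weekday, last weekday, opens, closes); weekday 0 = Monday.
# Applications not listed here have no window and are never flagged.
TRADING_WINDOWS = {
    "brokerage-desk": (0, 4, time(6, 0), time(20, 0)),
}

# Constructed sample audit log: a Monday morning login, a Saturday 2am login,
# a Wednesday late-evening login, and a weekend login to an unrelated app.
SAMPLE_LOG = """\
2009-07-06T09:15:00 alice brokerage-desk login
2009-07-11T02:03:00 bob brokerage-desk login
2009-07-08T22:45:00 carol brokerage-desk login
2009-07-11T02:10:00 dave hr-portal login
"""


def parse_line(line):
    """Split one log line into (timestamp, user, application, action)."""
    ts, user, app, action = line.split()
    return datetime.fromisoformat(ts), user, app, action


def is_off_hours(ts, app):
    """True when ts falls outside the application's trading window."""
    window = TRADING_WINDOWS.get(app)
    if window is None:
        return False
    first_day, last_day, opens, closes = window
    if not first_day <= ts.weekday() <= last_day:
        return True          # weekend (or other non-trading day)
    return not opens <= ts.time() < closes   # before open or after close


def find_off_hours_access(log_text):
    """Return (user, application, timestamp) for each login outside its window."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = parse_line(line)
        if action == "login" and is_off_hours(ts, app):
            hits.append((user, app, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for user, app, ts in find_off_hours_access(SAMPLE_LOG):
        print(f"ALERT off-hours access: {user} -> {app} at {ts}")
```

A real deployment would read the schedule from a holiday calendar rather than a constant, but the decision logic is the same.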
Staff turnover has increased throughout the global economic downturn, and organisations are becoming more concerned about insider risks. "We've never seen workforce reductions on a scale this large," says Cleary. "Previous reductions have been in the order of 1%, 2% or perhaps even 5%, but we are seeing some organisations making job cuts in excess of 10%. We are talking about thousands and thousands of employees. Organisations need to ensure that all terminated employees' access has been revoked across all applications in the enterprise as soon as the reduction action is taken. Most organisations aren't set up for that level of automation."
The line is often blurred between the more straightforward types of data theft and the much less tangible regions of intellectual property theft. But is it possible to sufficiently divide intellectual property thefts from those of information assets? "Intellectual property normally relates to creations of the mind: inventions, artistic works and the like," says Ed Doyle, head of payment solutions at anti-fraud vendor Norkom. "These are protected through patents, trademarks and industrial designs. However bank data such as client data cannot be protected via these mechanisms. Bank data is very much bank property, and is protected through various means such as confidentiality clauses in employment contracts and data protection law. Furthermore, the removal of bank data outside of one's legitimate work is theft, so the law related to larceny applies. Were this data to be used for illegal purposes, laws related to fraud or other committed crime would also apply."
Different rules also tend to apply in terms of bank policy and regulatory compliance. "In rare cases banks might use intellectual property protection such as trademarks and service marks, but where used these mechanisms are typically for service differentiation versus competition," says Doyle. "These are governed by international law such as the Madrid and Vienna agreements. Protection of information assets is much more 'front of mind' and internally focused. It covers both the physical and non-physical assets such as client data. The applicable law in this area spans employment, data protection, larceny and fraud. In addition to standards of protection, policy will also define the appropriate responses and actions within an institution in the event of an information compromise."
Need to know
Some measures taken to limit employee information sharing and personal communications could be seen as draconian. The thwarted attempts by the Iranian government recently to block restive citizens from the diversions of the internet - email, instant messaging, and social networking sites such as Facebook and Twitter - provided a demonstration of how people usually find a way around authority's attempts to block communications. Businesses lack the power or means to implement such Orwellian attempts to stymie information sharing. In the case of Deutsche Bank, accused in recent months of spying on some of its own corporate citizens, the legal, compliance and reputational risk consequences are ongoing. Nevertheless, employers can tighten up access to personal email addresses and monitor the flow of sensitive data and correspondence between the internal network - whether it is accessed on or off site - and the outside world.
Systemic tools can be used to keep tabs on the sort of data movement that has got Goldman Sachs all worked up. "There is a balance between creating a locked-down environment and being too laissez-faire, but the more access is granted, the more monitoring you should have in place," says Eric Holmquist, president of Holmquist Advisory and former head of op risk at Advanta Bank. "The reality is that for a long time the industry has been relaxed and a little bit sloppy. From a practical perspective, if you can have a tool to monitor who is moving data and to where, there is tremendous value. If through monitoring your firewall you see large data streams being sent from somebody's email, then somebody needs to be looking at that and asking what are they sending. Monitoring file size and file content are obvious ways of screening data movements, as well as scanning for key words and phrases. I think all personal emails should be blocked from within the company environment. There is rarely a reason people should be accessing personal email sites, USB or instant messaging from their work login."
The logical conclusion of such an exercise is for employees to be treated on what spy movies call a need-to-know basis or, if you prefer a more industry friendly, post-Cold War definition, given least-privilege access. That means determining the absolute minimum access a member of staff requires to do their job effectively, then installing an access risk control framework to switch the rigour of controls depending on the user. "If we know their role is that of a system administrator or database administrator then you are going to want to put rigorous controls in place regarding that person's access, because they have the highest level of privileges within the application," says Cleary at Aveksa.
Controls for managing departing employees are equally, if not more, vital. In the case of a disgruntled employee, mindful of imminent redundancy, it would be naive to wait until that process was under way before revoking access to privileged information. "In assessing employees you are looking at the processes and procedures to get a picture of a specific job in the context of the company as a whole," says Mary Clarke, chief executive at e-learning consultancy Cognisco. "You can identify which individuals are more likely to be moving on, whether through the company taking that decision or the employee, and we work with clients to ensure the data is assured throughout that process."
Different employees in different functions and roles within an organisation require differing levels and areas of access to do their jobs. A good system for monitoring anomalies in their behaviour should be triggered by a range of different stimuli, depending on the employee and the role in question. "We call that a 'roles-based' approach to governing user access," says Cleary. "A lot of companies don't manage access using this type of application. They don't have a paradigm for enabling the business to understand what access is appropriate for individuals' functional or job roles, because an employee can have more than one role within an organisation. That is why firms become confused and end up providing more access to critical information, resources and data than they need to."
Any framework for control must also keep track of risks posed by an employee's blossoming career across the enterprise. The risk of employees causing losses - whether intentionally or unintentionally - through bypassing proper processes is exacerbated as their career path provides experience of a range of different roles. A competent system for controlling access should never leave an employee with access to areas of a system or network used in their old role but irrelevant to their new one - a lesson that Barings and more recently Société Générale learned the hard way.
Of course there are limitations to what technology can offer in the defence of a company's sensitive data. Those limits narrow further the less tangible the data is. The higher up the spectrum, from physical assets and archives, via electronically stored data, to intangible intellectual property, the less complete the security afforded by systems and controls.
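A roles-based reconciliation of the kind Cleary describes, covering three of the checks raised above: access left behind from a previous role, access still held by terminated staff, and administrator privileges singled out for closer review. This is an added example, not Aveksa's or the article's code; every role, entitlement and employee identifier is a constructed placeholder.

```python
"""Compare granted entitlements against what each employee's current roles justify.

Inputs are constructed placeholders: a role model, an HR view of each employee
(status and current roles) and the entitlements actually present in applications.
"""

# Role -> entitlements that role justifies (constructed)
ROLE_ENTITLEMENTS = {
    "trader":      {"trading-app:trade", "trading-app:view-book"},
    "back-office": {"settlement:settle", "trading-app:view-book"},
    "dba":         {"trading-db:admin"},
}

# Entitlements treated as privileged: reported for review even when a role justifies them
PRIVILEGED = {"trading-db:admin"}

# Employee -> (HR status, current roles). u1001 moved from back-office to trader.
EMPLOYEES = {
    "u1001": ("active", {"trader"}),
    "u1002": ("active", {"dba"}),
    "u1003": ("terminated", set()),
    "u1004": ("active", {"back-office"}),
}

# Employee -> entitlements actually granted in the applications (constructed)
GRANTED = {
    "u1001": {"trading-app:trade", "trading-app:view-book", "settlement:settle"},
    "u1002": {"trading-db:admin"},
    "u1003": {"trading-app:view-book"},
    "u1004": {"settlement:settle", "trading-app:view-book"},
}


def justified_entitlements(roles):
    """Union of the entitlements every current role justifies."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def reconcile(employees, granted):
    """Return sorted (employee, finding, entitlement) tuples.

    terminated-still-has-access: any entitlement held by a leaver must be revoked.
    unjustified-access: held but not justified by a current role (e.g. an old role's access).
    privileged-review: justified, but privileged enough to warrant explicit sign-off.
    """
    findings = []
    for emp, (status, roles) in employees.items():
        held = granted.get(emp, set())
        if status == "terminated":
            findings.extend((emp, "terminated-still-has-access", e) for e in held)
            continue
        allowed = justified_entitlements(roles)
        findings.extend((emp, "unjustified-access", e) for e in held - allowed)
        findings.extend((emp, "privileged-review", e) for e in held & PRIVILEGED)
    return sorted(findings)


if __name__ == "__main__":
    for emp, kind, ent in reconcile(EMPLOYEES, GRANTED):
        print(f"{emp}: {kind}: {ent}")
```

Run against a real identity store this becomes the revocation list for a headcount reduction and the stale-access report for role changes.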
Big brother is watching you
Even when he isn't. "Deterrence is the art of producing in the mind of the enemy the fear to attack," according to Doctor Strangelove. It doesn't need to be a rational fear, based on a state-of-the-art monitoring framework. Employees can be dissuaded from cheating their firm by more Machiavellian methods. They can be told, retold, trained and tutored that theft from the firm - anything from intellectual property to pencil sharpeners - will result in dire consequences. "In my opinion, there is no fixed process of rules that can protect against the risk posed by employees," says Mukesh Vijay, operational risk manager at ICICI bank in Canada. "The employee's motivation towards his job is the most important factor to protect against any employee risk. Regular training, awareness, incentives and more responsiveness motivate an individual to focus on the job responsibility."
Holmquist goes further. "It cannot be approached as a technology issue," he says. "If somebody is really intent on stealing data, the dark secret is that they are going to do it. That's why the cultural part - the training, awareness, visibility - is so critical, because that is where you are going to build up more of an effective deterrent. Criminals always go to the point of entry with least resistance, so if you build up visible protection and deterrence, they will think the firm is really scrutinising them and think twice before trying to take anything."
Maintaining the visibility of this deterrent is also essential. A confidentiality agreement, or relevant clause of an employment contract upon joining the company, while useful, only counts as one warning. Although in itself it provides a surer foundation for a later lawsuit, it should be followed up with reminders and training to ram the message home. "No robber would choose to steal from a lit house over a darkened house," says Holmquist. "Your goal should be to light your house up so brightly that nobody would dare try anything funny."
For the purpose of deterrent by training, employees can be roughly split into three groups: the good, the potentially bad, and the downright ugly. The first tranche, while they would not commit theft themselves, can serve as police deputies and advocates for the programme, providing continued vigilance and visibility once the training is over. In the same way that many operational risk managers have for years preached about the value of turning every branch manager, cashier and clerk across the business into an op risk manager, so these employees will provide extra sets of eyes and ears ready to inform on the suspicious behaviour of those colleagues that consider themselves either wronged or above the law.
"Neither of these types of individuals will comply with any campaign as they won't believe it applies to them, or just don't care," says Tim McCain, an independent compliance and security consultant. "Therefore, it might help if those in close proximity to the high-risk individuals were trained in identifying such behaviour, or changes in behaviour that might represent the beginning of such self-serving, risky behaviour."
The potentially bad employee is more marginal. "They are generally good people, but given the right price they might think about it," says Holmquist. "There, the purpose of training is to push them back into the light. It is to let them know that you are watching them, and if they are doing something wrong you will prosecute them. That is why training is the cheapest control you have. Lastly, the third group is effectively the 'dark side', people who are bad, and who if given the chance will steal data. The training should not be designed to miraculously turn them into good guys, but for recourse. It is so that, if or when they do decide to steal information, you have the ability to prosecute them."
It would be a mistake to try to run before mastering walking. Many firms have yet to re-evaluate their employment contracts and legal risk should an intellectual property or other hard-to-prove information security breach take place. "Many IT professionals walk away with trade secrets that aren't always kept secret," says Clarke at Cognisco. "One in four employees admits to verbally sharing sensitive corporate information. We have quite a number of clients who are now working to assess the risk surrounding information losses."
While the US has long had a trigger-happy legal culture awash with lawsuits, in the UK it is still tough for employers to make a successful intellectual property case. Even non-compete clauses within contracts tend to be limited to six months for all but the top employees. The courts have tended to sympathise more with allowing a discharged employee to continue their career, rather than defending a client list for their former employer. Trade secrets are the most common claim, suggesting an employee has had knowledge of trade secrets and sold them on. The courts have been restrictive in the interpretation of intellectual property, putting the onus on the employer to demonstrate a theft has taken place.
While an employee is under contract, all the relevant intellectual property belongs to the employer by default. In spite of this, many firms handicap themselves unnecessarily. "Quite a lot of organisations do not specify that a piece of information is confidential and must not be disclosed," says James Clarke, a partner at law firm European Legal Solutions. "It is only recently that we are seeing confidentiality clauses being put into contracts for employees at much lower rungs up the corporate ladder. Previously, only executives and other higher-tier management were subject to such clauses. Firms have realised that breaches to their trade secrets represent a more common risk than they'd previously thought. They have spent a lot of money building up their firms, so they do not want to discover that they have lost it all and have no way of enforcement to recover damages. If it is written in black and white in a contract then it can be easy to bring about damages, but if it does not exist on paper then it is generally far harder."
Marshalling the right skill set to address the problem is something firms have struggled to do. The variety of information or other intellectual property at risk requires an information security officer in a position to harness not just IT resources, but legal, audit, compliance, operations and data analytics, while also having the ear of senior management. "It is crucial to have a risk-based approach to information security," says Holmquist. "That means looking at information security with an operational risk manager's perspective. Often the person in charge of the programme is somebody from the IT department. That is one of the worst mistakes a company can make. There have been far too many cases of people from IT delegated to the role and they spend their days desperately trying to get people's attention, but are dismissed and told to go away. The industry has been too lax, and that has to change."
Copyright Infopro Digital Limited. All rights reserved.