Actu
Varonis says UBS rogue trader fiasco is a classic ‘exceeding of authority’ case
September 2011 by Varonis
As reports that Swiss international banking giant UBS has been hit by a two billion dollar loss caused by the actions of an apparent rogue trader, data governance specialist Varonis Systems says that the fraud appears to be a classic case of an employee – in this case dramatically – exceeding his authority.
David Gibson, director of technical marketing and strategic accounts with the the provider of comprehensive data governance software, said that staff who exceed their authority often cause problems for their employers, partners, and customers of the business concerned.
“And then there are situations where the member of staff ends up noticeably costing the company money through his or her effectively unauthorised actions, but the bad news is that many breaches of authorisation are never even recorded. This case is interesting on several fronts, not least because of the amount of money he has lost the bank, but also because of the lessons it teaches us on the security authorisation front,” he said.
“While smaller breaches and abuses of authority occur in most organisations at least some of the time, they - and the larger ones too - can now be largely controlled by automated IT systems that manage employees and their authorisations, as well as monitor the use of systems for unusual or unauthorised patterns of usage, and then trigger the appropriate alarms when normal usage turns to abuse,” he added.
Gibson went on to say that these are the types of protection that an automated data governance platform can provide.
Automated data governance systems, the Varonis director of technical services explained, not only monitor and refine control of the IT-enabled actions of staff, but also look for any unusual or unauthorised patterns of behaviour when it comes to handling the organisation’s data.
If, for example, the sales director – on the eve of going on holiday – suddenly starts downloading the company sales database to his local workstation, and then on to a high capacity USB stick, MP3 music player or the like, then alarm bells really need to start ringing, he says.
Those same alarm bells should also start ringing if a member of the accounts department, for example, accesses the sales projections and new business data files when they have never looked at those files ever before.
A good data governance system, says Gibson, will detect these types of actions and refer them to a supervisor or other appropriate member of staff. They may be entirely innocent actions, but it is better to check and allow an action to proceed, than to allow apparently unauthorised IT transactions to take place on an uncontrolled basis.
With an effective data governance system in place, he adds, then appropriate alarm bells about apparent rogue trader might have started ringing some time – and several hundred million dollars - ago. Many organisations are only now becoming aware of how good data governance solutions can spot who is doing what with the company’s data, as well as when and where,” he said.
“Unfortunately for IT security professionals and their audit and governance colleagues, the message about how data governance can defend against all manner of security problems and frauds - even those that occur as the result of a misguided member of staff - is only just starting to get through
