Insider threats have long been a concern for financial services companies and their databases. According to a recent news report, Morgan Stanley accused a recently promoted financial analyst of downloading 350,000 records from its wealth management client database and subsequently posting 900 of those records to an internet bulletin board, Pastebin, in exchange for an obscure internet currency. By all accounts, no credit card numbers or Social Security Numbers appear to have been exposed.
While the analyst denies having posted the records online, the incident raises questions about insider access to sensitive data and the quality of internal controls.
Organizations often put strong monitoring controls around databases containing very sensitive information, as determined by the company’s data classification policy. Many organizations permit data downloads based only on specific rules (e.g., allowing employees to download 1,000 files at a time before they are stopped). Savvy thieves can often get around this by repeatedly downloading 999 files. A better solution is to monitor the behavior of employees using security analytics software, much as credit card companies use analytics software to spot signs of fraud.
Financial institutions need to take great care when classifying data to make sure it properly reflects management’s true assessment of risk, since security architects often use this classification to determine how robust the controls protecting the data must be. User behavior should also be taken into account (along with access rules) when determining appropriate access restrictions. For instance, the behavior of users who repeatedly download files just under the maximum limit should be analyzed and taken into account when deciding whether or not to give them access to important customer data.
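The difference between a per-request cap and a behavioral rule is easiest to see on a download log. The script below is an added illustration, not code from the article or from Baker Tilly; the log lines, user names, the 1,000-record cap, the 24-hour window and the aggregate and repeat thresholds are all constructed assumptions. The static rule only catches the single oversized request, while the sliding-window rule flags the user who stays at 999 records per request but keeps coming back.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample download log (not from the article): timestamp, user, records returned.
SAMPLE_LOG = """\
2015-01-05T09:00:12 analyst1 999
2015-01-05T09:04:40 analyst1 999
2015-01-05T09:09:03 analyst1 999
2015-01-05T09:13:55 analyst1 999
2015-01-05T09:18:21 analyst1 999
2015-01-05T10:02:00 advisor7 120
2015-01-05T11:30:45 analyst1 999
2015-01-05T14:15:10 advisor7 2300
"""

PER_REQUEST_CAP = 1000        # the static rule: any single download of this many records is stopped
NEAR_CAP_FRACTION = 0.95      # assumed: requests at 95% of the cap or more count as "just under the limit"
WINDOW = timedelta(hours=24)  # assumed behavioral look-back window
AGGREGATE_CAP = 3000          # assumed: total records one user may pull inside the window
NEAR_CAP_REPEATS = 3          # assumed: this many near-cap requests in the window is suspicious


def parse_log(text):
    """Turn 'timestamp user count' lines into (datetime, user, int) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, count = line.split()
        events.append((datetime.fromisoformat(ts), user, int(count)))
    return events


def static_rule_violations(events):
    """The per-request threshold: flags only individual downloads that reach the cap."""
    return [(ts, user, n) for ts, user, n in events if n >= PER_REQUEST_CAP]


def behavioral_alerts(events):
    """Sliding-window analysis per user.

    Returns {user: sorted list of rule names} for users whose aggregate volume or
    pattern of near-cap requests inside WINDOW looks like threshold evasion.
    """
    alerts = defaultdict(set)
    history = defaultdict(list)
    for ts, user, n in sorted(events):
        history[user].append((ts, n))

    for user, hist in history.items():
        window = []
        for ts, n in hist:
            window.append((ts, n))
            # keep only events that fall inside the look-back window ending at this event
            window = [(t, c) for t, c in window if ts - t <= WINDOW]
            total = sum(c for _, c in window)
            near_cap = sum(
                1 for _, c in window
                if NEAR_CAP_FRACTION * PER_REQUEST_CAP <= c < PER_REQUEST_CAP
            )
            if total >= AGGREGATE_CAP:
                alerts[user].add("aggregate_volume")
            if near_cap >= NEAR_CAP_REPEATS:
                alerts[user].add("near_cap_repeats")
    return {user: sorted(rules) for user, rules in alerts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("static rule stops:", static_rule_violations(evs))
    print("behavioral alerts:", behavioral_alerts(evs))
```

On the sample log the static rule stops only advisor7's single 2,300-record request, while the behavioral rule flags analyst1 on both counts: six requests of 999 records sum to far more than the window's aggregate cap, and the repeated near-cap pattern is exactly the behavior the article says should feed access decisions. In a real deployment the thresholds would be tuned per data classification, and the alert would go to a review queue rather than silently blocking the user.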
Internal controls are an important piece of an organization’s overall risk management and should be carefully reviewed and updated.
For more information on this topic, or to learn how Baker Tilly financial services industry specialists can help, contact our team.