Insider Threats: Lessons Not Learned
In 1995, the second oldest bank in the world at that time, Barings, collapsed as a result of losses totaling $1.3 billion. Prior to its downfall, Barings had played a very prominent role throughout history, sometimes for and against the interests of its own home country. Despite being a British bank, it financed the Louisiana Purchase for the United States in 1803. The massive land deal between the enemies of their nation, Napoleon and the U.S., doubled the size of the former British colonies. When the U.S. went to war against Great Britain in 1812, Barings again provided the financing for the young nation, all while it was said to be the personal bank of the British royal family. For hundreds of years, Barings financed corporations, governments, monarchies, as well as wars. Its name was synonymous with global power and wealth.
That long history came to a very abrupt end on February 26, 1995 when the bank become insolvent (bankrupt) after declaring losses totaling $1.3 billion. The losses were the result of the actions of a single employee, Nick Leeson. Up until the previous business day, the bank believed they were very profitable.
In the nearly two and half decades since the collapse of Barings, the technology of information security has grown tremendously. The capacity and capability for technological oversight and security has never been greater, including behavioral analytics, biometrics, facial recognition, multi-factor authentication, firewalls, data loss prevention solutions, log collection, spyware, to name a few. Seemingly endless are the tools and power of surveillance and prevention. Unprecedented in human history is the seeming complete visibility of people, activities and processes in the workplace. Personal privacy is now under assault, even in our homes. Technological advancement is continually propelling humanity forward, but also providing the means to monitor, detect, and prevent all manners of actions.
In 2019, most organizations are concerning themselves with cyber defenses to prevent attacks from enemy nation states, criminal organizations and online activists focused on the destruction of their target. There are endless stories in the media about breaches, phishing attacks and ransomware. Billions of dollars are being spent to defend against these cyber threats. Despite all the interest and effort to defend against these threats, the most likely threat to any organization still often goes overlooked. The insider threat, the attack from within an organization, remains the most common point of attack. Insider-based attacks can be the result of malice, incompetence, opportunity, or chance.
Barings’ centuries of prominence and success came to end when Leeson, a derivatives trader in Singapore, hid massive losses caused by his unauthorized and fraudulent trading. Not only were his trades not sanctioned by his employer, but more importantly the fraud wasn’t detected for years. There were no internal controls and no separation of responsibilities. In the Singapore office, Leeson was the trading manager as well as the settlement manager – the person responsible for the maintaining and overseeing the accurate accounting of the trading operation. He used the bank’s own money to make unauthorized trades which continually generated significant losses. Leeson was able to hide the losses as well as declare remarkable profits. The bank’s oversight and controls were not only unable to prevent him from using the bank’s money to make the deceitful trades, but also unable to detect that his reported profits were fictitious. Multiple audits conducted by internal and external examiners failed to uncover his malfeasance for years.
Since the collapse of Barings, there appear to be no lessons learned when it comes to insider threats and rogue employees like Leeson. These bad actors and failures of oversight have continued unabated and increased in the past 23 years. Jerome Kerviel, a rogue employee at Société Générale conducted fraudulent trades that lost $7 billion for the French bank in 2008. Yet another rogue trader, Kweku Adoboli in 2011, lost $2 billion for UBS Bank in London. Not to be outdone in the United States, Army soldier and intelligence analyst Bradley Manning took 500,000 documents from classified systems, and Edward Snowden walked out of the National Security Agency in 2013 with 1.5 million files. Even more recent insider breaches including IBM and their employee, Jiaqiang Xu, who stole proprietary source code. Waymo and Uber were entangled in employee theft of intellectual property in the form of 9.7 GBs of data about self-driving cars.
Snowden and Leeson were not caught because of an audit or an information security tool, but rather because they fled the country in an effort to preempt discovery and prevent capture. Leeson was later apprehended and sentenced to prison, unlike Snowden who is still a resident of Russia. Manning was turned into authorities by a grey hat hacker. Uber settled with Waymo’s parent company Alphabet by giving a .34 percent stake in its business (worth $245 million at the time) in 2018, years after the Internet giant failed to initially detect the loss of the information.
Nick Leeson wasn’t the first internal bad actor nor has he been the last despite the increases in oversight capability provided by enormous developments in technology, but also presumably the changes in processes, management and compliance in the wake of these prior events when the phrase “never again” is often heard. Human error, poor judgement and management, insufficient deployment of the technology and lack of visibility are still the reasons why insider threats continue to plague almost all corporate organizations. Information security is about people, process and technology. These examples of insider deception demonstrate that all three components can break down. Insiders continue to subvert controls, audits and policies. History shows it is only a matter of time before the next massive insider attack occurs.
Does your organization need assistance in preventing and detecting insider threats? Contact us to learn how Castle Ventures can help secure your organization.