UBS Rogue Trader Underscores Insider Threats Facing Enterprises

The arrest of a rogue stock trader  at UBS, one of the world’s largest and most recognized banks, should serve as a wake-up call to all enterprises that many security threats actually come from inside their organization rather than from outside, according to several security experts.

London police arrested a rogue trader with the Swiss bank Sept. 15. In a terse four-line statement, UBS said the trader is suspected of causing an estimated $2 billion loss due to unauthorized trades. While UBS has not named the trader, the Financial Times identified him as Kweku Adoboli, a director in European equity trading for the Zurich-based bank.

"The matter is still being investigated, but UBS's current estimate of the loss on the trades is in the range of USD 2 billion," UBS said in the statement. No client positions appear to have been affected.

The bank was working to "get to the bottom of the matter as quickly as possible, and would spare no effort to establish exactly what has happened," UBS CEO Oswald Grübel wrote in an internal memo to staff, a copy of which was obtained by The Washington Post.

The UBS incident echoes what cyber-security experts have been saying for a while now: insiders are among the biggest threats facing organizations.

The "continued stress" of the current economic situation is "exacerbating" the potential for insider threats, Gregory Shannon, chief scientist at CERT, a federally funded research center at Carnegie Mellon University's Software Engineering Institute, testified at a House Financial Services Financial Institutions and Consumer Credit subcommittee hearing on Sept. 14.

The Department of Homeland Security even warned organizations in a security advisory earlier this month that Anonymous may try to subvert "ideologically dissatisfied, sympathetic employees" to the group's cause. The collective recently took to Twitter to persuade employees to hand over information and access to enterprise networks, according to the Sept. 2 security advisory.

Damages inflicted on financial firms by managers, sales staff and other non-technical personnel averaged about $800,000 per organizations, according to figures collected by Carnegie Mellon's CERT Program.

Organizations are "building walls" around the networks to keep malicious perpetrators out, but having difficulty defending against "potential menaces that are already on the inside of the fence," Shannon said. Nearly half of all inside attackers at financial services firms conspired with outsiders, and a third worked with colleagues to commit cyber-crimes, according to Shannon. Employees have also stolen intellectual property and sabotaged systems.

"The single takeaway from this news is a reminder that systems access, while being essential, needs to follow a 'less is more' policy," Brian Anderson, chief marketing officer at BeyondTrust, told eWEEK. "Protecting the enterprise from those with the motive and privilege isn't just a function of mission-critical servers--it should be incorporated in everything you do.”

The potential for fraud depends on the amount of trust the employee has, John Rostern, managing director at Coalfire, told attendees at InfraGard Cyber-Defense Summit in New York City Sept. 14. The riskiest people are often high-level employees, those with "extraordinary access to assets," Rostern said. Organizations have to recognize the riskiest people in the organization and monitor activity, such as performing regular background checks and ensuring they are not abusing their access-level rights, he added.

"Trust but verify," Rostern said, quoting the phrase made famous by former president Ronald Reagan.

"Individuals with direct access to core processing centers may be in a position to steal intellectual property, insider information or data that can damage the reputation of the company," Gordon Snow, assistant director at the Federal Bureau of Investigation, testified at the same hearing. Theft of intellectual property can cost businesses millions of dollars, as competitors can develop the product and reach the market first, or leak information about the company's business and financial plans to rivals, Snow said.