Rogue e-mail makes Swiss bank lose millions?

Reports that a rogue e-mail generated by a Swiss bank employee has cost the organization around £6.2 million in lost business highlight the problem of data leakage caused by e-mail errors, says Lieberman Software.

According to Philip Lieberman, the firm’s president, anecdotal evidence in the IT security industry suggests that between 50 and 60 per cent of accidental data leaks originate from incorrectly addressed e-mails and their attachments.

“Whilst human errors can and do occur in any major organization, a good security policy enforcement system should be capable of intercepting any unusual or non-standard messages, and temporarily quarantining the message until an IT security official can review the data,” he said.

“Unknown to many people, similar temporary quarantines take place in the banking industry, largely as a means of complying with money laundering regulations. If £50K were suddenly to arrive in the bank account of ‘Joe Average’, the bank’s compliance people would almost certainly take a look at the transaction before either asking for more information or releasing the money for the credit of the beneficiary,” he added.

Similar best practice rules should also be applied to corporate email, says the Lieberman Software president, who adds that, as well as helping to prevent embarrassment, such protective measures will also serve to meet the rising tide of corporate governance rules.

These rules mean that organizations must not only defend their digital data assets, but must also be seen to be doing so, and be capable of proving that they have done so, as and when required.

Put simply, this comes down to having audit logs available for all IP traffic on the company network, including details of the e-mails processed on the firm’s IT platform.

Unfortunately for corporates, he says, many employees interpret e-mail security measures applied to their company messages as a form of electronic snooping, when in fact the technology exists to defend the company’s interests and to protect staff from making catastrophic mistakes, such as the alleged Swiss bank incident.

“In the case of UBS, the use of an e-mail security enforcement platform would have cost a relatively small amount of money – which could have been offset over a lengthy period of time – and would almost certainly have helped to prevent the leakage of the client’s listing price, which was accidentally sent to more than 100 high-ranking individuals,” he said.

“I’d also suggest a Data Loss Prevention solution (properly configured) might have caught this. When handling these types of sensitive deals, DLP and overall strong IT security are a ‘really good idea’. Unfortunately, the investment in information security (staff and technology) takes away from those handsome bonuses at the end of the day for equity bankers.”
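The quarantine-until-reviewed gateway described in the first quote and the properly configured DLP rule in the last one amount to the same check on outbound mail: look at who a message is going to and what it carries, hold anything unusual, and record the decision so it can later be proven. The following Python is an added example written for this page, not code from the article or from Lieberman Software; the internal domain, the recipient threshold, the content patterns and the sample messages are all constructed placeholders, and a real gateway would take its recipient list from the SMTP envelope rather than from headers.

```python
# Outbound e-mail policy gateway: hold unusual or sensitive messages for review.
# Added example, not code from the article or from Lieberman Software. Domains,
# thresholds, patterns and sample messages are hypothetical.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Hypothetical policy values; a real deployment tunes these per business unit.
INTERNAL_DOMAINS = {"bank.example"}
MAX_EXTERNAL_RECIPIENTS = 10
SENSITIVE_PATTERNS = [
    re.compile(r"\b(?:listing|offer|issue)\s+price\b", re.I),
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"(?:CHF|EUR|USD|GBP|£|€|\$)\s?\d{1,3}(?:,\d{3})+"),  # large amounts
]

@dataclass
class Verdict:
    action: str                       # "deliver" or "quarantine"
    reasons: list[str] = field(default_factory=list)

def recipients(msg: Message, envelope: list[str] | None = None) -> list[str]:
    """Prefer SMTP envelope recipients (RCPT TO); header addresses miss Bcc."""
    if envelope is not None:
        return [a.lower() for a in envelope]
    addrs: list[str] = []
    for hdr in ("To", "Cc", "Bcc"):
        addrs.extend(a.lower() for _, a in getaddresses(msg.get_all(hdr, [])) if a)
    return addrs

def is_external(addr: str) -> bool:
    return addr.rpartition("@")[2] not in INTERNAL_DOMAINS

def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts; attachments are ignored in this example."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def evaluate(raw: str, envelope: list[str] | None = None) -> Verdict:
    """Decide whether a raw RFC 5322 message may leave the organization."""
    msg = message_from_string(raw)
    reasons: list[str] = []
    external = [a for a in recipients(msg, envelope) if is_external(a)]
    if len(external) > MAX_EXTERNAL_RECIPIENTS:      # unusual fan-out
        reasons.append(f"{len(external)} external recipients (limit {MAX_EXTERNAL_RECIPIENTS})")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    for pat in SENSITIVE_PATTERNS:                   # deal-sensitive content
        hit = pat.search(text)
        if hit:
            reasons.append(f"sensitive marker {hit.group(0)!r}")
    return Verdict("quarantine" if reasons else "deliver", reasons)

class Gateway:
    """Holds quarantined messages and keeps the audit trail compliance asks for."""

    def __init__(self) -> None:
        self.held: dict[str, str] = {}
        self.audit: list[dict] = []

    def submit(self, msg_id: str, raw: str, envelope: list[str] | None = None) -> Verdict:
        v = evaluate(raw, envelope)
        if v.action == "quarantine":
            self.held[msg_id] = raw
        self.audit.append({"id": msg_id, "action": v.action, "reasons": v.reasons})
        return v

    def release(self, msg_id: str, reviewer: str) -> str:
        raw = self.held.pop(msg_id)          # KeyError if nothing is held under that id
        self.audit.append({"id": msg_id, "action": "released", "by": reviewer})
        return raw

# Constructed sample messages (not real traffic).
SAMPLE_ROUTINE = (
    "From: analyst@bank.example\n"
    "To: counterpart@client.example\n"
    "Cc: team@bank.example\n"
    "Subject: Call on Thursday\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Can we move the call to 14:00? Agenda unchanged.\n"
)
SAMPLE_DEAL = (
    "From: analyst@bank.example\n"
    "To: " + ", ".join(f"investor{i}@fund{i % 7}.example" for i in range(120)) + "\n"
    "Subject: Draft terms\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Indicative listing price CHF 1,250,000 per block. Confidential until announcement.\n"
)
```

Submitting `SAMPLE_ROUTINE` through `Gateway.submit` returns `deliver` with no reasons, while `SAMPLE_DEAL` is held with four reasons (120 external recipients plus three content markers) until `release` is called, and both decisions land in `Gateway.audit`. Header-based recipient counting is the weak spot: Bcc is stripped before delivery and a sender can bypass To/Cc entirely, so the `envelope` parameter is where a production gateway should feed the SMTP RCPT TO list.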

“Our researchers are increasingly finding that humans are the weakest link in the modern security chain. Preventing one incident like this in a corporate’s lifetime can save a lot more than the capex and opex costs of employing good enforcement security technology,” he added.

It is time for businesses – especially those in the financial services sector – to wake up to the compliance issues surrounding email usage in the workplace. This needs to happen as soon as possible, if we are to avoid a recurrence of this unfortunate Swiss bank situation.
