The Insider Risk
In January Morgan Stanley caught one of its financial advisors, Galen Marsh, after he stole data on 350,000 clients and someone posted part of it on the Internet.
This month a JPMorgan employee, Peter Persaud, was arrested for selling customer data to an undercover FBI snitch.
While both of these people were in the financial services world, insiders taking information is certainly not limited to that industry.
We hear stories all the time of sales people taking their Rolodex with them when they leave a company.
We hear stories of tech people taking code with them and to a lesser extent, taking customer lists.
The scary question is the part that we do not hear about.
In the case of Marsh (see WSJ article), he admitted to taking the data. He did, however, claim that he did not post it online (where it was found), nor did he try to sell it. The information which did appear on the Internet included names, account numbers, state of residence and asset values. These were all high net worth clients, with balances in the hundreds of thousands to millions of dollars. He had been an employee since 2008.
In the other case, Persaud was paid $2,500 by an FBI snitch in exchange for information on an account with a $19,000 balance. The snitch was supposed to pay him an additional $7,500 after he emptied the bank account. He also tried to sell information on 4 other accounts with a combined balance of $150,000 (see Bloomberg article).
For every story that we hear about, where someone is discovered, arrested and prosecuted, there are thousands that we don’t know about. In some cases, companies find out about it but choose not to prosecute because they do not want customers or investors to find out that the data that they entrusted the company with is not safe. Not to pick on law firms, but they are a hot target, and there are few circumstances that require them to disclose breaches to their clients unless it contains health or credit information.
The questions to ask yourself are these:
IF ONE OF MY EMPLOYEES WALKED OUT THE DOOR WITH MY CUSTOMER LIST, SALES DATA, TECHNICAL INFORMATION OR INVESTOR INFORMATION, WOULD I KNOW THAT THEY DID?
IF THEY SOLD IT ON THE DARK WEB, WOULD I KNOW?
For most companies, the answer is no. Chase spends about $250 million a year on cyber security and after the loss of 75,000,000 client accounts to hackers late last year, CEO Jamie Dimon promised to double that to $500 million.
In most cases, internal controls are loose and employees would not trigger any alarms if they copied data. After all, they are trusted – we hired them, didn't we?
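The alarm that most companies lack is not exotic. If an application logs which employee viewed which client record, a per-user baseline of daily record access is enough to notice the day an advisor pulls thousands of accounts instead of a dozen. The following is an added example, not code from the original post or from any of the firms mentioned; the audit log format (date, user, account id) and all of the log lines are constructed for illustration, and the thresholds are assumptions you would tune to your own environment.

```python
"""Baseline-and-threshold detector for bulk client-record access.

Added example, not from the original post. The audit log format and every
log line below are constructed; the floor and sigma values are assumptions.
"""
import statistics
from collections import defaultdict


def constructed_log():
    """Build a constructed audit log: one line per record viewed,
    '<date> <user> <account>'. Three users each view 9..13 records a day
    for five days; on day six one of them exports 2,500 accounts."""
    lines = []
    for day in range(1, 6):
        for user in ("alice", "bob", "carol"):
            for n in range(8 + day):
                lines.append(f"2015-01-0{day} {user} ACC-{user[0].upper()}{n:04d}")
    # Day six: carol copies the whole book of business, others behave normally
    for n in range(2500):
        lines.append(f"2015-01-06 carol ACC-X{n:04d}")
    for user in ("alice", "bob"):
        for n in range(10):
            lines.append(f"2015-01-06 {user} ACC-{user[0].upper()}{n:04d}")
    return "\n".join(lines)


def parse_audit_log(text):
    """Parse log text into (date, user, account) tuples, skipping malformed lines
    rather than letting one bad line stop the whole detection run."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((parts[0], parts[1], parts[2]))
    return events


def daily_counts(events):
    """Count records viewed per user per day: {user: {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, _account in events:
        counts[user][day] += 1
    return counts


def flag_bulk_access(events, min_baseline_days=3, sigma=3.0, floor=50):
    """Return [(user, day, count)] for user-days whose record count exceeds
    both an absolute floor and mean + sigma * stdev of that user's other days.

    The floor stops a user with a near-zero history from being flagged for
    trivial activity; the per-user baseline catches the advisor whose normal
    day is a dozen records and whose bad day is thousands."""
    flagged = []
    for user, per_day in daily_counts(events).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                baseline = floor  # not enough history: rely on the floor alone
            else:
                mean = statistics.mean(others)
                sd = statistics.pstdev(others)
                baseline = max(floor, mean + sigma * sd)
            if count > baseline:
                flagged.append((user, day, count))
    return flagged


if __name__ == "__main__":
    for user, day, count in flag_bulk_access(parse_audit_log(constructed_log())):
        print(f"ALERT: {user} accessed {count} client records on {day}")
```

Two design points matter in practice. The baseline is computed from the user's other days, so a single bad day does not poison its own comparison, and a user with little history is judged only against the absolute floor. The detector also counts records rather than bytes, which is what an export of a customer list looks like in application logs even when no file ever leaves through the network perimeter.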
A 2012 study found that almost half of the employees questioned would sell their corporate credentials for $150. Whether half or $150 are exactly correct or not, the fact that any would sell it for a few hundred dollars speaks to the fact that employees don't have much loyalty to companies that, they think, will show them the door whenever it is convenient to the company.
How much do you spend on cyber security?