This week former Morgan Stanley financial advisor Galen Marsh admitted stealing data from the banking giant. He downloaded a total of 730,000 records to his personal computer from 2011 - 2014.
However, these records were later uploaded to website Pastebin which Marsh denies being responsible for. It was the publication of this data that first alerted the company to the loss.
There is much debate about what measures Morgan Stanley had taken to address the threat of an insider. It’s clear they were scanning external websites for missing data because it was the Pastebin upload that resulted in Marsh’s capture. But how could this employee run over 6000 reports over 3 years without any kind of alert being triggered or his activity on these network systems being monitored or controlled? This case suggests that there was no technology implemented here to prevent data loss, to monitor behaviour or to ensure access to systems was effectively controlled from the inside.
Cybersecurity expert Avivah Litan, an analyst at Gartner, says many larger financial organisations have been working for years to enhance their internal and external fraud detection systems. Integrating and replacing legacy systems at these organizations with new technology takes time, she notes.
This is crucial, the priority of every business is to ensure its effectiveness and profitability. Anything that presents a threat, including investment in information security technologies, must be carefully weighed against any potential that it could disrupt “business as usual”. It seems this may have been the case with Morgan Stanley. The technology exists, and they could certainly afford it, but these solutions appear not to have been implemented.
Technology vendors must also take some responsibility here. We need to work to ensure that our products can be implemented and operated with as little disruption to organisations as possible. This capability might ultimately end up being as important as the features and benefits of any solution we can offer.