Morgan Stanley will pay a $1M settlement to the Securities and Exchange Commission (SEC) for failing to protect its customers' personally identifiable information (PII) from unauthorized disclosure. From 2011 to 2014, a former Morgan Stanley employee, Galen Marsh, transferred Morgan Stanley client account data to his personal laptop via his personal website. The information was then obtained by hackers, who posted it on the Internet for profit. In 2015, Galen Marsh pled guilty to exceeding his authorized access to a computer, a violation of 18 U.S.C. § 1030(a)(2)(A) (fraud and related activity in connection with computers).
Morgan Stanley did have policies and procedures for access provisioning that followed the principle of least privilege, which means provisioning only the minimum access a person needs to fulfill his or her job duties. However, Mr. Marsh was able to guess branch IDs and employee group numbers until he obtained access beyond what he was authorized to have, which shows that the application did not verify his entitlement to each identifier he supplied. To make matters worse, he had been inappropriately obtaining this information for over three years.
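To illustrate the control failure described above, here is an added example (not code from the original post or from Morgan Stanley's systems) of the two defensive measures it implies: a lookup that checks the requesting user's entitlement to the supplied branch/group identifiers instead of trusting the identifiers themselves, and a detector run over the resulting access log that flags a user who is cycling through many identifiers or collecting repeated denials. The entitlement table, client records and user names are constructed for the example.

```python
"""Entitlement-checked record lookup plus identifier-enumeration detection.

Constructed example: the users, branch/group identifiers and records below
are hypothetical and exist only to show the technique.
"""
from collections import defaultdict

# Hypothetical entitlement table: user -> set of (branch_id, group_id) pairs
# that user is provisioned for under least privilege.
ENTITLEMENTS = {
    "adviser01": {("B100", "G1"), ("B100", "G2")},
    "adviser02": {("B200", "G5")},
}

# Hypothetical client records keyed by (branch_id, group_id).
RECORDS = {
    ("B100", "G1"): ["client-a", "client-b"],
    ("B100", "G2"): ["client-c"],
    ("B200", "G5"): ["client-d"],
    ("B300", "G9"): ["client-e"],
}

# Every lookup attempt is recorded as (user, branch, group, allowed) so that
# guessing behaviour is visible to detection, not just to the requester.
ACCESS_LOG = []


def lookup_clients(user, branch, group):
    """Return records only if the user is entitled to that branch/group.

    The check is made against the caller's provisioned entitlements, so a
    guessed identifier that is valid but not provisioned is denied exactly
    like a non-existent one: the caller learns nothing about which IDs exist.
    """
    allowed = (branch, group) in ENTITLEMENTS.get(user, set())
    ACCESS_LOG.append((user, branch, group, allowed))
    if not allowed:
        return None
    return RECORDS.get((branch, group), [])


def find_enumerators(log, distinct_threshold=3, denial_threshold=2):
    """Flag users who touch many distinct branch/group pairs or accumulate
    repeated authorization denials. Returns {user: [reason, ...]}.

    Thresholds are illustrative; in practice they would be tuned to the
    normal breadth of access for each role.
    """
    distinct = defaultdict(set)
    denials = defaultdict(int)
    for user, branch, group, allowed in log:
        distinct[user].add((branch, group))
        if not allowed:
            denials[user] += 1
    flagged = {}
    for user, pairs in distinct.items():
        reasons = []
        if len(pairs) >= distinct_threshold:
            reasons.append(f"{len(pairs)} distinct branch/group pairs")
        if denials[user] >= denial_threshold:
            reasons.append(f"{denials[user]} denied requests")
        if reasons:
            flagged[user] = reasons
    return flagged


def simulate():
    """Replay one normal user and one guessing user, then run detection."""
    ACCESS_LOG.clear()
    # Normal use: adviser01 stays within its provisioned branch/groups.
    lookup_clients("adviser01", "B100", "G1")
    lookup_clients("adviser01", "B100", "G2")
    # Guessing: adviser02 tries one entitled pair, then three it is not
    # provisioned for (two that exist, one that does not).
    for branch, group in [("B200", "G5"), ("B300", "G9"),
                          ("B100", "G1"), ("B250", "G3")]:
        lookup_clients(branch=branch, group=group, user="adviser02")
    return find_enumerators(ACCESS_LOG)


if __name__ == "__main__":
    for user, reasons in simulate().items():
        print(user, "->", "; ".join(reasons))
```

The design point is that the authorization decision is made server-side against the caller's entitlements, so guessing identifiers returns nothing, and that each attempt is logged so a three-year pattern of probing would surface as a small set of users with an unusually wide spread of identifiers and denials.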
This incident is another reminder that security measures must be assessed thoroughly against both external and internal parties. There is often a false sense of comfort that concerns about fellow employees are insignificant, or that insider incidents are less likely than outside attacks. However, companies must sufficiently safeguard both fronts to maintain business operations while deterring potential incidents.
How could this situation have been detected sooner or prevented? Data Loss Prevention (DLP) software could have been useful for this type of insider violation. DLP software includes many features for controlling data transfer in accordance with configured policies. For instance, transfers of certain information could be denied if policies were in place to prevent uploading content to a cloud storage service (e.g., Dropbox) or, as in this case, to a personal website. A thorough analysis to classify data would be needed before developing policies within a DLP product, since the product can only enforce rules on data it can identify.
The Aronson LLC Point of View: Insider Threat discusses the significance of implementing a security awareness training program within your organization in order to decrease the probability of an insider threat security violation. Companies should also assess their policy hierarchy structures to confirm alignment with leading practices, or seek an external assessment. Policies and procedures should be reviewed periodically so that they remain reflective of the current environment. These leading practices, together with DLP software, comprise an integrated approach to support insider threat prevention and detection.