How to clean up after Sumitomo Mitsui


When the truth finally comes out about the attempted theft of £220 million from Sumitomo Mitsui Bank in March, the story is likely to have all the hallmarks of an inside job. At the very least, the crime relied on having people inside the building to carry it out.

One report suggested that it was the cleaners who fitted hardware keyloggers to the relevant machines to harvest account details, although that has since been officially denied.

But suppose, just for argument's sake, that an organised crime group wanted to plant keyloggers in your systems. Posing as cleaners would be a good way to do it. A hardware keylogger sits inline on the keyboard cable at the back of the machine, and even with CCTV running around the clock, a skilful operator could make fitting one look like nothing more than dusting behind the computers.

So what's the answer? Do you have to run a police check on everyone who steps through the door of your building? That is plainly impractical and, under current legislation, impossible: at the moment, if you want to run a police check on someone, you need their cooperation.

Indeed, as the head of security at a large multinational told me: "When I joined the company, the board said, 'I suppose we should check you out in some way, since you're going to be in charge of security.' The only thing they could think of was a police check, but I had to go and order that myself, then hand it over to them." He got the job, by the way.

It's an amusing story, but it underlines how the law prevents employers from prying too far into the backgrounds of prospective employees. For the most part, that's a good thing.

But don't be surprised if we start hearing calls for a change in the law. Just as anyone working with children now has to submit to police checks, some would like to extend that burden to all employees. As a former law enforcement officer remarked to me in confidence: "This is supposed to be a business-friendly government, but look how hard they make it for companies to check on employees."

He might have a point, but we should think twice before yielding to such demands. There is still much that firms can do to protect themselves from insider scams. A decent process for allocating system rights when people join, adjusting them when they change role, and withdrawing them the moment they leave would be a good starting point. The test of such a process is simple: compare who the business says is on the books against who the systems say can log in, and treat every mismatch as a finding.
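What that roster-versus-accounts comparison looks like in practice, as an added example that is not part of the original article and not any bank's real process: the people, usernames, roles and entitlement names below are constructed for illustration, and the role-to-rights table is an assumption standing in for whatever access model a firm actually uses.

```python
"""Joiner/mover/leaver reconciliation.

Compares an HR roster with the accounts and entitlements that actually exist,
and reports what a decent provisioning process should have caught: accounts
whose owner has left (or never existed), rights beyond what the owner's role
allows, and joiners who are still waiting for an account.

All data below is constructed for illustration; the roles, entitlement names
and usernames are hypothetical, not taken from any real bank.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Assumed role baseline: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "payments_clerk": frozenset({"email", "payments_view"}),
    "payments_supervisor": frozenset({"email", "payments_view", "payments_approve"}),
    "cleaning_contractor": frozenset(),   # no system access expected at all
}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    start: date
    end: Optional[date] = None  # None: still with the firm


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]    # None: nobody owns this account
    entitlements: FrozenSet[str]


@dataclass
class Findings:
    disable: List[str] = field(default_factory=list)            # accounts that should not exist
    excess: Dict[str, List[str]] = field(default_factory=dict)  # username -> rights beyond role
    missing: List[str] = field(default_factory=list)            # active people with no account


def active_on(p: Person, today: date) -> bool:
    """True if the person is employed on the given day (end date is exclusive)."""
    return p.start <= today and (p.end is None or p.end > today)


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> Findings:
    people = {p.person_id: p for p in roster}
    found = Findings()
    with_account = set()
    for acct in accounts:
        owner = people.get(acct.person_id) if acct.person_id else None
        if owner is None or not active_on(owner, today):
            found.disable.append(acct.username)   # orphaned, leaver, or not yet started
            continue
        with_account.add(owner.person_id)
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(owner.role, frozenset())
        if extra:
            found.excess[acct.username] = sorted(extra)
    for p in roster:
        needs_account = bool(ROLE_ENTITLEMENTS.get(p.role))
        if needs_account and active_on(p, today) and p.person_id not in with_account:
            found.missing.append(p.person_id)
    return found


# Constructed sample: a clerk holding a supervisor's approval right, a
# supervisor who left last month, a cleaning contractor who somehow has a
# login, an unowned service account, and a new joiner with no account yet.
ROSTER = [
    Person("P001", "payments_clerk", date(2004, 1, 5)),
    Person("P002", "payments_supervisor", date(2001, 3, 1), end=date(2005, 2, 28)),
    Person("P003", "cleaning_contractor", date(2005, 1, 10)),
    Person("P004", "payments_clerk", date(2005, 3, 14)),
]
ACCOUNTS = [
    Account("jsmith", "P001", frozenset({"email", "payments_view", "payments_approve"})),
    Account("afoster", "P002", frozenset({"email", "payments_view", "payments_approve"})),
    Account("nightclean", "P003", frozenset({"email", "payments_view"})),
    Account("svc_backup", None, frozenset({"payments_view"})),
]


def run_example() -> Findings:
    """Run the reconciliation against the constructed sample as of 15 March 2005."""
    return reconcile(ROSTER, ACCOUNTS, date(2005, 3, 15))


if __name__ == "__main__":
    print(run_example())
```

The point of the design is that the roster, not the directory, is the source of truth: an account with no living owner on the roster is disabled rather than trusted, and a contractor role with an empty baseline means any account at all is a finding. Run it daily; the leaver case only works if the end date reaches the roster the day the person goes, which is the process gap the article is describing.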

In the end, we need to use technology to enforce system security. Technology might not have stopped keyloggers being planted at Sumitomo, but it was anomalies in traffic patterns that alerted people to the threat.

More use of the right kind of technology – from simple provisioning right up to behavioural analysis – is more likely to yield results, and get them without eroding basic rights.
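The "anomalies in traffic patterns" point above, as an added example that is not from the article and says nothing about how Sumitomo's own monitoring worked: a per-host behavioural baseline of daily outbound volume, alongside a check for destinations a host has never contacted before. The flow summaries, hostnames and the 203.0.113.45 destination (a documentation address range) are all constructed for illustration.

```python
"""Behavioural baseline over outbound traffic.

For each host, builds a baseline of daily outbound volume from that host's
own history and flags a day that departs from it by more than `sigma`
standard deviations, plus any destination the host has never contacted
before. Flow summaries below are constructed for illustration; the hostnames
and the 203.0.113.0/24 address (a documentation range) are hypothetical.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

Flow = Tuple[int, str, str, int]     # (day, host, destination, outbound bytes)
Alert = Tuple[int, str, str, str]    # (day, host, kind, detail)

# Constructed daily summaries: a week of normal mail traffic from two
# workstations, then a large upload from one of them to an address it has
# never spoken to, the pattern a planted keylogger phoning home would leave.
FLOWS: List[Flow] = [
    (1, "ws-payments-07", "mail.corp.example", 12000),
    (2, "ws-payments-07", "mail.corp.example", 15000),
    (3, "ws-payments-07", "mail.corp.example", 11000),
    (4, "ws-payments-07", "mail.corp.example", 14000),
    (5, "ws-payments-07", "mail.corp.example", 13000),
    (6, "ws-payments-07", "mail.corp.example", 12500),
    (7, "ws-payments-07", "mail.corp.example", 12800),
    (7, "ws-payments-07", "203.0.113.45", 480000),
    (1, "ws-hr-02", "mail.corp.example", 9000),
    (2, "ws-hr-02", "mail.corp.example", 9300),
    (3, "ws-hr-02", "mail.corp.example", 8800),
    (4, "ws-hr-02", "mail.corp.example", 9100),
    (5, "ws-hr-02", "mail.corp.example", 9500),
    (6, "ws-hr-02", "mail.corp.example", 9200),
    (7, "ws-hr-02", "mail.corp.example", 9400),
]


def detect(flows: List[Flow], sigma: float = 3.0, min_history: int = 5) -> List[Alert]:
    """Return volume and new-destination alerts, judged against each host's own past."""
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))    # host -> day -> destinations
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)

    alerts: List[Alert] = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        known = set()
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]   # strictly earlier days only
            if len(history) >= min_history:           # no verdicts until a baseline exists
                mu, sd = mean(history), pstdev(history)
                volume = per_day[day]
                if sd > 0:
                    z = (volume - mu) / sd
                else:   # perfectly flat history: any increase counts as anomalous
                    z = float("inf") if volume > mu else 0.0
                if z > sigma:
                    alerts.append((day, host, "volume",
                                   f"{volume} bytes vs baseline {mu:.0f} +/- {sd:.0f}"))
                for dst in sorted(dests[host][day] - known):
                    alerts.append((day, host, "new_destination", dst))
            known |= dests[host][day]
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Two design choices matter here. The baseline is per host, because a payments workstation and a build server have nothing in common and a fleet-wide threshold would miss the former and drown in the latter. And the new-destination check is only scored once the history is long enough, otherwise the first week of any host is nothing but alerts. The obvious caveat is that an attacker who trickles data out below the threshold, to a destination the host already talks to, passes both tests; the volume check is a floor, not a fence.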

Ron Condon is editor-in-chief of SC Magazine

Copyright © SC Magazine, US edition
