When Financial and Information Security Risks are Supposed to Intersect

Interesting security event at Morgan Stanley's NYC headquarters related to insider abuse, mostly interesting because the clients' list and charged fees weren't even uploaded on any removable media, but forwarded to the consultant's private email account :

"A former consultant to Morgan Stanley has been arrested and charged with stealing an electronic list of hedge funds and the rates the investment bank charges them. The hedge funds are clients in the company's prime brokerage business. According to court documents, Chilowitz is accused of sending a copy of the firm's administrative client list and its client rate list for the prime brokerage business in February from Morgan Stanley's offices in New York to his personal e-mail account at his home in Virginia."

I once said that nothing's impossible, the impossible just takes a little while, but given who Morgan Stanley is when it comes to risk management, assessment, let's don't say risk engineering -- psst, paying $15m in order not to pay $1.5B is such a sound investment -- they should have never allowed for this type of info to leave over the Web.

Meanwhile, the WSJ is reporting that Employers Increasingly Firing Staffers for E-mail Violations :

"The news comes from the 2006 Workplace E-Mail, Instant Messaging and Blog survey from the American Management Association and the ePolicy Institute, according to the Journal. The survey found that more than a quarter of the employers queried had fired an employee for violating company e-mail policy, up 9 percent from the 17 percent of employers who let employees go for similar violations in 2001, the Journal reports. On top of this finding, the survey also said that 2 percent of respondents had fired workers for instant-message correspondences that weren’t appropriate, and another 2 percent of employers said they’d fired a staffer for posting distasteful content on a Web log—or blog—be it their professional or personal page, according to the Journal."

Security policies are not the panacea of security, they are the basics, so consider developing and monitoring the effectiveness of one. My advise - think twice before feeling like a smart ass for exploiting your interns next time, and yes, fingerprint your most valuable IP assets as well.