Sunday, October 7, 2012
Security helps avoid common omissions and errors in business operations
A flash crash at the National Stock Exchange in India, brought down the Nifty (stock index) by 15.5%, and shut down the exchange for a short period of time. Circuit breakers were triggered after a trader erroneously mistyped a single large order into the system - interchanging the number of shares to be sold with the value of the trade. The incident exposed two types of systemic failures – the inability to prevent erroneous trade entries of abnormally large magnitude by traders, and the failure of processes, software and systems of the exchange to swiftly freeze trade and shut down the market, once the market volatility threshold of 10% was breached.
Most believe that the definition of “Security” in Information Security is only restricted to the set of measures an organization uses to protect against malicious activities of external agents and company employees. But, this is partly true – information security ensures not only the confidentiality, integrity and availability of information; against external threats but also from mistakes, errors, and faulty process and system design.
A good security plan and its implementation will always take into account all the potential misuse scenarios’ which have a harmful effect to an organizations reputation, assets or compliance mandates. In layman’s terms- actions both malicious and inadvertent that endangers a business.
Most data breaches are due to simple acts of omission such as technical misconfigurations by system administrators, use of default passwords and inadequate operational checks and balances. Security, if well thought off and implemented can prove to be a lifesaver by reducing the occurrence of operational risks in an organization’s day to day operations.
The trading firm, in the above incident had to purchase the shares back at higher prices to stay in business. The cost to the company amounted to 50% of its net worth. Had the firm put in place relevant checks and balances to validate large trades, before they were keyed in the system by traders, they would have been spared the financial loss.
On a different note, a similar situation could have been arisen, if a malicious hacker or disgruntled informed employee misused the system to crash the exchange with the execution of a single large trade. An experienced security professional would have brought in this perspective through a “misuse” scenario while designing or reviewing the design of trading processes and software, and recommended preventive controls.