A flash crash at the National Stock Exchange in India brought down the Nifty (stock index) by 15.5% and shut down the exchange for a short period of time. Circuit breakers were triggered after a trader erroneously mistyped a single large order into the system, interchanging the number of shares to be sold with the value of the trade. The incident exposed two types of systemic failure: the inability to prevent erroneous trade entries of abnormally large magnitude by traders, and the failure of the exchange's processes, software and systems to swiftly freeze trading and shut down the market once the market volatility threshold of 10% was breached.
Most believe that the definition of "security" in information security is restricted to the set of measures an organization uses to protect against the malicious activities of external agents and company employees. But this is only partly true: information security ensures the confidentiality, integrity and availability of information not only against external threats, but also against mistakes, errors, and faulty process and system design.
A good security plan and its implementation will always take into account all the potential misuse scenarios that have a harmful effect on an organization's reputation, assets or compliance mandates. In layman's terms: actions, both malicious and inadvertent, that endanger a business.
Most data breaches are due to simple acts of omission such as technical misconfigurations by system administrators, use of default passwords and inadequate operational checks and balances. Security, if well thought out and implemented, can prove to be a lifesaver by reducing the occurrence of operational risks in an organization's day-to-day operations.
The trading firm in the above incident had to purchase the shares back at higher prices to stay in business. The cost to the company amounted to 50% of its net worth. Had the firm put in place relevant checks and balances to validate large trades before they were keyed into the system by traders, it would have been spared the financial loss.
On a different note, a similar situation could have arisen if a malicious hacker or a disgruntled, well-informed employee had misused the system to crash the exchange with the execution of a single large trade. An experienced security professional would have brought in this perspective through a "misuse" scenario while designing or reviewing the design of trading processes and software, and would have recommended preventive controls.
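As an added illustration of the kind of preventive control meant here (not code from the exchange, the trading firm or the original post), the pre-trade validator below assumes an order ticket on which the dealer types both the share quantity and the trade value, as the incident implies, and compares the two before the order can leave the firm. A quantity/value swap fails the consistency check by orders of magnitude, oversized orders hit hard caps, and merely large orders are held for a second person's approval; the limits, symbol and prices are constructed sample values. The exchange-side volatility halt is included as a second function for completeness.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class OrderTicket:
    symbol: str
    side: str            # "BUY" or "SELL"
    quantity: int        # number of shares the dealer typed
    price: float         # limit/reference price per share
    stated_value: float  # trade value the dealer typed on the same ticket

@dataclass(frozen=True)
class RiskLimits:
    max_notional: float       # hard cap on a single order's value; above this, reject
    approval_notional: float  # above this, a second person must approve before release
    max_quantity: int         # hard cap on shares in a single order
    tolerance: float = 0.02   # relative mismatch allowed between quantity*price and stated value

@dataclass
class Decision:
    accepted: bool
    needs_approval: bool
    reasons: list = field(default_factory=list)

def validate_order(t: OrderTicket, limits: RiskLimits) -> Decision:
    """Pre-trade checks run before the order reaches the exchange gateway (hypothetical control)."""
    reasons = []
    if t.side not in ("BUY", "SELL"):
        reasons.append(f"unknown side {t.side!r}")
    if t.quantity <= 0 or t.price <= 0 or t.stated_value <= 0:
        reasons.append("quantity, price and value must all be positive")
        return Decision(False, False, reasons)
    notional = t.quantity * t.price
    # The two independently typed figures must agree; a swap fails by orders of magnitude.
    if abs(notional - t.stated_value) > limits.tolerance * t.stated_value:
        reasons.append(f"stated value {t.stated_value:,.2f} != quantity*price {notional:,.2f}")
        # If the typed value, read as a share count, reproduces the typed quantity as a
        # value, the two fields were almost certainly interchanged.
        if abs(t.stated_value * t.price - t.quantity) <= limits.tolerance * t.quantity:
            reasons.append("quantity and value fields appear to be interchanged")
    if t.quantity > limits.max_quantity:
        reasons.append(f"quantity {t.quantity:,} exceeds cap {limits.max_quantity:,}")
    if notional > limits.max_notional:
        reasons.append(f"notional {notional:,.2f} exceeds cap {limits.max_notional:,.2f}")
    accepted = not reasons
    return Decision(accepted, accepted and notional > limits.approval_notional, reasons)

def circuit_breaker_tripped(reference_index: float, current_index: float, threshold: float = 0.10) -> bool:
    """Exchange-side halt: True once the index has moved at least `threshold` from its reference."""
    return abs(current_index - reference_index) / reference_index >= threshold
```

With a 1,000-share sale at 150.00 typed as 150,000 shares with a value of 1,000, the validator rejects the ticket, names the swap explicitly, and also reports the breached quantity and notional caps.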