The case of the software engineer at the CME Group admitting to stealing source code got me thinking about how financial institutions need to start taking proactive measures if they are to stop incidents of this severity occurring. The ignominy of being investigated, as well as the legal costs and subsequent reputational damage, are things that any business wants to avoid. What will be of concern to CME Group, or any financial services provider that experiences a similar intellectual property (IP) theft, is why a ‘trusted’ employee, who has been at the company for so long – 11 years in this case – would resort to stealing IP in their care.
There are a number of reasons that can contribute to this: dissatisfaction in the workplace; believing they won’t be caught; thinking this behaviour is acceptable and ‘everyone does it’. This is all conjecture and the list of possibilities is very long. However, the case brings to light a fundamental security issue: how was the software engineer able to steal code ‘undetected’?
Court documents have shown that the developer was able to print CME Group’s internal manuals and technical documents specifying how the systems interacted with each other – this is concerning as IP theft in such a simple manner should really not be possible.
To protect against this type of activity, many banks and other financial institutions have implemented monitoring of electronic communication channels for developers who have direct access to sensitive source code. However, monitoring communication is only effective if a user activity solution that detects anomalies in behaviour is implemented alongside it. When integrated with a forensic tool that analyses and logs all activities for a particular employee, a financial institution can store the full extent of user activity, so that should they attempt to steal IP, the user log acts as evidence that is admissible in court.
Where employees have access to IP, secure monitoring of how the IP is used is essential. There must be two-way trust between the users and the organisation; however, failing to protect IP is a naive and costly mistake. Financial institutions have a responsibility to ensure that information security policies about the use of company information are applied and enforced. All systems holding sensitive data must have logging and auditing in place to alert on misuse of the information they hold. Processes around the storage and retrieval of source code, and around version control systems, must also be defined and policed.
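As an added illustration (example code written for this piece, not from the original article or any vendor product), the following shows the kind of baseline check a user activity monitoring solution runs over audit logs: constructed per-user daily volumes of pages printed and files retrieved from source control, with days that depart sharply from that user's own norm raised as alerts.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit events (not real data): (day, user, action, quantity).
# For "print" the quantity is pages printed; for "scm_checkout" it is files
# retrieved from the source-control system.
EVENTS = [
    ("2024-01-01", "alice", "print", 12), ("2024-01-02", "alice", "print", 9),
    ("2024-01-03", "alice", "print", 14), ("2024-01-04", "alice", "print", 11),
    ("2024-01-05", "alice", "print", 10),
    ("2024-01-06", "alice", "print", 600),  # whole manuals sent to the printer
    ("2024-01-01", "bob", "scm_checkout", 6), ("2024-01-02", "bob", "scm_checkout", 8),
    ("2024-01-03", "bob", "scm_checkout", 5),
    ("2024-01-04", "bob", "scm_checkout", 400),  # bulk retrieval of repositories
    ("2024-01-05", "bob", "scm_checkout", 7),
    ("2024-01-01", "carol", "print", 20), ("2024-01-02", "carol", "print", 22),
    ("2024-01-03", "carol", "print", 19), ("2024-01-04", "carol", "print", 21),
]


def daily_totals(events):
    """Sum the quantity per (user, action) for each day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, action, qty in events:
        totals[(user, action)][day] += qty
    return totals


def flag_anomalies(events, factor=4, floor=50):
    """Return (day, user, action, qty, baseline) for days on which a user's
    volume for an action is at least `floor` and more than `factor` times
    that user's median volume on their other days.

    The baseline excludes the day under test so a single large day cannot
    mask itself; the absolute floor keeps trivial volumes from alerting,
    including for a user with no other days (whose baseline is 0).
    """
    alerts = []
    for (user, action), per_day in daily_totals(events).items():
        for day, qty in per_day.items():
            others = [q for d, q in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if qty >= floor and qty > factor * baseline:
                alerts.append((day, user, action, qty, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    for day, user, action, qty, baseline in flag_anomalies(EVENTS):
        print(f"{day} {user} {action}: {qty} (usual daily volume ~{baseline})")
```

In practice the same per-user baseline is computed from the full audit history and the alert is routed to the forensic record described above, so the evidence trail already exists when the anomaly is reviewed.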
Having a sound and detailed security policy framework underpins all future action that institutions can take in the event of an employee stealing IP from their employer. Educating staff about the maximum punishment they could face should be a reasonably powerful deterrent for most; however, supporting this with correctly implemented monitoring and detection solutions ensures that individuals who still try to abuse their access to sensitive data do not go undetected. Plus, the mere fact that such solutions are in place can provide an even more compelling deterrent to any abuse in the first instance, as users know their actions will be exposed.