Beware the knowledgable insider. Societe Generale shows us why.

The absolute disaster that Societe Generale discoverd over the weekend is the best reminder ever to check internal controls. You should be especially wary of employees that are familiar with your risk and security measures. They are armed with the tools to circumvent all of your precautions.

When I was a white hat hacker for PricewaterhouseCoopers our security assessments were usually done in two phases. There would be an external penetration test followed by an internal check of processes and controls. During that internal check I would examine firewall policies, scan networks, and run various tools on representative servers and desktops. I would also interview key IT staff. It would take about four days to get an insider's feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular are trustworthy. But trust is not a good policy. Certainly the stake holders in Societe Generale are going to be asking some questions of level of trust that SG imbued their traders with.

In a case reminiscent of similar events at Barings Bank and Sumitomo, a trader scammed internal controls to engage in some lofty bets that SG claims led to losses of $7.14 billion. Jerome Kerviel has previously worked in the department that applied trading controls so evidently he knew just how to scam the system. It sounds a little strange that he was gaining nothing from his activity. I am sure investigators will check for evidence of unusual signs of wealth from his trading. Maybe he had an accomplice (employer?) on the outside that made bets in the opposite direction, whatever.

Use this incident as impetus to check your internal controls. I can guarantee you, they are not good enough.

Update:  More on SocGen at new Security Blog.