New meaning for ROI: "Risk of Insiders"

High-profile data breaches and compliance incidents – such as the recent rogue trading scandal at Societe Generale in France – have given a second meaning to ROI: “Risk of Insiders.” 

Is this happening to you?  It almost certainly is. 

Although most insider fraud is either never discovered or never reported, a recent Ernst & Young security survey indicates that U.S.-based organizations lose about six percent of their annual revenues to insider fraud. For the smallest of last year's Fortune 1,000 companies, that's $100,000,000.  No wonder SANS Institute listed insider threats near the top of its annual list of cyber menaces facing the enterprise in 2008.

While there are many reasons for the how and why of insider breaches, they boil down to the same basic core: bad guys having access to information or systems that they shouldn't.  For all the talk in the industry about governance, risk and compliance (GRC), it all starts with a simple premise – controlling access.  You might know the risks, but without control, you can't have governance or compliance. 

Traditionally, organizations have focused on making sure that employees have the appropriate access to do their jobs. Recent developments have shifted the focus to whether employees “should” have access.  This sounds like it should be standard procedure, but the increased prevalence of insider breaches suggests otherwise.

Organizations have either failed to realize the risks of orphaned accounts and segregation of duties (SoD) violations, or do not have the security infrastructure in place to deal with them in a timely manner. 

The SocGen debacle is a good example.  One of the biggest enablers of the rogue trading activities that reportedly have cost the bank more than $7 billion in losses was failure on the SoD front. 

The suspect, Jerome Kerviel, worked in the back-end of the organization for years, learning how the systems controlled traders, and had access to execute control responsibilities.  Unfortunately, when he became an actual trader, his access was never terminated – meaning he apparently could control his own trades under the guise of different identities, which led to catastrophic consequences. 

Had SocGen had the mechanism to automatically terminate access and privileges upon his change in role at the company, this may have been prevented.  It certainly would have made it harder to commit this type of fraud and would have provided more opportunities for red flags to be raised in the process. 

So now that the SocGen scandal has awakened the industry from its blissful ignorance, does this mean insider threats will cease to exist?  Unfortunately, no. 

The business reality is that vulnerabilities always exist, with current business cycles often exacerbating the situation. 

The current sub-prime mortgage crisis is a case in point.  The Wall Street Journal recently projected that CitiGroup would lay off more than 20,000 workers in the coming months.  That's 20,000 opportunities for exposure or loss of sensitive data if access to information and systems isn't immediately terminated.  Add this to the daily list of compliance concerns related to who has access to what information – and you can see the size of the problem facing organizations continues to grow exponentially.

The first step: Take control of user access

So what to do?  The first step an organization needs to take is to take control of user access, automating the processes associated with the provisioning and de-provisioning of access to business-critical information and systems. 

Before a best practices GRC plan can be implemented, establishing control over your employees' access is a must – automatically terminating privileges and access in the event of turnover or role changes in the organization.  Once control over access is established, organizations can move on to identifying the greatest areas of risk, and establishing governance over the vulnerabilities. 
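The two failure modes the article describes, a mover who keeps the old role's access (the SoD violation at the heart of the SocGen case) and a leaver whose account is never disabled (an orphaned account), can both be caught with very simple identity-governance logic. The following is an added example written for this page; it is not the author's or Courion's code. The role names, entitlements, SoD rule pairs and user identifiers are all constructed for illustration. It contrasts an "additive" role change, which only grants the new role's access, with one that revokes the old role's access first, then runs SoD and orphaned-account checks over a constructed joiner/mover/leaver sequence.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role -> entitlement mapping (illustrative, not a real bank's model)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "back_office_control": {"view_trades", "approve_trades", "adjust_positions"},
    "trader": {"view_trades", "execute_trades"},
}

# Constructed segregation-of-duties rules: entitlement pairs that no single
# identity may hold at the same time (a trader must not approve or adjust trades)
SOD_RULES: List[Tuple[str, str]] = [
    ("execute_trades", "approve_trades"),
    ("execute_trades", "adjust_positions"),
]


@dataclass
class Account:
    user: str
    role: Optional[str]                      # None once the person has left
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True


Directory = Dict[str, Account]


def join(directory: Directory, user: str, role: str) -> None:
    """Joiner event: create the account with exactly the role's entitlements."""
    directory[user] = Account(user, role, set(ROLE_ENTITLEMENTS[role]))


def move_additive(directory: Directory, user: str, new_role: str) -> None:
    """The failure mode the article describes: the new role's access is added
    on top of the old role's access, which is never revoked."""
    acct = directory[user]
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]
    acct.role = new_role


def move_replace(directory: Directory, user: str, new_role: str) -> None:
    """Hardened mover handling: old entitlements are revoked before the new
    role's are granted, so access always matches the current role."""
    acct = directory[user]
    acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    acct.role = new_role


def leave(directory: Directory, user: str) -> None:
    """Leaver event: strip every entitlement and disable the account."""
    acct = directory[user]
    acct.entitlements.clear()
    acct.role = None
    acct.enabled = False


def sod_violations(acct: Account) -> List[Tuple[str, str]]:
    """Return every SoD rule that this single account violates."""
    return [(a, b) for a, b in SOD_RULES
            if a in acct.entitlements and b in acct.entitlements]


def orphaned_accounts(directory: Directory, hr_roster: Set[str]) -> List[str]:
    """Enabled accounts whose owner no longer appears on the HR roster."""
    return sorted(u for u, a in directory.items()
                  if a.enabled and u not in hr_roster)


def run_scenario(mover) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Replay a constructed joiner/mover/leaver sequence with the given mover
    handler; return (SoD violations for the mover, orphaned accounts)."""
    directory: Directory = {}
    join(directory, "j.doe", "back_office_control")   # constructed users
    join(directory, "a.smith", "trader")
    join(directory, "b.lee", "trader")
    mover(directory, "j.doe", "trader")               # back office -> trading desk
    leave(directory, "b.lee")                         # leaver workflow actually ran
    # a.smith also left, but HR never triggered the leaver workflow for IT
    hr_roster = {"j.doe"}
    return sod_violations(directory["j.doe"]), orphaned_accounts(directory, hr_roster)


if __name__ == "__main__":
    print("additive mover:", run_scenario(move_additive))
    print("replace mover: ", run_scenario(move_replace))
```

With the additive handler, j.doe ends up holding both trade execution and trade approval rights and trips both SoD rules; with the replacing handler the same role change produces no violation. In both runs a.smith surfaces as an orphaned account because the leaver event never reached the directory, which is exactly the gap that automated de-provisioning driven by HR events is meant to close.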

By automating the manual processes associated with account termination and privilege changes, you can turn the tables on insider threats, not only delivering a strong traditional ROI, but giving another new meaning to ROI for those with nefarious plans: “Risk of Incarceration.”

Chris Sullivan heads both the Solutions Engineering and Customer Management areas for Courion Corporation.