Earlier this month Mark Boleat, head of policy for the City of London, gave a serious warning to the financial services industry as he prepared to address the Institute of International Finance in Washington on the threat of cybercrime. His speech described a doomsday scenario in which cyber criminals would go about “destroying bank records and changing the amounts people have in their accounts”, bringing much of the financial world grinding to a halt and sparking the next financial crisis.
These comments were echoed by one of the City’s biggest fund managers, Legal & General, which called on the 350 biggest companies on the stock market to step up their efforts to fight cybercrime, which it described as ‘a tier one threat’ to the financial services industry.
The comments of Legal & General’s corporate governance director, Sacha Sadan, highlight a real issue that chief information security officers (CISOs) confront not only in the UK but in the USA too: how to convince the board of the need to invest in effective IT security. Boards demand data points to drive IT security decisions, but no CISO would want to rely on a data breach to flush out those vulnerabilities and then present the board with reputational ruin and financial losses alongside their own resignation.
In presenting a strong case to the board, more CISOs are realising how invaluable forensic analysis of access vulnerabilities can be. A recent engagement with a client of my firm is a good example of how organisations are doing this. A major multinational retailer headquartered in Europe requested an access risk audit to help proactively assess its systems for access risk vulnerabilities. The assessment revealed a number of active accounts belonging to contractors and employees who no longer worked for the retailer, as well as users with excessive access privileges. Such oversights could have damaging consequences for any organisation given that, according to the latest Verizon report on security breaches, abuse of access privileges appears in 13% of all data breaches and 61% of security incidents are caused by rogue employees with insider access.
This is exactly the kind of data that a board can act on to build effective data breach mitigation strategies. But simply doing an audit isn’t enough if boards are to bear down on and reduce the data breach threat associated with misuse of access rights. It is essential that organisations have strong capabilities for real-time monitoring of access risk, covering all risk factors related to data access. This gives CISOs and IT managers a clear view of suspicious activities that could pose a threat to their business, and enables them to identify the causes of security vulnerabilities and act on them to prevent data breaches. The insight generated by real-time access risk intelligence can also help financial organisations allocate their security budget and resources to the areas that are most problematic from a security perspective and need the most urgent attention.
Given that over 70% of reported breaches take advantage of user credentials in some way (source: Verizon report), CISOs and IT managers must be empowered, through Identity and Access Intelligence solutions, to manage and continuously monitor access. For instance, an access intelligence engine can identify orphaned accounts and excessive access privileges and, through integration with a full IAM suite, automatically take action to rectify inappropriate access to the corporate database.
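The two findings the audit above turned up (active accounts belonging to leavers and ex-contractors, and users with excessive privileges) are what an access intelligence engine looks for in the first instance, and the core of that check is a join between an IAM account export and the HR roster plus a peer-group comparison of roles. The Python below is an added illustration, not code from my firm or from any IAM product; the account list, roster, department fields and the 50% peer threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): an IAM account export and the HR roster.
ACCOUNTS = [
    {"user": "alice", "roles": {"sales_read"}, "enabled": True},
    {"user": "bob", "roles": {"sales_read", "db_admin"}, "enabled": True},
    {"user": "carol", "roles": {"sales_read"}, "enabled": True},
    {"user": "dave", "roles": {"sales_read", "payroll_write"}, "enabled": True},
    {"user": "erin", "roles": {"finance_read"}, "enabled": True},
    {"user": "ctr_old_vendor", "roles": {"db_admin"}, "enabled": True},  # ex-contractor
]
HR_ROSTER = {
    "alice": {"status": "active", "dept": "sales"},
    "bob": {"status": "active", "dept": "sales"},
    "carol": {"status": "active", "dept": "sales"},
    "dave": {"status": "terminated", "dept": "sales"},
    "erin": {"status": "active", "dept": "finance"},
}


def is_active(acct, roster):
    """True when the account is enabled and HR still lists its owner as active."""
    person = roster.get(acct["user"])
    return acct["enabled"] and person is not None and person["status"] == "active"


def find_orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner HR does not know or no longer lists as active."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and not is_active(a, roster))


def find_excessive_privileges(accounts, roster, threshold=0.5):
    """Roles an active user holds that fewer than `threshold` of department peers
    hold (assumed heuristic; a one-person department can never yield a finding)."""
    dept_roles = defaultdict(list)  # dept -> role sets of its active members
    for acct in accounts:
        if is_active(acct, roster):
            dept_roles[roster[acct["user"]]["dept"]].append(acct["roles"])
    findings = {}
    for acct in accounts:
        if not is_active(acct, roster):
            continue
        peers = dept_roles[roster[acct["user"]]["dept"]]
        outliers = {r for r in acct["roles"]
                    if sum(r in p for p in peers) / len(peers) < threshold}
        if outliers:
            findings[acct["user"]] = sorted(outliers)
    return findings
```

On the sample data the join flags `dave` (terminated in HR) and `ctr_old_vendor` (unknown to HR) as orphaned, and the peer comparison flags `bob` for holding `db_admin` when no other sales colleague does; in a real deployment the same two checks would run continuously against the live directory rather than once at audit time.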
Even if a security breach does occur, a real-time access risk engine can quickly identify the causes of the breach and enable IT staff to address the problem promptly to mitigate the damage. This kind of continuous assurance, coupled with improved auditability and compliance with data protection requirements and internal security standards, strengthens security controls and delivers better ROI from security investments. Moreover, by better understanding access risk and where the greatest security vulnerabilities lie, CISOs and IT managers will be able to set more effective security priorities and have more proof points to convince the board of the need to invest in a more robust IT security strategy.