Why privacy and security are so important right now and how you can help your executive leadership understand the risks.
Understanding the risk of weak controls related to privacy and security – including the costs of doing nothing – will help motivate executive leadership to address the company's security vulnerabilities.
Companies today are facing many different threats to their information security. From the risk of external hackers to internal fraud by employees and compliance with myriad government regulations, companies must stay ahead of these threats to survive and avoid costly security breaches.
External threats to security and privacy have only grown more complex. The pandemic has permanently altered how we work and how employees access company networks, making companies more vulnerable to external threats from cyber criminals. The Identity Theft Resource Center has recently noted a major shift in cybercriminal tactics, moving away from stealing personal information and toward stealing login credentials. With valid credentials for a corporate network, cyber criminals are free to roam the company’s internal networks and steal sensitive data. The more access their stolen credentials provide, the more damage they can do and the more those credentials are worth.
Internally, one of the leading threats for companies remains fraud committed by their own employees, which often occurs when they are overprovisioned access to the company’s systems. The Association of Certified Fraud Examiners (ACFE) estimates that as much as 65% of fraud is internal. The pressures, incentive, and opportunities for employees to commit fraud have only been amplified by the pandemic and current economic outlook. Many employees are struggling in fear of potential layoffs and uncertainty about future income in a work-from-home environment that may not be as secure or controlled as the office and where family and other pressures are often in very close proximity. The ACFE expects a 71% increase in fraud over the next year due to the economic challenges of the pandemic and the opportunity offered by overprovisioned access to company resources.
Additionally, ever-increasing governmental regulations, such as Sarbanes-Oxley (SOX) and General Data Protection Regulation (GDPR), increase the cost of compliance. Security and privacy laws, like GDPR and California Consumer Privacy Act (CCPA), mean that companies must be more responsible for securing the personal data they collect from their customers and users. Other regulations, like SOX, require companies to employ strict controls on user access to business-critical applications to preserve the integrity of their financial statements. The consequences of a data breach can cause irreparable harm to a company, including fines, penalties, reputational damage, and loss of customers.
Protecting Company Data
There is no single solution that will protect all of the company's data assets from internal and external threats. Similarly, no single solution will make a company compliant with all regulations. However, there are steps companies can take today that will go a long way to securing their data.
Companies interested in getting a handle on their security should start by assessing risks to identify where the company is vulnerable to internal and external threats. A risk assessment will look at threats such as:
- The type of business you are conducting
- Where your data is stored
- Where the company does business
- How secure the vendors in your supply chain are
- How your employees access your systems, with special emphasis on remote workers
- How roles are designed in those systems to enforce proper segregation of duties
As a result, companies will be able to identify the steps that address their most significant risks, such as separation of duties, controls on user access, access reviews and certifications, and limiting the use of superuser accounts, and to quantify the cost savings if these controls are implemented.
Companies should take a risk-based approach to access security by identifying where they are most exposed to internal and external risks. Then, they can develop and execute a plan to address those areas of high-risk exposure.
Where to Start: Getting Executive Buy-in
Successfully addressing these issues across the company requires support from executive management and the board of directors. To get that support, executive leadership must acknowledge that the risks are real and, if exploited, could have an adverse effect on the bottom line. Doing nothing does not save the company money; instead, it perpetuates the existing risks. Often, executives have an "it can't happen here" mentality, and as a result dedicating time and resources to analyze and properly address information security risks is not a priority. However, we don’t need to look far for examples of prominent companies that have been impacted by lax controls. Just last year, an executive at a prominent media company used his ability to both negotiate vendor contracts and initiate vendor payments to pay himself millions of dollars in kickbacks. These real-world examples can help quantify the risk.
For publicly traded companies, compliance with regulations like SOX is required, and the cost of compliance is a growing burden. However, compliance can be a value-added activity for the business with the right executive buy-in and approach. Adopting more automation into the compliance process can help mitigate the cost of compliance and reduce the risk of failing an audit.
Building the Foundation
One of the easiest places to start when building a comprehensive information security program is to look at user access and role design in your critical applications. While this step will not address all security and privacy risks, it will provide a solid foundation to build on and can help limit the risk exposure.
Good practices around user access management include ensuring that users get only the access required to do their jobs and user access is reviewed on a periodic basis and terminated in a timely manner when the employee leaves the company.
Ensuring that users get the right access to do their jobs can be difficult and often requires companies to build custom roles that are fit for purpose. Two critical principles should be addressed when analyzing user access and role design:
- Principle of Least Privilege: This means roles provide the LEAST amount of access possible while still allowing users to do their jobs. Extra permissions that are not needed are stripped away, and roles are built for purpose and aligned to job responsibilities. This will also enable a more streamlined access provisioning process. Too many companies make the mistake of using delivered or “out of the box” roles rather than tailoring those roles to meet their unique needs. Another common error companies make is provisioning every user with “Admin” or elevated access rights because creating tailored custom roles is time consuming.
- Separation of Duties (SoD): Ensuring that no single user has the ability to initiate and approve or post a transaction. This is also critical when it comes to change management, ensuring developer access is separated from users who can migrate changes. Manually going through user access requests and finding separation of duties risks is time-consuming and error prone. Many tools will automate these business processes and alert the security team of possible security breaches, whether internal or external, in real-time rather than after the fact.
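The two principles above are easiest to reason about when a user's effective permissions (the union of every role they hold) are checked against an explicit list of conflicting permission pairs. The following is an added illustration, not Fastpath's code or any vendor's rule set; the role names, permission names, and SoD rules are constructed sample data. It also shows the pre-provisioning "what if" check the article describes later: which conflicts a new role would introduce for a user who already holds other roles.

```python
# Constructed sample data: role -> set of permissions it grants.
# Note the misnamed "VIEW_ONLY" role that actually grants vendor creation.
ROLES = {
    "AP_CLERK":    {"vendor.create", "invoice.enter"},
    "AP_MANAGER":  {"invoice.approve", "payment.process"},
    "VIEW_ONLY":   {"invoice.view", "vendor.create"},
    "DEVELOPER":   {"code.change"},
    "RELEASE_MGR": {"code.migrate"},
}

# Constructed SoD rules: permission pairs no single user should hold together.
SOD_RULES = {
    ("vendor.create", "payment.process"): "create vendor and pay vendor",
    ("invoice.enter", "invoice.approve"): "initiate and approve invoice",
    ("code.change", "code.migrate"):      "develop and migrate changes",
}

def effective_permissions(role_names, roles=ROLES):
    """Union of permissions across every role the user holds."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms

def sod_violations(role_names, roles=ROLES, rules=SOD_RULES):
    """List (description, perm_a, perm_b, roles granting a, roles granting b)
    for every rule whose both sides fall within the user's effective access."""
    perms = effective_permissions(role_names, roles)
    hits = []
    for (a, b), desc in rules.items():
        if a in perms and b in perms:
            via_a = sorted(r for r in role_names if a in roles[r])
            via_b = sorted(r for r in role_names if b in roles[r])
            hits.append((desc, a, b, via_a, via_b))
    return hits

def what_if_grant(current_roles, new_role, roles=ROLES, rules=SOD_RULES):
    """Pre-provisioning check: only the conflicts that adding new_role creates."""
    already = {h[0] for h in sod_violations(current_roles, roles, rules)}
    after = sod_violations(list(current_roles) + [new_role], roles, rules)
    return [h for h in after if h[0] not in already]

if __name__ == "__main__":
    for desc, a, b, via_a, via_b in what_if_grant(["VIEW_ONLY"], "AP_MANAGER"):
        print(f"BLOCK: {desc}: {a} via {via_a}, {b} via {via_b}")
```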
Path to Success
Many companies find the idea of completely securing all their business systems and networks impossible or too constraining on employee productivity. Rather than build a complete solution all at once, companies should evaluate their security exposure and fix the high-risk exposure areas first. It would be impossible for most companies to eliminate all risks completely. Still, understanding where the highest risks exist and building compensating controls to manage them will resolve the most significant risks.
Flexibility and customization can also play a large role in succeeding with new network and business application security policies. When developing a new policy or evaluating the use of a new tool to help facilitate application access hardening, it pays to take the extra step to assess end-user habits, daily use patterns of application access, and the practical requirements across finance and accounting teams. Doing so not only provides first-hand insights to help design an optimized policy but will also allow users to feel a sense of ownership over the new policy, thereby increasing the chances of full adoption.
Fastpath and Connor Group can Help
Fastpath is an automated tool that helps companies control user access to the most sensitive information in their ERP, CRM, and HCM applications. Fastpath can help:
- Determine what access users truly have (e.g., is the “view only” role actually allowing someone to process transactions?)
- Identify users with multiple roles across these applications and what those users can do with that combined access
- Automate the user certification process by scheduling reviews, assigning reviewers, and generating a summary of action items for IT
- Perform SOD validation before you provision access
- Perform a “what if” analysis before updating roles
- Quantify the risk of users having SOD violations (e.g., someone has access to create vendors and process payments; Fastpath can help determine if a user actually did that)
- Generate a true population of changes from the ERPs’ audit trail to perform change management testing and change lookback procedures
Tools like Fastpath can help automate security processes and test for security issues, which also helps meet SOX's audit and compliance requirements. These tools monitor who has access to your applications, who can bypass controls, and where the most significant vulnerabilities exist.
Connor Group is a specialized professional services firm that helps companies with IPO and SOX readiness. Connor Group is a trusted Fastpath partner and works with clients to perform application security risk assessments and implementation of Fastpath. Connor Group brings the experience to help clients remediate user access, role design, and permission assignment issues identified through Fastpath by designing and helping to implement appropriate and practical risk-mitigating processes and controls.
Protection for the Future
Companies must protect their business data and intellectual property from external and internal risks.
Quantifying the risk of internal fraud, including the costs of doing nothing, will help motivate executive leadership to address the company's security vulnerabilities proactively.