Understanding the risk of weak controls related to privacy and security – including the costs of doing nothing – will help motivate executive leadership to address the company's security vulnerabilities.
The Threats
Companies today are facing many different threats to their information security. From the risk of external hackers to internal fraud by employees and compliance with myriad government regulations, companies must stay ahead of these threats to survive and avoid costly security breaches.
External threats to security and privacy have only grown more complex. The pandemic has permanently altered how we work and how employees access company networks, making companies more vulnerable to external threats from cyber criminals. The Identity Theft Resource Center has recently noted a major shift in cybercriminal tactics, moving away from stealing personal information and instead stealing login credential access. With login access to a corporate network, cyber criminals are free to roam the company’s internal networks and steal sensitive data. The more access their stolen credentials provide, the more damage they can do and the more those credentials are worth.
Internally, one of the leading threats for companies remains fraud committed by their own employees, which often occurs when they have been overprovisioned with access to the company’s systems. The Association of Certified Fraud Examiners (ACFE) estimates that as much as 65% of fraud is internal. The pressures, incentives, and opportunities for employees to commit fraud have only been amplified by the pandemic and the current economic outlook. Many employees are struggling with fear of potential layoffs and uncertainty about future income in a work-from-home environment that may not be as secure or controlled as the office and where family and other pressures are often in very close proximity. The ACFE expects a 71% increase in fraud over the next year due to the economic challenges of the pandemic and the opportunity offered by overprovisioned access to company resources.
Additionally, ever-increasing governmental regulations, such as Sarbanes-Oxley (SOX) and the General Data Protection Regulation (GDPR), increase the cost of compliance. Security and privacy laws, like GDPR and the California Consumer Privacy Act (CCPA), mean that companies must take more responsibility for securing the personal data they collect from their customers and users. Other regulations, like SOX, require companies to employ strict controls on user access to business-critical applications to preserve the integrity of their financial statements. The consequences of a data breach can cause irreparable harm to a company, including fines, penalties, reputational damage, and loss of customers.
Protecting Company Data
There is no single solution that will protect all of the company's data assets from internal and external threats. Similarly, no single solution will make a company compliant with all regulations. However, there are steps companies can take today that will go a long way to securing their data.
Companies interested in getting a handle on their security should start by assessing risks to identify where the company is vulnerable to internal and external threats. A risk assessment will look at threats such as:
Based on the results, companies can identify the controls that address their most significant risks, such as separation of duties, controls on user access, access reviews and certifications, and limiting the use of superuser accounts, and quantify the cost savings if these controls are implemented.
Companies should take a risk-based approach to access security by identifying where they are most exposed to internal and external risks. Then, they can develop and execute a plan to address those areas of high-risk exposure.
Where to Start: Getting Executive Buy-in
Successfully addressing these issues across the company requires support from executive management and the board of directors. To get that support, executive leadership must acknowledge that the risks are real and, if exploited, could have an adverse effect on the bottom line. Doing nothing does not save the company money; instead, it perpetuates the existing risks. Often, executives have an "it can't happen here" mentality, and as a result, dedicating time and resources to analyze and properly address information security risks is not a priority. However, we don’t need to look far for examples of prominent companies that have been impacted by lax controls. Just last year, an executive at a prominent media company used his ability to negotiate vendor contracts and initiate vendor payments to pay himself millions of dollars in kickbacks. Real-world examples like this one can help quantify the risk.
For publicly traded companies, compliance with regulations like SOX is required, and the cost of compliance is a growing burden. However, compliance can be a value-added activity for the business with the right executive buy-in and approach. Adopting more automation into the compliance process can help reduce the cost of compliance and the risk of failing an audit.
Building the Foundation
One of the easiest places to start when building a comprehensive information security program is to look at user access and role design in your critical applications. While this step will not address all security and privacy risks, it will provide a solid foundation to build on and can help limit the risk exposure.
Good practices around user access management include ensuring that users get only the access required to do their jobs, that user access is reviewed on a periodic basis, and that access is terminated in a timely manner when an employee leaves the company.
Ensuring that users get the right access to do their jobs can be difficult and often requires companies to build custom roles that are fit for purpose. Two critical principles should be addressed when analyzing user access and role design:
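The access-management practices above (least-privilege roles, separation of duties, periodic review, and timely termination) can be checked mechanically against an export of role assignments. The following Python is an added example, not Fastpath's or Connor Group's code, and the role names, permission strings, SoD rules, and users are constructed sample data; the vendor-create/payment-approve rule mirrors the kickback scenario described earlier.

```python
from datetime import date

# Constructed role-to-permission map; "*" marks a superuser-style role.
ROLE_PERMISSIONS = {
    "AP_CLERK":   {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "CONTRACTS":  {"vendor.create", "contract.negotiate"},
    "SYSADMIN":   {"user.admin", "*"},
}

# Separation-of-duties rules: permission pairs no single user should hold.
SOD_RULES = [
    ("vendor.create", "payment.approve", "can create a vendor and pay it"),
    ("user.admin", "payment.approve", "can grant own access and approve payments"),
]

# Constructed application-access export joined with HR data:
# user -> (assigned roles, HR termination date or None if still employed).
USERS = {
    "alice": ({"AP_CLERK"}, None),
    "bob":   ({"AP_CLERK", "AP_MANAGER"}, None),
    "carol": ({"CONTRACTS"}, date(2023, 1, 15)),
    "dave":  ({"SYSADMIN"}, None),
}

def effective_permissions(roles):
    """Union of permissions across all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def has(perms, perm):
    # A wildcard permission satisfies every rule, so superusers always conflict.
    return perm in perms or "*" in perms

def sod_conflicts(users=USERS, rules=SOD_RULES):
    """Users whose combined roles violate a separation-of-duties rule."""
    findings = []
    for user, (roles, _) in sorted(users.items()):
        perms = effective_permissions(roles)
        for a, b, why in rules:
            if has(perms, a) and has(perms, b):
                findings.append((user, a, b, why))
    return findings

def stale_accounts(users=USERS, today=date(2023, 3, 1), max_days=7):
    """Accounts still present in the export more than max_days after HR termination."""
    return [u for u, (_, term) in sorted(users.items())
            if term is not None and (today - term).days > max_days]

def superusers(users=USERS):
    """Accounts holding a wildcard permission, for the superuser review."""
    return [u for u, (roles, _) in sorted(users.items())
            if "*" in effective_permissions(roles)]
```

Running the three checks against a real export gives the access-review packet an auditor expects: SoD violations with the reason, accounts that outlived their owner's employment, and the list of superusers to justify or remove.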
Path to Success
Many companies find the idea of completely securing all their business systems and networks impossible or too constraining on employee productivity. Rather than build a complete solution all at once, companies should evaluate their security exposure and fix the high-risk exposure areas first. It would be impossible for most companies to eliminate all risks completely. Still, understanding where the highest risks exist and building compensating controls to manage them will resolve the most significant risks.
Flexibility and customization can also play a large role in succeeding with new network and business application security policies. When developing a new policy or evaluating the use of a new tool to help facilitate application access hardening, it pays to take the extra step to assess end-user habits, daily use patterns of application access, and the practical requirements across finance and accounting teams. Doing so not only provides first-hand insights to help design an optimized policy but will also allow users to feel a sense of ownership over the new policy, thereby increasing the chances of full adoption.
Fastpath and Connor Group Can Help
Fastpath is an automated tool that helps companies control user access to the most sensitive information in their ERP, CRM, and HCM applications. Fastpath can help:
Tools like Fastpath can help automate security processes and test for security issues, which also helps meet SOX's audit and compliance requirements. These tools monitor who has access to your applications, who can bypass controls, and where the most significant vulnerabilities exist.
Connor Group is a specialized professional services firm that helps companies with IPO and SOX readiness. Connor Group is a trusted Fastpath partner and works with clients to perform application security risk assessments and to implement Fastpath. Connor Group brings the experience to help clients remediate the user access, role design, and permission assignment issues identified through Fastpath by designing and helping to implement appropriate and practical risk-mitigating processes and controls.
Protection for the Future
Companies must protect their business data and intellectual property from external and internal risks.
Quantifying the risk of internal fraud, including the costs of doing nothing, will help motivate executive leadership to address the company's security vulnerabilities proactively.