Controlling access requires both a cultural and procedural change, as well as implementing the right technologies to restrict and monitor end-user and administrator access to applications, databases, files and systems. Most IT managers will agree that privileged accounts/access represent the greatest opportunity for fraud to occur in IT systems. However, many privileged users will ask, “Why can’t I have access to all those systems; I always have in the past?” This is precisely the attitude that must change.
Unfortunately, many IT departments are used to lax security (for example, no security measures for “super-user” accounts or using vendor-supplied default passwords because it is easier than setting up the alternatives processes and allocating budget). Many organizations do understand the importance of internal security, but just as many would rather not be bothered. If there were not compliance laws being enforced, many companies would likely choose to do nothing and take their chances. But good security breeds compliance, and things like logging activity and controlling access are important to deter fraud as much as they are for compliance (as well as “proof of innocence”).
We’ve heard about some extremely poor security measures that organizations have in place, including: Neglecting to define authentication and role-based access control requirements; neglecting to define security requirements/separation of duties for automated business processes which provides an easy method for insider attack; and neglecting to define requirements for automated data integrity checks, which allowed insiders to carry out their malicious activating knowing their actions would not be detected.
What critical problems can organizations face as a result of not mitigating insider threats?
For one, law suits. These can be very expensive and high-profile, severely damaging a company’s reputation and costing millions of dollars to reconcile. Also, insider threats lead to a significant loss of productivity and revenue through employee sabotage. This is especially true for smaller companies that may never be able to recover from a incident of insider threat.
A third potential problem is the threat to human life. For example, a former Cox Telecom employee recently plead guilty to information technology sabotage, having caused the loss of computer, telecommunications and emergency 911 services for thousands of Cox’s business and residential customers throughout Dallas, Las Vegas, New Orleans, and Baton Rouge, La. The guilty party faces a potential 10-year jail sentence and $250,000 fine, but the future is less certain for Cox. According to the company, services were fully restored and the damage repaired. However, the incident’s affect on Cox’s reputation has yet to be determined.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.