And itís pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT eventually catches up with you and itís impossible to hide the tell tale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. And the result is that eventually if you donít take steps to control things you will be caught out. Like a bad nose job, or the untrimmed nostril, you will get caught out.
If most us are honest with ourselves we complain about the nanny state banning everything that is bad for our health but deep inside we know that many things are probably for our own good. And in the same way we complain about the increasing interference in our private IT worlds of controls and regulatory compliance but deep down we know that internal controls for privileged user access rights and controls has been abandoned, or in many cases only given lip service in many organisations, and these controls are bringing us face to face with results of years of neglect.
And the result is that weíre risk being hacked either by thrill seekers, the curious, or the downright vindictive employee. Independent research clearly shows that a lack of improper segregation of duties, failure to control users with superuser access to files in production systems, failure to secure data in applications, a lack of processes coupled with a lack of reconciliation of these processes to the IT systems used, and a failure to secure access to operating systems and databases that support corporate financial applications and transactions, are the prime cause of most breaches and compliance failures.
The increase in computer-related theft and fraud is forcing the issue of internal users and privileged access into the open. This is clearly shown by the current case in the US courts of the IT executive who is alleged to have used his knowledge of system passwords to hack into a companyís system remotely and accessed emails and other information. And the bottom line is that it is simply too easy for people with a limited amount of knowledge to do this. I mean who would expect an IT executive to be able to do this!! Most of us so-called IT executives are considered to be in the Dilbert Managerís category when it comes to understanding bits and bytes, and yet even an IT executive can hack a system today with the tools that are so easily available.
So there is a challenge for you as a security officer, or as an internal auditor Ė face up to the fact that the sooner you deal with the organisational grooming, the better for all concerned. So today, every organization should take the security of their systems and applications seriously. Start by ensuring that you have effective policies and procedures in place to control privileged access to every system, including your workstations, and applications, and make sure that you can enforce them.
And remember that regulations do not make allowances for unintentional errors, just as speed cameras are not able to differentiate between the accidental speeding granny and the Jensen Button wanabee. Human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. So here are a few suggestions when you have a look at these policies and procedures.
Policies must be realistic Ė The policy must fit the requirements and ensure that the complexity is not such that users are inclined to try and bypass it.