Insider Risk Management
Posted by Robbie Forkish on Fri, Aug 28, 2009
I recently ran across a study from IDC on insider risk management that was based on a survey of over 400 respondents in the U.S. and Europe; CIOs and heads of IT accounted for 71% of respondents. The survey had some interesting findings regarding the sources of insider risk and where to invest in order to best manage those risks.
The majority of respondents (52%) characterized their incidents arising from insider threats as predominantly accidental, while only 19% believed they were deliberate. Of course the costs related to disclosure of sensitive information are the same whether the incident was deliberate or not: failed audits, regulatory actions and fines, brand erosion, legal fees, lost employee productivity, and lost customers.
A key finding of the study was:
Out of date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.
If insider risk management is measured in terms of its financial impact, then this is the most urgent problem to address -- and the one with the best ROI.
This finding with regard to out of date and/or excessive privilege and access control rights is consistent with the Deloitte survey, which reported that excessive access rights (a different term for the same risk phenomenon) was the top "internal/external audit finding over the past 12 months"-for the second year in a row. And as IDC points out, since this is a requirement across all major regulatory frameworks, a company with excessive access rights could fail multiple audits including SOX, EU privacy laws, HIPAA and PCI.
What causes this high rate of excessive access rights? IDC reports that "contractors and temporary staff represent the greatest internal risk" for companies. And the vertical segment with the highest rate of incidents, due to provisioning/deprovisioning delays, was IT outsourcing.
Here's the ranking of average number of internal incidents per year, by incident type:
Excessive privilege/access control rights -- what Deloitte calls excessive access rights -- ranked third behind negligence and internal malware/spyware attacks. But two additional incident types are merely different manifestations of the same fundamental issue: Data loss through external attacks by previous employees is enabled due to rights that were not deprovisioned in a timely fashion upon termination; and exposure through provisioning/deprovisioning delays is the most prevalent cause of excessive access rights. If we add the three incident types together -- excessive privilege, attacks by previous employees, and deprovisioning delays -- it's by far the greatest source of internal risk, accounting for over 35 incidents per year on average.
Consistent with this point, IDC made a rather shocking revelation:
In years past, IDC has estimated that as many as 60% of all accounts on most systems are expired.
This would suggest that, if IDC estimates are anywhere close to the actual level of dormant accounts, there's a ticking time bomb out there just waiting to be exploited by an insider or discovered by an auditor.
This is why Cloud Compliance has focused on the problem of excessive access rights, excessive privilege/access control rights, and deprovisioning delays. Our Identity and Access Assessment (IdAA) solution detects excessive access rights and other access control vulnerabilities through innovative, cloud-based analytics; our solution also provides tools for root cause identification and remediation. All of this is accomplished with no appliances or enterprise software to install and maintain, no professional services to manage, and with no upfront capital expenditure required.