Mark McClain, CEO and co-founder, SailPoint
It was hardly the crime of the century, but there was certainly a great deal of planning and panache in its execution.
In 2016, a gang of thieves in New York targeted Apple Stores in a series of heists that netted iPhones and other devices to the value of $16,000, simply by strolling into the shops dressed in the famous Apple uniform of branded blue t-shirts and jeans.
In crime, subtlety and disguise is usually a much safer and more effective option than violence and brute force, and the same principle is as true for cyber offences as it is for bank robberies. In effect, these cyber-heists are committed by thieves disguising themselves as legitimate employees, stealing the keys to the company server room and making off before anyone notices there has been a break-in. And unfortunately, as the world becomes ever more connected, it’s becoming increasingly easy for criminals to hide behind a cyber disguise.
For highly regulated industries like finance, government and healthcare, the threat of a cyber-heist is even more real as the implications involve not just the usual financial loss and reputational impact but also potential compliance implications, too. And, with recent research valuing the average cost of a data breach at nearly £700,000 (or $1 million), it’s imperative that organisations like banks continue to protect their sensitive data and applications. The key to that is understanding who within the organisation has access to all of the digital tools, systems and data that keep the company moving forward, and importantly, whether they should have access and how they are using that access.
Identity governance is critical to addressing these three questions, because it helps IT teams manage and govern access for their organisation’s digital identities – or users, which today span across employees, contractors, partners and even software bots. Keeping up with these users and their access is incredibly complex for IT teams and becomes even more so when you think about the number of organisational changes that happen on a daily basis as users join or leave the organisation or change job responsibilities and roles. Failure to manage these changes leaves the door open for hackers. For example, if a user leaves the organisation but their access isn’t properly shut down, this now ‘orphaned’ user account is ripe for the taking by hackers.
These orphaned identities – which have legitimate access but are no longer being used by a current employee – as well as identities that have picked up new entitlements as they change roles or responsibilities, are two of the biggest vulnerabilities to business security today, and these area problem largely of an organisations’ own making. It seems obvious, but it is vital that companies can answer the question of who has access to what information and whether or not they should have that access. Ensuring that all existing and new applications are automatically added to a system that can govern access throughout a user’s career and importantly, revoke access after it’s no longer needed, can achieve this. And it’s not just employees that organisations have to contend with. Today’s business operations rely on other users within the enterprise beyond employees, including contractors, business partners and even software bots – and these users can sometimes be far outside of the traditional corporate firewall. It is for this reason that organisations today need to think of the slew of digital identities that make up the enterprise as the new ‘security perimeter.’
This identity problem isn’t just confined to temporary staff and business partners, however. In many cases, permanent employees can retain their former access privileges long after they have left the company, while internal moves (either through promotion, or horizontally within the organisation) can leave workers with inappropriate access to data and systems. This multiplies the opportunities for criminals to target individuals through social engineering or spear-phishing attempts – in effect, giving the keys to the company safe not just to one security guard, but to every worker on the premises.
It’s apparent that cybersecurity needs to be at the top of the agenda for every business, ensuring visibility into all digital identities– from interns to board members –to govern appropriate access to applications and data. So how can businesses succeed?
Harnessing the power of Identity governance and AI
Identity governance allows organisations to answer the critical questions of who has access to what, who should have access and what they’re doing with that access, addressing exposure points and reducing the risk of a data breach by mitigating the amount of damage hackers can do, if a breach were to occur. This also allows employees to be more efficient and focus on their respective roles with access to the right applications, systems and data to do their jobs – but without putting their organisation at risk.
The latest generations of identity governance solutions are now exploring behaviour analytics through artificial intelligence and machine learning as a new frontier in identity governance. Bank robbers may be adept at disguising themselves as real employees, but they can’t hide their actions, which is why it’s become important that identity governance solutions start to incorporate machine learning to look for unusual activity, including anomalies like a user logging on with unusual frequency; a user downloading large amounts of data from unexpected devices or file storage systems; or a user accessing data and applications at odd or abnormal times.
Enterprisescreatesuch a slew of identity data, including false positive alerts, that it’s nearly impossible for IT teams to process it, let alone identify anomalous behaviour. Adding identity analytics as an extension of existing identity governance programs can take the leg-work out of analysing this mass of data, and with the right identity context, help IT teams identify the proverbial needle in the haystack. With identity analytics, companies can also identify low-risk tasks like access requests that can be automated or allowing certification decisions to be delegated to team managers who have the best overview of what data is required by each employee. This helps organisations not only govern smarter, but govern more efficiently, too.
Technology isn’t the sole solution to the problem though: every organisation needs to get back to ‘identity governance 101’ basics first: identifying who has access to what, and how that access is being used. By harnessing the power of identity governance and then layering in identity analytics, enterprises of all types, including financial institutions, can ensure they not only know who they’re handing the keys to, but what’s being done once the door has been unlocked.