<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SailPoint Identity Quotient &#187; Insider Threats/Security Breaches</title>
	<atom:link href="http://blog.sailpoint.com/category/insider-threats/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.sailpoint.com</link>
	<description>The measure of all things identity</description>
	<lastBuildDate>Wed, 25 Aug 2010 22:17:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>2010 Market Pulse Survey: Moral Grey Area Exposes Companies to Data Theft</title>
		<link>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/</link>
		<comments>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 22:17:40 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[IdM]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=369</guid>
		<description><![CDATA[SailPoint recently announced the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:

Half of the respondents said they would take company data with them when leaving a job. A full 27% [...]]]></description>
			<content:encoded><![CDATA[<p>SailPoint recently <a href="http://www.sailpoint.com/news/press/press-release.php?release=70">announced</a> the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:</p>
<ul>
<li>Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.</li>
<li>Interestingly, only 16% said they would take office supplies with them.</li>
<li>49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.</li>
<li>Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.</li>
</ul>
<p>For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing”. I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.</p>
<p>So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.</p>
<p>At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s <a href="http://www.sailpoint.com/product/">IdentityIQ</a>, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also ensures that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and it provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.</p>
<p>What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand <a href="http://www.sailpoint.com/news/irm-webinars.php">webinars</a> (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2<sup>nd</sup> edition of our <a href="http://sailpoint.mv.treehousei.com/Surveys/28/7315BBA1963B663C/index.aspx?dlid=HADV4Q7CTT3CG">Identity Governance Buyer’s Guide</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/08/2010-market-pulse-survey-moral-grey-area-exposes-companies-to-data-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Underestimate the Risk of Privileged Users</title>
		<link>http://blog.sailpoint.com/2010/06/don%e2%80%99t-underestimate-the-risk-of-privileged-users/</link>
		<comments>http://blog.sailpoint.com/2010/06/don%e2%80%99t-underestimate-the-risk-of-privileged-users/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 21:58:21 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[User Access Control]]></category>
		<category><![CDATA[Cyber-Ark]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[Privileged Users]]></category>
		<category><![CDATA[PUM]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=346</guid>
		<description><![CDATA[A few weeks ago, I was out on the West Coast talking to companies about privileged user management and identity governance with our technology partner, Cyber-Ark. This is an area of real concern for lots of organizations &#8211; and rightfully so. During our meetings, we exchanged real-world &#8220;horror stories&#8221; about insider fraud and sabotage. One [...]]]></description>
			<content:encoded><![CDATA[<p>A few weeks ago, I was out on the West Coast talking to companies about privileged user management and identity governance with our technology partner, <a href="http://www.cyber-ark.com/">Cyber-Ark</a>. This is an area of real concern for lots of organizations &#8211; and rightfully so. During our meetings, we exchanged real-world &#8220;horror stories&#8221; about insider fraud and sabotage. One of the most interesting ones was a case that went to trial last year in Texas. This <a href="http://www.computerworld.com/s/article/9135689/IT_exec_who_sabotaged_organ_donation_records_sentenced">case</a> clearly illustrates the challenge of putting in place appropriate controls over privileged user access.</p>
<p style="padding-left: 30px;">The IT director of a nonprofit organ donor center serving more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she had previously set up without anyone&#8217;s knowledge.</p>
<p style="padding-left: 30px;">Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company&#8217;s organ donor database server and main accounting server. Over the next several hours, she deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers &#8211; making it impossible to identify the individual files and applications she deleted.</p>
<p>What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she previously had access. So what more could a company do to prevent incidents like this? Here are some ideas:</p>
<ul>
<li>Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.</li>
<li>Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans”, and duplicate accounts (an employee with more than one account on the same system) can be flagged for immediate remediation.</li>
<li>Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.</li>
<li>Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.</li>
</ul>
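<p>The first three ideas above are one reconciliation loop: correlate every account export to the HR system of record, flag what does not fit, and hand the supervisor a complete list when status changes. The following is an added example of that loop in Python; it is not SailPoint or IdentityIQ code, and the roster, system names, login names and the <code>Account</code>/<code>HR_ROSTER</code> structures are all constructed for illustration. It uses the post’s own definitions: an orphan is an account with no active HR owner, a duplicate is one employee holding two accounts on the same system.</p>

```python
"""Identity reconciliation against the HR roster.

Added example (not SailPoint code): join per-system account exports to the
HR system of record, flag orphan and duplicate accounts, and produce the
access review a supervisor would get when an employee's status changes.
All roster and account data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str                 # target system the export came from
    name: str                   # login name on that system
    owner_id: Optional[str]     # HR employee ID it correlates to, None if unknown
    privileged: bool = False    # admin / root-style account


# Constructed HR roster: employee ID -> (display name, employment status).
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "E100": ("IT Director", "terminated"),
    "E101": ("DB Admin", "active"),
    "E102": ("Analyst", "active"),
}

# Constructed account exports, one row per account per system.  The VPN
# account has no correlated owner: nobody in HR "owns" it, which is the
# blind spot in the case described above.
ACCOUNT_EXPORTS: List[Account] = [
    Account("donor_db", "itdirector", "E100", privileged=True),
    Account("accounting", "itdirector", "E100"),
    Account("vpn", "remote-support", None, privileged=True),
    Account("donor_db", "dbadmin", "E101", privileged=True),
    Account("accounting", "dbadmin", "E101"),
    Account("accounting", "dbadmin-old", "E101"),   # second account, same system
    Account("donor_db", "analyst", "E102"),
]


def is_active(owner_id: Optional[str], roster: Dict[str, Tuple[str, str]]) -> bool:
    """True only when the owner is a known, currently active employee."""
    return owner_id is not None and roster.get(owner_id, ("", ""))[1] == "active"


def find_orphans(accounts: List[Account], roster: Dict[str, Tuple[str, str]]) -> List[Account]:
    """Orphans: accounts that do not map to an active HR record, whether
    because no owner could be correlated or because the owner has left."""
    return [a for a in accounts if not is_active(a.owner_id, roster)]


def find_duplicates(accounts: List[Account]) -> Dict[Tuple[str, str], List[str]]:
    """Duplicates: one employee holding more than one account on the same
    system.  Returns {(owner_id, system): [login names]}."""
    by_owner_system: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for a in accounts:
        if a.owner_id is not None:
            by_owner_system[(a.owner_id, a.system)].append(a.name)
    return {k: v for k, v in by_owner_system.items() if len(v) > 1}


def access_review(owner_id: str, accounts: List[Account]) -> List[Tuple[str, str, bool]]:
    """Everything correlated to one identity across all systems, as
    (system, login, privileged) rows sorted by system."""
    return sorted((a.system, a.name, a.privileged) for a in accounts if a.owner_id == owner_id)


def on_status_change(owner_id: str, new_status: str,
                     roster: Dict[str, Tuple[str, str]],
                     accounts: List[Account]) -> List[Tuple[str, str, bool]]:
    """Termination/transfer hook: record the new status and return the review
    the supervisor must act on.  Anything not in this list was never
    correlated to the employee and will only surface in the orphan scan."""
    name, _ = roster[owner_id]
    roster[owner_id] = (name, new_status)
    return access_review(owner_id, accounts)


if __name__ == "__main__":
    for a in find_orphans(ACCOUNT_EXPORTS, HR_ROSTER):
        print("ORPHAN   ", a.system, a.name, "(privileged)" if a.privileged else "")
    for (owner, system), names in find_duplicates(ACCOUNT_EXPORTS).items():
        print("DUPLICATE", owner, system, names)
    for row in on_status_change("E100", "terminated", HR_ROSTER, ACCOUNT_EXPORTS):
        print("REVIEW   ", *row)
```

<p>Run as a script it prints three orphans (the two accounts still held by the terminated director plus the uncorrelated VPN account), one duplicate pair on the accounting system, and a two-row termination review. The point worth noticing is that the VPN account never appears in the review: a status-triggered review can only list what correlation already attributed to the person, so the orphan scan over uncorrelated and ex-employee accounts is the control that actually catches the self-provisioned back door.</p>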
<p>Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be <a href="http://www.sailpoint.com/news/press/press-release.php?release=53">imported</a> into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.</p>
<p>How do you manage the access rights of privileged users?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/06/don%e2%80%99t-underestimate-the-risk-of-privileged-users/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What’s the Most Direct Path to Good Corporate Governance?</title>
		<link>http://blog.sailpoint.com/2010/05/corporate-governance/</link>
		<comments>http://blog.sailpoint.com/2010/05/corporate-governance/#comments</comments>
		<pubDate>Wed, 05 May 2010 13:35:25 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Basel II]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[MAR 2010]]></category>
		<category><![CDATA[Model Audit Rule]]></category>
		<category><![CDATA[NERC CIP]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[TJX]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=336</guid>
		<description><![CDATA[Last week’s oil spill has me thinking about how – and when – government regulation is the ideal path to mandate corporate governance. Specifically in the IdM space, I’ve watched government regulations evolve to address transparency, privacy and consumer data protection. As I look back at what’s happened, it’s apparent that most of these data [...]]]></description>
			<content:encoded><![CDATA[<p>Last week’s oil spill has me thinking about how – and when – government regulation is the ideal path to mandate corporate governance. Specifically in the IdM space, I’ve watched government regulations evolve to address transparency, privacy and consumer data protection. As I look back at what’s happened, it’s apparent that most of these data protection regulations were put in place to deal with the fact that, left to their own devices, most enterprises do not invest adequately to protect privacy, prevent fraud, or effectively manage risk. (It’s interesting to note that the negligence of a small group of companies has had a significant impact on the market as a whole.) This appears to be what happened in the case of such well-known regulatory efforts as SOX, HIPAA, MAR, PCI, NERC CIP, Basel II, etc. The foundational belief is that government, or in some cases, industry, must mandate action in order to motivate the right behavior from companies.</p>
<p>But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of <em>proving</em> compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.</p>
<p>The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don&#8217;t always affect revenue or stock prices. The <a href="http://advice.cio.com/node/681">TJX data breach</a> was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX&#8217;s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, <a href="http://www.computerworld.com/s/article/9057758/One_year_later_Five_takeaways_from_the_TJX_breach">TJX reported</a> that comparable-store sales increased 4%.</p>
<p>We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?</p>
<p>What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/05/corporate-governance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feet on the Street: RSA Highlights Cloud and Cybersecurity</title>
		<link>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/</link>
		<comments>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 16:04:20 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=310</guid>
		<description><![CDATA[This week, several members of the SailPoint team made the annual trek to the industry&#8217;s biggest security event, the RSA Conference. As always, the conference was a high-paced mix of conference sessions, technology debates, and meetings with customers and partners.
I’m always interested in what themes get the most play at RSA. This year, I’d have [...]]]></description>
			<content:encoded><![CDATA[<p>This week, several members of the SailPoint team made the annual trek to the industry&#8217;s biggest security event, the <a href="http://www.rsaconference.com/index.htm">RSA Conference</a>. As always, the conference was a high-paced mix of conference sessions, technology debates, and meetings with customers and partners.</p>
<p>I’m always interested in what themes get the most play at RSA. This year, I’d have to say that “the cloud” wins the contest hands-down. Cloud computing was ubiquitous – a centerpiece of most keynote addresses, a feature on booth signage throughout the show floor, and not surprisingly, the butt of quite a few jokes (example: let’s do a tequila shot every time we hear the word “cloud”).</p>
<p>In the show’s opening keynote, RSA’s CEO Art Coviello declared cloud computing “the most over-hyped but underestimated phenomenon in history” (borrowing a phrase from <a href="http://en.wikipedia.org/wiki/Nicholas_Negroponte">Nicholas Negroponte</a>). Coviello went on to say that cloud computing presents us all with the rare opportunity for a “do over” – to be present at the rollout of a new wave of computing with security built-in from the get go. I have to admit I raised my eyebrows at this turn of phrase. I predict that the evolution toward cloud computing will be moderated and incremental – and not a “do over” by anyone’s definition.</p>
<p>Another interesting observation about this year’s show is the continued (and perhaps even bigger) blend of public and private sector speakers. Past years’ shows have featured Michael Chertoff, Melissa Hathaway, and Al Gore. This year’s speakers included Secretary of Homeland Security Janet Napolitano, <a href="http://en.wikipedia.org/wiki/Howard_Schmidt">Howard Schmidt</a>, the U.S. cybersecurity coordinator <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/12/21/AR2009122103055.html">appointed</a> by President Obama in December, and Robert Mueller, director of the FBI. On Tuesday, Schmidt presented a keynote address and hosted a heavily-attended town hall meeting. In both of these venues, he conveyed a very measured and pragmatic approach to addressing the cybersecurity responsibilities of the federal government. He said more than once “there is no silver bullet.”</p>
<p>During an entertaining Q&amp;A session with the audience, Schmidt revealed the following about his agenda:</p>
<ul>
<li>He’s not a proponent of more regulation to drive better security practices. The one exception he mentioned was the area of data breaches (where there is <a href="http://blog.sailpoint.com/2009/12/u-s-data-security-laws/">pending legislation</a>).</li>
<li>He assured the audience that any measures taken by the Fed will respect privacy and civil liberties issues.</li>
<li>He admitted that the Federal Information Security Management Act (FISMA) is archaic and needs to be changed. He mentioned that some changes are being rolled out this year.</li>
<li>He believes that we, as a society, are making real progress with cybersecurity. He pointed out that there are fewer devastating attacks and service disruptions than in previous years.</li>
</ul>
<p>Unfortunately, Schmidt’s position is made all the more challenging by the bureaucracy and interest groups he will have to navigate in Washington – it’s not just a matter of fixing problems and fighting the bad guys. On a positive note, the amount of focus being put on the issue of cybersecurity at the federal level can only be a good thing.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/03/rsa-conference-highlights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Market Pulse Survey: Divide Between Business and IT Persists</title>
		<link>http://blog.sailpoint.com/2010/01/market-pulse-survey/</link>
		<comments>http://blog.sailpoint.com/2010/01/market-pulse-survey/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 20:12:55 +0000</pubDate>
		<dc:creator>SailPoint</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[Market Pulse Survey]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=297</guid>
		<description><![CDATA[We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence business users involved in these processes don&#8217;t fully understand what they are [...]]]></description>
			<content:encoded><![CDATA[<p>We recently conducted our third Market Pulse Survey, which focused on the key drivers of access certifications and how organizations ensure their access privileges align with business policy. According to the 150 respondents, including many readers of this blog, there is clear evidence that business users involved in these processes don&#8217;t fully understand what they are certifying. In fact, nearly 75% of the respondents believe business managers don&#8217;t understand the technical descriptions of the access privileges they certify.</p>
<p>Additional key findings from the survey include:</p>
<ul>
<li>More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.</li>
<li>42% reported shared responsibility and accountability with business managers for the access certification process.</li>
<li>61% of the respondents report that they use manual or homegrown processes to manage a company&#8217;s access privileges.</li>
<li>Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (a figure similar to the one in our <a href="http://www.sailpoint.com/news/press/press-release.php?release=51">May 2009 Market Pulse Survey</a>).</li>
</ul>
<p>The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, are available <a href="http://www.sailpoint.com/landing-pages/mp-survey.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2010/01/market-pulse-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Data Security Laws: Is There Another SOX in your Future?</title>
		<link>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/</link>
		<comments>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/#comments</comments>
		<pubDate>Mon, 07 Dec 2009 14:45:07 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=289</guid>
		<description><![CDATA[A recent Forbes feature, &#8220;The Year of the Mega Breach,&#8221; caught my attention last week. It includes a slideshow of 2009’s largest security breaches, and concludes that this year alone, more personal information was exposed through data breaches than ever before. The article appeared amid news about a T-Mobile data breach, and Health Net and [...]]]></description>
			<content:encoded><![CDATA[<p>A recent Forbes feature, &#8220;<a href="http://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches.html?partner=technology_newsletter">The Year of the Mega Breach</a>,&#8221; caught my attention last week. It includes a <a href="http://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches_slide.html">slideshow</a> of 2009’s largest security breaches, and concludes that this year alone, more personal information was exposed through data breaches than ever before. The article appeared amid news about a <a href="http://www.eweek.com/c/a/Security/TMobile-Confirms-UK-Data-Breach-260415/">T-Mobile data breach</a>, and <a href="http://www.hartfordbusiness.com/news11056.html">Health Net</a> and <a href="http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=221601331">Blue Cross Blue Shield</a> admitting to losing patients’ personal information. A quick scan of SC Magazine’s <a href="http://www.scmagazineus.com/the-data-breach-blog/section/1263/">Data Breach Blog</a> reveals more breaches that occurred in November.</p>
<p>In the midst of this publicity storm of insecurity, the U.S. government has stepped up its focus on information security and privacy. Currently, two bills &#8211; the <a href="http://www.nextgov.com/nextgov/ng_20091110_6796.php?oref=topnews">Data Breach Notification Act</a> and the <a href="http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward">Personal Data Privacy and Security Act of 2009</a> &#8211; are making their way through Congress. The Senate Judiciary Committee passed both bills in early November; they are now headed for a full Senate vote. The first bill is designed to protect consumers from having their personal information lost, stolen or exposed (similar to California’s landmark SB 1386 breach notification law). The latter bill establishes guidelines for protecting sensitive information and creates the Office of Federal Identity Protection inside the Federal Trade Commission.</p>
<p>It will be interesting to see whether one or both of the U.S. laws pass. Over the past 5 years, similar legislation has been proposed but failed to pass in the U.S. Congress. Proponents see great benefit in unifying various state breach notification laws into a single national law. Opponents fear the law imposes requirements that are too onerous for businesses to bear, in addition to creating more federal bureaucracy to oversee the mandate.</p>
<p>Given the number and frequency of data breaches, I believe that 2010 could be the year we’ll see a national privacy and security law in the U.S. There are clear benefits to simplifying and standardizing laws around data breach notification. The proposed bill will establish a single national standard to replace the patchwork quilt of state data breach laws (and will provide regulations for the few states that have no such legislation). And it will also establish some pretty stiff enforcements and penalties, which will satisfy those looking for real “teeth” in the law.</p>
<p>I have the least confidence in Congress’ ability to pass the Personal Data Privacy and Security Act. This law is more prescriptive than the Data Breach Notification Act. It would require all companies handling sensitive data to implement specific risk assessment and vulnerability testing measures (including controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while in transit and at rest). It also establishes a new office of the FTC to act as a watchdog.</p>
<p>Because the Personal Data Privacy and Security Act federally mandates security controls, it’s bound to be a lightning rod for debate. No one disagrees that companies need to put in place the necessary controls to prevent security breaches, but there is volatile disagreement over the role of the federal government in forcing companies to comply with specific security practices. Many will invoke Sarbanes-Oxley as an example of the ills of overly aggressive federal regulation of private industry. Proponents will point to the fact that businesses are not doing a very good job at guaranteeing security and privacy left to their own devices.</p>
<p>What do you think? Should laws mandate how companies address and prevent security breaches, or should companies be allowed to address these on their own?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/12/u-s-data-security-laws/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>IDC/RSA Survey Highlights the Cost of Insider Threats</title>
		<link>http://blog.sailpoint.com/2009/08/rsa-idc-report/</link>
		<comments>http://blog.sailpoint.com/2009/08/rsa-idc-report/#comments</comments>
		<pubDate>Fri, 28 Aug 2009 19:55:57 +0000</pubDate>
		<dc:creator>Mark McClain</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[IDC]]></category>
		<category><![CDATA[IdentityIQ]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=239</guid>
		<description><![CDATA[Like many in the industry, this week’s RSA-sponsored IDC report, “Insider Risk Management: A Framework Approach to Internal Security,” caught my eye. The report led with the finding that 52% of the respondents “characterized their incidents arising from insider threats as predominantly accidental.” This in turn triggered a media storm pointing to careless, incompetent or [...]]]></description>
			<content:encoded><![CDATA[<p>Like many in the industry, this week’s <a href="http://www.rsa.com/press_release.aspx?id=10390">RSA-sponsored</a> <a href="http://www.idc.com/">IDC</a> report, “<a href="http://www.rsa.com/solutions/business/insider_risk/wp/10388_219105.pdf">Insider Risk Management: A Framework Approach to Internal Security</a>,” caught my eye. The report led with the finding that 52% of the respondents “characterized their incidents arising from insider threats as predominantly accidental.” This in turn triggered a media storm pointing to careless, incompetent or bumbling employees as a major concern. It struck me that the “accidental” theme was a little overplayed in the media, and perhaps even by the organization sponsoring the survey. From a risk management perspective, an inadvertent disclosure of confidential data can be just as damaging to the organization as a malicious data breach. Overall, companies should be looking for ways to mitigate the risk of both intentional and accidental insider incidents through proactive controls and monitoring.</p>
<p>The report goes on to show that internal fraud committed for financial gain ranked lowest in the number of incidents per year reported by the respondents. But it’s important to also note that out of the 11 types of internal breaches reported, those ranked 3rd-6th were: excessive privilege/access control rights; deliberate information security policy violations; unauthorized access to systems and confidential information; and data loss through external attacks by previous employees. Any one of those data breaches could put a company at risk of being non-compliant and could cause major damage to their brand reputation regardless of whether the employee’s intent was to make money by compromising the data or not. Particularly in an environment of high churn, many disgruntled employees simply want to create headaches for their employer (or former employer).</p>
<p>IDC asked companies to report on the financial impact of each internal incident. The respondents in the United States reported an average cost of about $750,000 and UK respondents pegged the cost at about $575,000. That’s no small chunk of change! IDC emphasizes that “out-of-date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.” Those two categories of access privileges – orphaned accounts and entitlement creep – are chinks in a company’s risk management armor.</p>
<p>The good news is that identity governance tools can identify and remediate them quickly. On average, our customers find that 20-35% of user access rights detected are inappropriate when they conduct an identity audit with our 30-day <a href="http://www.sailpoint.com/campaigns/30days/30d-mailer.html">Identity Risk Assessment</a> offering. Eliminating the “low hanging fruit” for internal breaches is the first step toward proactively managing IT risk. It also minimizes the possibility of accidental data breaches through incorrect access rights. If you haven’t taken a deep look at your company’s enterprise identity data recently, I’d encourage you to do so. A potential $750,000 incident is simply too costly to ignore.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/08/rsa-idc-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Goldman Sachs Tries to Catch a Thief</title>
		<link>http://blog.sailpoint.com/2009/07/goldman-sachs-tries-to-catch-a-thief/</link>
		<comments>http://blog.sailpoint.com/2009/07/goldman-sachs-tries-to-catch-a-thief/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 22:26:38 +0000</pubDate>
		<dc:creator>Darran Rolls</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=209</guid>
		<description><![CDATA[I came to work this morning to read a Bloomberg article, &#8220;Goldman May Lose Millions From Ex-Worker&#8217;s Code Theft,&#8221; about a recent data breach. The details are still coming in, but allegedly a former computer programmer from Goldman Sachs, Sergey Aleynikov, downloaded and stole a copy of proprietary trading software. To me, this is an [...]]]></description>
			<content:encoded><![CDATA[<p>I came to work this morning to read a Bloomberg article, &#8220;<a href="http://www.bloomberg.com/apps/news?pid=20601103&amp;sid=axYw_ykTBokE">Goldman May Lose Millions From Ex-Worker&#8217;s Code Theft</a>,&#8221; about a recent data breach. The details are still coming in, but allegedly a former computer programmer from Goldman Sachs, Sergey Aleynikov, downloaded and stole a copy of proprietary trading software. To me, this is an interesting data breach story. It raises an issue of intellectual property protection that is very hard to address &#8211; how to protect your IP when it is proprietary source code.</p>
<p>The application code in question was unquestionably a significant asset at Goldman Sachs (analogous to Coke&#8217;s secret formula or KFC&#8217;s secret recipe). But protecting that asset is not as simple as locking the formula in a vault. Protecting source code is very difficult. Most systems of source code control wouldn&#8217;t have helped here at all. It&#8217;s really not common practice to provide &#8220;isolation&#8221; in these tools. The average programmer has access to all of an application&#8217;s source in order to build and test just their part of the code. Privileged users like programmers tend to have wide-ranging access to technology assets, so they represent higher risk employees that must be tracked and managed more diligently.</p>
<p>That said, proactively approaching risk management can help organizations prevent this type of offence from taking place. Part of the process of identity governance involves truly understanding &#8220;who has access to what&#8221; and clearly identifying where that access introduces measurable risk. In this case, had Goldman Sachs understood the relationship between Aleynikov&#8217;s access risk posture and his current &#8220;status,&#8221; they may have been able to prevent such an incident from occurring. The good news is they caught him, so something worked &#8211; but we won&#8217;t know for a while how much damage he was able to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/07/goldman-sachs-tries-to-catch-a-thief/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>All’s Fair in Security?</title>
		<link>http://blog.sailpoint.com/2009/05/all%e2%80%99s-fair-in-security/</link>
		<comments>http://blog.sailpoint.com/2009/05/all%e2%80%99s-fair-in-security/#comments</comments>
		<pubDate>Fri, 29 May 2009 14:51:44 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Identity Risk Management]]></category>
		<category><![CDATA[SailPoint]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=183</guid>
		<description><![CDATA[I read an interesting piece in InfoWorld by Roger Grimes, &#8220;A Sweet Solution to the Insider Threat.&#8221; The premise of Grimes&#8217; article is that companies should use computer decoys, or &#8220;honeypots,&#8221; to catch workers attempting to login to resources they have no business reason for accessing.
Honeypots by their very nature are fake computers that nothing [...]]]></description>
			<content:encoded><![CDATA[<p>I read an interesting piece in <a href="http://www.infoworld.com/">InfoWorld</a> by Roger Grimes, &#8220;<a href="http://www.infoworld.com/d/security-central/sweet-solution-insider-threat-922">A Sweet Solution to the Insider Threat</a>.&#8221; The premise of Grimes&#8217; article is that companies should use computer decoys, or &#8220;honeypots,&#8221; to catch workers attempting to login to resources they have no business reason for accessing.</p>
<blockquote><p>Honeypots by their very nature are fake computers that nothing should ever attempt to contact. Their sole purpose in life is to note any connection attempt and report it for immediate investigation &#8230; A honeypot can&#8217;t be guaranteed to catch an internal hacker before any damage is done, but it&#8217;s one of the best chances you&#8217;ll have.</p></blockquote>
<p>The article was particularly interesting to me because it raises a philosophical question about employer trust. No doubt about it, the insider threat is very real. We read about workers committing acts of theft, fraud and sabotage on almost a weekly basis. Given this very real threat, most organizations have put in place security measures and internal controls to reduce the probability of insider threats occurring. But to what lengths should employers go to detect potential fraud?</p>
<p>I can see both sides of this argument:</p>
<p style="padding-left: 30px;">In favor of honeypots: Most companies admit that they can only detect a fraction of all fraud cases. And when fraud is detected, it&#8217;s usually too late. For this reason, an early warning system to detect potential fraud is a good thing. If employees are trolling around trying to access seemingly &#8220;sensitive&#8221; systems, you want to know about it &#8211; before damage is done to real assets.</p>
<p style="padding-left: 30px;">Against honeypots: Creating a honeypot is a form of entrapment that is deceptive and ethically questionable. Furthermore, you can&#8217;t always assume that criminal activity has occurred &#8211; curious employees could be harmless. Perhaps a bigger issue is the legality of monitoring employee activity. In countries with strict privacy laws, such monitoring is illegal, and even in countries where it&#8217;s allowed, it should be part of company policy that is clearly spelled out to all workers.</p>
<p>Perhaps the best approach is a pragmatic one. Companies should focus their energies on proactively protecting critical business assets. This includes a range of preventive and detective controls: limiting user access to what is absolutely required for workers to perform their jobs; limiting the use of shared or privileged accounts; and requiring supervisory review of all access privileges. Monitoring of worker activity should focus first on the actual resources you care about protecting. If you do decide to use honeypots, you should treat them as additional tools in the arsenal &#8211; as supplements to your baseline foundation of controls.</p>
<p>What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/05/all%e2%80%99s-fair-in-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting Real about Transparency: What You Can’t See May Bite You</title>
		<link>http://blog.sailpoint.com/2009/05/marketpulsesurvey/</link>
		<comments>http://blog.sailpoint.com/2009/05/marketpulsesurvey/#comments</comments>
		<pubDate>Tue, 12 May 2009 14:17:59 +0000</pubDate>
		<dc:creator>Jackie Gilbert</dc:creator>
				<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Insider Threats/Security Breaches]]></category>
		<category><![CDATA[SailPoint]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[User Access Control]]></category>

		<guid isPermaLink="false">http://blog.sailpoint.com/?p=171</guid>
		<description><![CDATA[In SailPoint&#8217;s second Market Pulse Survey (announced yesterday), we asked Global 2000 companies about how they are managing IT risk given the economic downturn and resulting corporate churn. Not surprisingly, given the recessionary budgets and resource allocations these companies are facing, the survey showed that companies remain very exposed to the risks of insider threats [...]]]></description>
			<content:encoded><![CDATA[<p>In SailPoint&#8217;s second Market Pulse Survey (<a href="http://www.sailpoint.com/news/press/press-release.php?release=51">announced yesterday</a>), we asked Global 2000 companies about how they are managing IT risk given the economic downturn and resulting corporate churn. Not surprisingly, given the recessionary budgets and resource allocations these companies are facing, the survey showed that companies remain very exposed to the risks of insider threats &#8211; fraud, IP theft, and sabotage.</p>
<p>Here&#8217;s what we learned from the responses of 125 directors of IT at Global 2000 companies:</p>
<ul class="unIndentedList">
<li> Only 14% of organizations feel they have adequate controls in place to address the risk of insider threats.</li>
<li> 57% of companies don&#8217;t have enterprise-wide visibility into their company&#8217;s user access privileges.</li>
<li> Although almost half of the respondents have faced a major layoff in the last six months, 42% of the responding companies do not have the ability to promptly remove user access when a layoff occurs.</li>
<li> Nearly 50% of the respondents either do not have, or underfund, the IT risk management function.</li>
</ul>
<p>My overall takeaway from the survey is that companies simply do not have the transparency they need to effectively manage worker access to sensitive data and applications, especially in this time of escalated business risk (constrained IT budgets, high workforce churn, worker malaise, etc.). Verizon&#8217;s latest data breach study reveals the grim fact that in 2008, <a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf">more electronic records</a> were breached than during the previous four years combined. What caught my interest about that report was the conclusion that mistakes and oversight failures hindered security efforts more than a lack of resources. In other words, budgets are only part of the equation &#8211; a disciplined approach to managing identity risk that includes the right monitoring and controls can go a long way in mitigating the insider threat &#8211; without breaking the bank.</p>
<p>To end on a positive note: there was a glimmer of hope in the SailPoint survey results. I was encouraged to see that two-thirds of the companies now have an IT risk management function within their organizations, even though that function may not be allocated budget. I&#8217;m optimistic that organizations are beginning to put the right level of focus on this issue and are making progress in building transparency and accountability into their identity management strategies.</p>
<p>Stay tuned for our third Market Pulse Survey on this topic later this year. I hope we see progress on many fronts.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sailpoint.com/2009/05/marketpulsesurvey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
