The Perfect Storm for Insider Threats
It’s no secret that the economic downturn has forced record numbers of layoffs, mergers, acquisitions, and divestitures. Combine all this corporate restructuring with restricted IT budgets and other strained resources and you get what SailPoint Technologies is calling a “perfect storm” for fraud and theft from employees.
In a survey conducted in April 2009, SailPoint asked 125 companies about their approach to identity governance and their concerns regarding insider threats. Not surprisingly, 86% of those polled said they are concerned about insider threats. (Among the healthcare and insurance companies who responded, virtually all (99%) are concerned about this type of threat.) A mere 14% of companies participating in the survey feel they have adequate controls in place to address the risk associated with fraud and theft from employees.
The problem is multifaceted. First, as I have posted about before, companies aren’t allocating adequate resources to risk management. About 50% of the companies in the SailPoint survey either have no IT risk management activities or underfund them. In addition, identity governance has its own unique set of requirements for access controls among employees, partners, and customers. Of the 125 companies in the survey, 28% admitted they lack critical access controls and could be more exposed to security breaches than they think. Another 20% said it’s simply a matter of time before an internal breach occurs at their company.
“The survey showed that companies lack the necessary transparency to adequately manage worker access to sensitive data and applications,” says Jackie Gilbert, SailPoint’s vice president of marketing and cofounder. “Since we conducted our first survey last November, close to half of our respondents have undergone major layoffs. In light of this heightened risk, ‘what you don’t know’ can have real consequences on businesses, and executives are starting to realize that. Our survey clearly showed that executives are rightfully concerned, and I suspect we’ll see a more disciplined risk management approach for user access control in the coming months.”









