Today’s brutal economy is producing a perfect storm for massive insider threats. Shotgun mergers on a grand scale, which historically would take months of due diligence to complete, are happening over the weekend. Staggering levels of layoffs are being announced weeks before they’re being executed, leaving employees in a state of fear and uncertainty. And, just to give us more heartburn, the talking heads on the nightly news maintain a running dialogue about the economy that bounces between global recession, massive depression and the end of the world as we know it. Good thing we have “American Idol” to distract us… 🙂
This week’s “Miserable Monday” (or migraine Monday) showed the sheer volume of layoffs being announced on a weekly basis. As difficult as those job losses are to process, companies are leaving themselves vulnerable to insider sabotage if they can’t quickly remove access rights associated with those employees. Take, for example, the recent news that a fired Fannie Mae engineer allegedly planted a malware time bomb. His account access wasn’t shut down for almost two weeks after he was fired. I cringe when I hear news like this, because it’s completely foreseeable and entirely preventable.
More than ever before, the issue of good identity governance is a strategic imperative for global companies. It’s critical for these organizations to inventory, analyze and understand the access rights of their employees – and be ready to answer the critical question “Who has access to what?” Surprisingly, most companies, both large and small, can’t answer that simple question. In fact, we surveyed IT managers at Fortune 1000 companies and 66% of the respondents said they couldn’t map out who has access to what if their CIO asked them for it on short notice.
I can appreciate the pressure faced by companies planning major layoffs, but I truly believe that the better a company understands which users have access to critical corporate assets, the better it can realistically understand its potential risks if the organization acquires another company, is acquired by another company, or undergoes a significant downsizing. Whether you’re anticipating a major corporate change or not, I encourage all the customers I see to review their identity governance strategy, making sure they have visibility across their enterprise and can answer that critical question: “Can SOMEBODY tell me who has access to what?”