Like many in the industry, this week’s RSA-sponsored IDC report, “Insider Risk Management: A Framework Approach to Internal Security,” caught my eye. The report led with the finding that 52% of the respondents “characterized their incidents arising from insider threats as predominantly accidental.” This in turn triggered a media storm pointing to careless, incompetent or bumbling employees as a major concern. It struck me that the “accidental” theme was a little overplayed in the media, and perhaps even by the organization sponsoring the survey. From a risk management perspective, an inadvertent disclosure of confidential data can be just as damaging to the organization as a malicious data breach. Overall, companies should be looking for ways to mitigate the risk of both intentional and accidental insider incidents through proactive controls and monitoring.
The report goes on to show that internal fraud committed for financial gain ranked lowest in the number of incidents per year reported by the respondents. But it’s important to also note that out of the 11 types of internal breaches reported, those ranked 3rd-6th were: excessive privilege/access control rights; deliberate information security policy violations; unauthorized access to systems and confidential information; and data loss through external attacks by previous employees. Any one of those data breaches could put a company at risk of being non-compliant and could cause major damage to its brand reputation, regardless of whether or not the employee’s intent was to make money by compromising the data. Particularly in an environment of high churn, many disgruntled employees simply want to create headaches for their employer (or former employer).
IDC asked companies to report on the financial impact of each internal incident. The respondents in the United States reported an average cost of about $750,000 and UK respondents pegged the cost at about $575,000. That’s no small chunk of change! IDC emphasizes that “out-of-date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.” Those two categories of access privileges – orphaned accounts and entitlement creep – are chinks in a company’s risk management armor.
The good news is that identity governance tools can identify and remediate them quickly. On average, our customers find that 20-35% of user access rights detected are inappropriate when they conduct an identity audit with our 30-day Identity Risk Assessment offering. Eliminating the “low-hanging fruit” for internal breaches is the first step toward proactively managing IT risk. It also minimizes the possibility of accidental data breaches through incorrect access rights. If you haven’t taken a deep look at your company’s enterprise identity data recently, I’d encourage you to do so. A potential $750,000 incident is simply too costly to ignore.
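To make the two categories concrete, here is an added example (not from the post, IDC, or any vendor's product) of the core check an identity audit performs: accounts whose owner is no longer an active employee are orphaned, and entitlements beyond what the owner's current role needs are entitlement creep. The HR roster, role baseline and account export are constructed sample data; real runs would pull them from the HR system and each application.

```python
"""Identity audit: flag orphaned accounts and entitlement creep.

Added example with constructed data; the role names, entitlement strings
and account ids are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    owner: str                      # HR employee id, "" if none recorded
    entitlements: set = field(default_factory=set)


# Constructed HR data: employee id -> current job role.
ACTIVE_STAFF = {"e100": "ap_clerk", "e101": "ap_clerk", "e102": "ap_manager"}
TERMINATED_STAFF = {"e099"}         # left the company; accounts should be gone

# Role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "ap_clerk": {"erp.invoice.read", "erp.invoice.create"},
    "ap_manager": {"erp.invoice.read", "erp.invoice.approve", "erp.vendor.edit"},
}

# Constructed account export from an ERP application.
ACCOUNTS = [
    Account("erp-100", "e100", {"erp.invoice.read", "erp.invoice.create"}),
    # e101 moved from manager to clerk; the approve right was never revoked
    Account("erp-101", "e101", {"erp.invoice.read", "erp.invoice.create", "erp.invoice.approve"}),
    Account("erp-102", "e102", {"erp.invoice.read", "erp.invoice.approve", "erp.vendor.edit"}),
    Account("erp-099", "e099", {"erp.invoice.read"}),   # owner terminated
    Account("svc-batch", "", {"erp.invoice.create"}),     # no owner on record
]


def audit(accounts, active, terminated, baseline):
    """Return ({orphaned account id: reason}, {account id: excess entitlements})."""
    orphaned, creep = {}, {}
    for acct in accounts:
        if acct.owner not in active:
            orphaned[acct.account_id] = (
                "owner terminated" if acct.owner in terminated else "no active owner")
            continue
        extra = acct.entitlements - baseline.get(active[acct.owner], set())
        if extra:
            creep[acct.account_id] = extra
    return orphaned, creep


def inappropriate_share(accounts, orphaned, creep):
    """Fraction of all granted entitlements the audit flagged as inappropriate."""
    total = sum(len(a.entitlements) for a in accounts)
    flagged = sum(len(a.entitlements) for a in accounts if a.account_id in orphaned)
    flagged += sum(len(e) for e in creep.values())
    return flagged / total if total else 0.0
```

Remediation follows directly from the findings: disable or reassign the orphaned accounts and revoke the excess entitlements, then re-run the audit on a schedule so that role changes and departures do not accumulate again.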