
Time is of the essence: How reactionary access risk management can lose you money and reputation

Authored by Cameron Wilson, Product Marketing Manager

Even though the pandemic made it feel like time is a flat circle, this is not true, especially regarding access controls, for which timing is vital. So what are access controls, you ask? Access controls certify authentication (users are who they state they are) and authorization (they have suitable access to company data).

When protecting themselves from fraud and breaches and maintaining a zero trust environment, too many companies address this crucial part of Identity Security only during an audit. Strong access controls are imperative to preventing risks from becoming realized.

This imperative was codified in 2002 when, after a slew of financial reporting scandals, the government passed the Sarbanes-Oxley (SOX) Act. Section 404 of the Act states that companies must implement the right level of controls to ensure that the data feeding the financials is complete and accurate, with the overarching goal of protecting investors. An essential requirement of SOX 404 was to implement IT General Controls (ITGC). There are four main sections: Access Controls, Change Management, Operations, and End User Computing.

The lynchpin of ITGC is access controls. Access controls are only adequate if you can trust the data reported to shareholders, making the ITGC environment reliable.  

Even with SOX 404 implemented, companies often come late to these critical governance controls – and pay the price. The numbers are alarming indeed: 

But it’s only when you see the impact of actual breaches that you can grasp the severity of lacking access controls. For example, in 2021, a corporate executive was sentenced to 70 months in prison for conducting a $30 million embezzlement scheme by writing checks to himself from company accounts and then transferring those funds to his accounts. This fraud could have been avoided if his company had adequate access controls.

Indeed, the sooner a company identifies risk, the less it will cost. For example, according to a Ponemon 2020 Cost of Insider Threat report, an insider incident discovered in less than 30 days costs $7.12 million. Still, if not found within 90 days, the cost is $13.71 million.

How can your company protect itself proactively? 

ARMing your Identity Security  

With threats abounding and time being of the essence, it is necessary to bolster your identity security environment with effective and robust access controls. SailPoint’s Access Risk Management (ARM) is a powerful tool for combating access risk. No ERP Access Control product is as easy to implement with the same rapid time to value. Because ARM is entirely cloud-based and automated, you can be up and running in 60 minutes or less. Compare that to on-prem solutions that can take weeks to implement. One feature of ARM that is particularly crucial to mitigating risk is our Separation of Duties (SoD) capability, which improves compliance and gives you complete confidence in managing SOX requirements. In addition, our Emergency Access Management (EAM) feature provides seamless control over elevated access requests.

These are a couple of the critical components of ARM that will help you protect your company’s bottom line and reputation. Do not leave access risk to chance. Protect the perimeter while securing the interior. 

Are you interested in learning more about Access Risk Management? Check out our product sheet and learn how ARM can proactively protect you from risk.  

