Imagine a castle fortified with locked doors. Sounds secure, right? What if you left the keys in the locks? Alternatively, imagine that you could not remember who has the keys. That is one outcome that results from inadequate access governance. Before we go any further, let’s make sure we are on the same page with an access governance definition.
What Is Access Governance?
As per Network World:
Access governance is best described as “governing who has access to what within an organization.”
This short definition illustrates three critical aspects of the practice. First, you need an oversight and control element (i.e., governance). Second, you need a list of users to govern (i.e., the “who”). Finally, you need to know what systems and resources are in scope (i.e., the “what”). With that definition in mind, let’s take a look at the consequences of access governance failure.
1) Lost Time Due to Manual Processes and Rework
What happens to your managers and employees when access governance fails or operates inconsistently?
In a word: rework. Your employees will get “reminder” emails from IT or security telling them to carry out access governance again and again. Nobody wins in this scenario: IT is seen as the “cop,” and everybody else is forced to redo work.
Lost work time due to reworking access governance is just one part of the story. The other part of the story is the message it sends to employees. Poor access governance tells them that security practices are not a high priority for the company. That is not the message you want to send to your employees.
2) More Audit Findings to Manage
You want to run your business, make sales, and keep growing. If access governance fails, you are going to face another roadblock: audit findings. In fact, there are two specific ways that access governance audit issues can hurt you.
Your auditors may recommend a complete review of your internal controls relating to technology. After all, it is likely that weak access controls are a symptom of inadequate security controls. For managers, this review may take a great deal of time as you review documents, sit through intense meetings, and work to make sure no stone is left unturned. To be fair, you will benefit from improving your security program.
For your career, access governance audit findings may hurt you further. Why? In large companies like banks, auditors send their reports to executives and expect to see action plans to address the findings. If your department is found deficient in management oversight, executives will wonder about your management capabilities. Nobody wants to face that kind of awkward conversation.
3) Increased Fraud Risk
When access governance fails, fraud and theft become more likely. For example, a disgruntled employee may take a customer list with them when they move to a competitor. A Washington Post article found that employee data theft (or inappropriate access) was a serious problem:
Nearly 60 percent of employees who quit a job or are asked to leave are stealing company data, according to a report by the Ponemon Institute, a Tucson-based research group. [Based on] interviews with 945 adults who were laid off, fired or changed jobs in the last year.
Sixty-five percent of those who took data from their former employer grabbed e-mail lists. The next most frequently stolen data included non-financial business information (45 percent), customer contact lists (39 percent), employee records (35 percent) and financial information (16 percent).
When you count the costs, they start to add up. Lost customers directly hurt revenue. Other lost data can damage the company’s reputation in more subtle ways. Fraud is a difficult problem to eliminate. Implementing effective access governance matters because it makes fraud and data loss much less likely.
4) Increased Risk of Employee Errors
Earlier, we covered the rework problems caused by access governance failures. In fact, access governance failure causes another productivity loss: employee errors.
This problem often arises when employees change job roles. Let’s say you have an ambitious, hard-working customer service representative. They have studied coding on their own to grow their value and they successfully land a software job. However, if that newly promoted person keeps their old access privileges — like access to live customer data — errors could result. If the developer runs an experimental program on their computer, they might accidentally run it against live customer data and corrupt a database. You can avoid this kind of expensive failure.
The final consequence of access governance failure is coming up next:
5) Increased Risk of Malware, Hacking, and Other Cybersecurity Incidents
Remember the Titanic? The ship had watertight compartments. Therefore, it could keep sailing even if one section flooded. It is a great feature that saved some lives in the disaster. Poor access governance is akin to dismantling those watertight compartment doors: you will be flooded with cybersecurity incidents much more quickly.
Let’s connect the dots between an access governance failure and a cybersecurity incident:
A hacker manages to break into a junior employee’s user account. By taking control of that person’s computer, they can gain access to nearly every other system in the company. Before you know it, you are facing an expensive ransomware demand.
After the cybersecurity incident is resolved, executives will ask IT to explain the incident. In all likelihood, poor access governance will be part of the cause.
The Way Forward to Better Access Governance
Failing in access governance is no longer acceptable. How can you avoid these problems? Start by reviewing your identity and access management program. In our experience, several components need to be in place to achieve a secure solution. You need training for employees, easy-to-follow processes, and software to automate the activity.
To avoid lost productivity and audit problems, look closely at a solution like Compliance Auditor. With the IT audit compliance history feature, painful audits will be gone — simply send the reports to your auditors. Employee errors and hackers are not going away anytime soon — what will you do to prevent access governance failures this year?