
Loss of control

The ability to govern IT systems has to be of primary importance to any business.

By Mark Eardley, channel manager at SuperVision Biometric Systems.
Johannesburg, 02 Jun 2011

Regulatory compliance is ranked as the primary concern for corporate IT, according to a survey of its members by the Information Systems Audit and Control Association (ISACA).

In terms of achieving compliance, the number one technology challenge reported by respondents relates to segregation of duties and privileged access monitoring.

This challenge comes down to managing and recording who can do what within corporate systems. And that's something that IT really battles with.

Why is this a battle? Because companies cannot identify the people who use their systems.

Basic blemish

IT passwords, 'smart cards' and PINs all suffer from the same fundamental flaw: they authenticate whatever presents them, not the person they were issued to. Anyone who borrows, steals or phishes another person's smart card, PIN or ultra-strong password can use it. And over and over again, cyber villains are capitalising on this fundamental weakness.

But the risks created by traditional credentials extend beyond the prevention of cyber crime. Without the ability to accurately identify IT users and authorise their activities, the policies that direct governance and compliance are perpetually vulnerable to being circumvented.

With incidents of credential-based corporate cyber crime on the rise, the implication has to be that sound governance and compliance need to be based on effective identity management.


The annual reports of all sorts of organisations refer to board-level commitments to implementing best practices in governance. Such commitments are used to reinforce stakeholders' trust in the organisation, and often feature within so-called vision statements.

However, very few corporates - if any - describe themselves as primarily being a secure organisation.

In the aftermath of the recent cyber theft at Sony, the company tacitly admitted it lacked the necessary IT security skills in-house to handle the matter, and was hiring consultants to help it identify and fix the problem.

What's really astounding about this use of external resources is that it now seems the world's largest cyber theft of customer data was perpetrated by villains who faced no major obstacles, because of known flaws in obsolete versions of Sony's security software.

Who's to blame?

As the losses caused by unauthorised IT access continue to escalate, is it governance, compliance or security that is failing to assure probity within organisations around the world? For example, where does corporate responsibility lie for Sony's losses relating to the hack on its PlayStation network?

Was there a lack of compliance with regulations about personally identifiable information, or were there inadequate security controls over who could access and retrieve that information? And in terms of governance, who was responsible for overseeing these competencies?

As to the immense costs of this particular cyber crime, in the last week of May, Sony said its response to the breach would cost at least R1.2 billion ($171 million), excluding the costs of any legal actions that might be taken against it.

To put that figure of R1.2 billion into perspective, Sony estimates the March earthquake and tsunami in Japan will cost the company R1.9 billion. Which of the two events should Sony have been more able to avoid?

After the horses had bolted, Sony's chief executive, Sir Howard Stringer, had this to say about checking the stable doors: "Let me assure you that the resources of this company have been focused on investigating the entire nature and impact of the cyber-attack we've all experienced and on fixing it. We are working with the FBI and other law enforcement agencies around the world to apprehend those responsible."

Unquestionably, corporate cyber crime has the very real potential to inflict long-term damage on an organisation's stability and future success - two key areas of responsibility for any board of directors.

But this is at odds with another key finding from the ISACA survey: among senior managers and executives, there is a continuing lack of commitment towards taking effective measures to reinforce security within their IT systems. It seems that the issue is not only under-resourced... it's persistently swept under the carpet.

Some high-profile resignations at Sony might provide a wake-up call for any other 'negligents' who are snoozing behind the boardroom doors...

Governance implies control. Given that IT systems play such an important role in so many organisations, surely the ability to govern these systems has to be of primary importance?

If that's the case, security should be the foundation upon which governance and compliance are built. If companies can't authenticate IT users, how can they possibly control what they are doing?

Get going

Perhaps effective identity and access management (IAM) is actually the starting point for governance and compliance, since both depend on knowing who is acting within a system and whether they are authorised to do so.

A real challenge here is that the existing levels of IAM control are astonishingly low. Most corporate IT systems are accessed via a password or PIN - the sort of controls that over decades of computing have come to be accepted in the same way that we accept, say, the strange quirkiness of the qwerty keyboard.

But it is these very controls that are routinely being abused by internal and external cyber villains. It might be a bitter pill and hard to swallow, but the straightforward exploitation of traditional access credentials is an underlying factor in most corporate cyber crime.

Consequently, rigorous control of who can do what may well be at the very heart of IT governance and compliance.

The ISACA survey drew responses from 2 405 managers responsible for security, audit and assurance, and IT, in a fairly even spread across those roles.
