One of the benefits of attending as many enterprise IT events as I do is the regular opportunity to learn about major vulnerabilities that businesses are facing but perhaps not properly dealing with.
One of these came to mind last week at an event in Kuala Lumpur hosted by MIS Asia magazine and sponsored by Novell. The title of the event was "A New FSI Compliance and IT Security Era is Near: Are You Ready?"
There were some very interesting presentations from Quint Wellington Redwood Asia's managing director, Malaysia, Michiel de Boer, and Novell's director, identity and security solutions Asia Pacific, Anthony Turco.
Michiel, who is also a representative (VP) for the itSMF chapter for Malaysia, told the delegates there was a growing gap between the rate of technology adoption and the rate of technology control. He said it takes double or triple the energy to catch up if you are not proactive about IT compliance.
Michiel recommended that enterprises adopt a continual improvement approach and review their compliance and compliance strategies at least once a year. One point he made that caught my ear was that you can never avoid risk, you can only effectively manage it.
Terminated employees take data
One fact that jumped out at me was research quoted by Anthony which stated that about 70 per cent of terminated employees routinely departed with data from their former firm. Anthony said research showed that these employees thought that such action was entirely normal and justifiable.
It emerged from Anthony's presentation that, despite the accelerated numbers of redundancies and terminations stemming from the global economic downturn, the majority of enterprises do not have an automated system to provision employees when they join the company or, perhaps more importantly, to de-provision them when they are asked to leave.
Anthony showed one slide that demonstrated how any one employee's access to different parts of an organisation, and to increasingly sensitive and valuable information, quickly snowballs the longer they hold their job. I am sure he scared the delegates with his summary of recent major data breaches in the US, including Societe Generale, the recent Heartland Payment Systems data breach, and the Fannie Mae problems with sub-prime mortgages, when he said most of the victim enterprises did not have automated systems to quickly cut exiting employees from access to company data, a process called de-provisioning. This was despite such systems now being routinely available.
Informed readers will recall that, in the Societe Generale case, a low-level options trader executed fraudulent transactions; his knowledge of internal policies and process controls allowed him to hide the fraud, which cost his firm about US$6.1 billion (with a "b").