Recent news reports on City trader Kweku Adoboli, who cost UBS billions of pounds through unauthorised trading, have questioned whether the qualities he was hired for were in fact early warning signs of the rogue trader he would later turn out to be.
Adoboli's competitive nature, level head and financial self-interest have made the headlines, whereas lax identity and access management procedures, and irresponsible risk management systems, which allowed him to temporarily succeed in his undertakings, have come away fairly unscathed.
Without wanting to trivialise the situation, any sports fan will be acutely aware of the dramatic and controversial effect a red card can have, and the same is true when the idea is translated into a business context. Auditing firms are the closest we get to referees in the commercial world, and they hold the red and yellow cards in business.
Organisations that do not heed the warnings of an auditor's yellow card risk slipping very quickly and publicly towards the red. The Adoboli scandal is a timely reminder of the risks employees can impose when technology is not doing its job, particularly as a red card in identity and access management can be extremely damaging to an organisation's reputation and market valuation.
Organisations need to be savvy about the risks posed by IT administrators and the privileged access rights they hold. In Adoboli's case, he was reportedly clever enough to log into systems using passwords belonging to others – breaking basic access management etiquette – and obtaining information he was not privy to.
Our own research has also shown that one in ten employees admits to still having access to systems from previous jobs, which is a huge threat to any business.
The silent assassin can log into a system using an anonymous privileged account and then cover their tracks by deleting log files associated with the activity. It is therefore not surprising that more than 51 per cent of IT professionals are concerned about insider threats to network security in their company's current infrastructure.
Without good control over privileged user accounts, organisations are at risk of exposing themselves to the loss of intellectual property, fraudulent activity or insider trading, and the loss of personally identifiable information about their employees and customers.
Internal risk controls, or ‘yellow cards’, are not something that can be ignored either, particularly in highly regulated industries. Real-time transaction monitoring and surveillance are essential in preventing fraudulent activity, particularly in the financial sector, where handling large sums of money can evidently lead some employees to question their ethics.
Responding to detected unexplained or unauthorised activity is also a must, in order to contain the situation, take action and prevent further occurrences. This is something auditors are increasingly monitoring, particularly in relation to compliance regulations including COBIT, PCI-DSS and SOX.
Without a thorough governance plan, organisations risk losing information and revenue, while increasing expense and damage to corporate reputation. By implementing an access governance plan, you can effectively balance the demands of regulatory compliance and management of access-related risk, while still meeting the demands of the business.
Kevin Norlin is general manager and vice-president (EMEA) at Quest Software