Times are tough for today’s companies: layoffs, salary cuts, low morale, tired employees—the list just goes on and on. No matter how well companies think they know their employees, insider threats—intentional or not—is more probable than ever, which can lead to complex risk management. To complicate these matters, there is a disconnect between regulatory compliance and proactive risk management, according to
The second Market Pulse Survey, conducted by SailPoint in April 2009, focused on how companies are approaching identity governance during the economic downturn, with a particular focus on “insider threats.” While 86% of the total respondents—representing a number of industries, banking, financial services, insurance and health care being most common—are concerned about insider threats, they cannot adequately manage the risk of data breaches because the majority of them can't summarize which workers have access to the most critical applications and data. Of the health care and insurance companies who responded, 99% are concerned about insider threats.
The magnitude of corporate churn on a global scale, compounded by restricted IT budgets and strained resources, has created a perfect storm for fraud and theft from employees in the affected industries. Many organizations are trying to mitigate this insider threat risk. In fact, 77% of the companies SailPoint surveyed have a risk management function within their IT organization. However, nearly 30% of those companies don’t allocate budget to that function. That means nearly 50% of the affected companies either do not have, or underfund, their IT risk management activities.
The SailPoint survey also revealed that companies struggle with managing user access controls for large populations of employees, partners and customers. Of the respondents, 28% said they lack critical access controls and could be more exposed to security breaches than they think. Another 20% believe it’s simply a matter of time before an internal breach occurs at their company.
“In today’s digital economy, stealing no longer requires putting your hand in the till,” says Jackie Gilbert, SailPoint’s VP of marketing and cofounder. “Employees can now steal via electronic data they can access in the workplace, and there are dozens of outlets for selling this data on the Internet black market for profit. Insurance companies have key pieces of personal customer information—including birth dates and social security numbers—that identity data thieves seek. Insurance providers are rightfully concerned. As our survey shows, the risk factors are at an all-time high; companies are struggling to adequately secure sensitive data, making it easier for workers to commit undetected crimes. Meanwhile, the pressures of the recession—major layoffs, falling employee morale, financial hardship—are increasing motivation or temptation to commit crimes.”
