In short, the fact that plaintiffs have been sent packing comes as scant consolation given the number of regulatory and industry bodies (notably in the payment-card industry) that can levy penalties. Christopher Wolf, a Washington, D.C.-based partner with law firm Proskauer Rose who works extensively on computer-security matters, says that highly publicized data breaches have had some impact, but not enough. “Many companies now ‘get it,’” he says, “but far too many others have yet to get their arms around security. And they won’t until C-suite leadership makes it a priority.”
Even though computer breaches now carry a much more quantifiable price tag than in years past, that seems to have done little to galvanize senior executives. A recent survey conducted by The Ponemon Institute, although limited to one form of security, serves as a useful proxy for prevailing attitudes. Asked whether senior management regards access management — a term that describes the governance procedures surrounding which employees have access to what types of information — as important, 74 percent of the nearly 700 IT and security personnel who responded said no. A majority (57 percent) also said that much-needed collaboration across business units, audit/compliance departments, and IT departments is not being achieved.
Access management may sound arcane, but in truth it’s a simple concept that often lies at the heart of security breaches. At Société Générale, for example, “it was a classic case of an employee changing roles,” says Brian Cleary, vice president of marketing for Aveksa, which sells access-management software. “Kerviel moved from a back-office job to a front-office position, and brought all his former access rights with him.” As Scott Crawford, leader of the security and risk-management practice at analyst firm Enterprise Management Associates, puts it, that allowed him to “manipulate IT systems, with worldwide repercussions.”
Larry Ponemon, chairman and founder of The Ponemon Institute, a research firm specializing in privacy and security issues, says that if nothing else, the massive losses suffered by SocGen “have focused companies on who the ‘bad guy’ might really be.”
To date, Ponemon says, companies have aimed most of their efforts at external threats — “hardening the perimeter,” in security parlance. “In part that’s because hacking attacks can be measured,” Ponemon says, “so repelling them becomes a source of pride for information-security professionals.”
The demands of the Sarbanes-Oxley Act have forced companies to think more broadly about access rights and related procedures that govern who can tap what sources of information.
By better controlling access rights, companies can limit employee access to information. Such control takes two forms. First, software vendors including IBM, Sun, CA, Netegrity, and others sell security software that acts as a gatekeeper, identifying and authorizing users. Second, Aveksa adds an additional wrinkle, layering on top of such software a governance piece that matches an employee’s role to the data or other resources he or she can access, essentially tackling the vexing problem of change management and auditability.
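As an added illustration (not code from the article or from any vendor it names), the following Python model shows the role-change failure described above, a transfer that carries old access rights forward, beside a governed transfer that re-derives entitlements from the new role, logs what was revoked, and exposes a certification check for access the current role does not justify. The roles, resources and employees are constructed for the example.

```python
"""Role-based access model: accumulating vs. role-derived entitlements on transfer."""
from dataclasses import dataclass, field

# Constructed role-to-resource mapping (illustrative only, not real job functions)
ROLE_ENTITLEMENTS = {
    "back_office": {"trade_settlement", "risk_limit_override"},
    "front_office": {"trading_desk"},
}


@dataclass
class Employee:
    name: str
    role: str
    entitlements: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


def provision(emp):
    """Initial grant: entitlements are exactly those of the assigned role."""
    emp.entitlements = set(ROLE_ENTITLEMENTS[emp.role])
    emp.audit_log.append(f"provision role={emp.role} grants={sorted(emp.entitlements)}")


def transfer_accumulate(emp, new_role):
    """Naive transfer: adds the new role's access and never revokes the old role's."""
    emp.role = new_role
    emp.entitlements |= ROLE_ENTITLEMENTS[new_role]
    emp.audit_log.append(f"transfer to {new_role} (no revocation)")


def transfer_replace(emp, new_role):
    """Governed transfer: re-derive entitlements from the new role; record revocations."""
    old = set(emp.entitlements)
    emp.role = new_role
    emp.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    revoked = old - emp.entitlements
    emp.audit_log.append(f"transfer to {new_role} revoked={sorted(revoked)}")
    return revoked


def excess_entitlements(emp):
    """Access-certification check: anything held that the current role does not justify."""
    return emp.entitlements - ROLE_ENTITLEMENTS[emp.role]


def demo():
    a = Employee("employee_a", "back_office"); provision(a)
    transfer_accumulate(a, "front_office")   # old rights travel with the employee
    b = Employee("employee_b", "back_office"); provision(b)
    transfer_replace(b, "front_office")      # old rights are revoked and logged
    return sorted(excess_entitlements(a)), sorted(excess_entitlements(b))


if __name__ == "__main__":
    print(demo())  # (['risk_limit_override', 'trade_settlement'], [])
```

The certification check is the piece a periodic review would run across all accounts; a non-empty result is a finding to investigate, not something to fix silently.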