Lessons learned from Jerome Kerviel
Issues of access control are of fundamental importance to corporate risk management. This is perhaps best exemplified by the recent reports of the activities of Jerome Kerviel, a stock trader at the French firm Société Générale, who is accused of losing nearly $8 billion of his company's capital in unapproved transactions carried out by circumventing rules built into the brokerage's IT systems.
Had Société Générale been actively monitoring the access controls for its transactional systems, Kerviel likely would have been caught long before he gambled away such a stunning amount of money, the experts contend.
A major factor contributing to the continued loopholes in access management is a lack of senior management support, in many companies, for improving policies and applying the technologies used to govern access, according to the report. Some 74 percent of respondents indicated that senior management in their companies does not view access governance as a strategic security imperative. "It seems that the perception is that it's still tough to get senior executives to sign off on the necessary funding, but situations like Société Générale may help prove how big of a concern this really needs to be," said Ponemon.
Another major contributor to the problem is the need for collaboration across the organization, which complicates access issues dramatically.
And while 83 percent of survey respondents said that collaboration among business units, audit and compliance groups, and IT security departments is vital to keeping their operations in line with government regulations, 57 percent said those teams never partner to oversee access issues.
"This has to be an area of great concern, because if companies consistently score poorly on compliance audits it's been proven that this actually starts to diminish their reputation and brands," Ponemon said. "And as more organizations suffer losses, there will likely be new regulations put in place that make it even harder to operate; most businesses I know don't want more regulations, but if more people fail to create their own controls, more regulators will get involved."