We all know that the insider threat continues to grow. And as our infrastructure continues to increase in complexity, it becomes even easier for the insider. Just look at the headlines from the past couple of months: companies like Microsoft, Apple, Tesla, Nordstrom and Micron Technology have all made the news because an insider was able either to divert funds through fraudulent transactions or to steal intellectual property worth billions.
There are also countless headlines where an external threat is able to steal employee credentials through phishing campaigns. Once attackers are able to log in as an employee, they become an insider threat. And as Ponemon found through their research, the insider is responsible for 60-80% of all breaches, and the total average cost of an insider breach is $8.76 million.
One of the issues is that corporate governance has largely been based on trust:
Trust that employees, contractors or anyone else working on behalf of the company will:
- read and remember company policies
- hold themselves personally accountable for upholding those policies
- apply those policies as they perform their daily activities
Trust that all the critical risks have been identified
And trust that the controls designed to mitigate those risks will:
- Find errors after they have occurred (detective controls, e.g., review and approval workflows, surprise cash counts or taking inventory)
- Prevent errors, fraud or risks from occurring (preventative controls, e.g., employee training, locking the building or segregation of duties)
- Correct any errors or incidents that threaten company assets (corrective controls, e.g., notifying a supervisor or the person accountable, disciplinary action, etc.)
We all know this approach has significant limitations:
- People are human. They cut corners and make mistakes, and their personal goals and objectives don’t always align with the company’s
- Management can undermine the control environment – through inconsistency, complacency or overriding controls that get in their way
- The control environment constantly changes and is difficult to keep up with: regulations, workforce, business priorities and business applications
You need to monitor and manage risk, compliance and performance, in real time, across all of your business-critical applications.