Courion Corporation

UBS: the Business Consequences of Ignoring Access Risk

Tweet

 

The recent multi-billion dollar data breach that occurred at Swiss finance company UBS underscores, yet again, the critical need for organizations to better understand where their greatest sources of information risk reside, as well as who is accessing sensitive data, how are they doing it, and what are they doing with it.

Managing access to applications and information is a growing challenge every organization confronts. With increased access to information comes increased risk to the business, a risk that increases dramatically if they go on using the same old day-to-day practices they’ve always employed when it comes to accessing sensitive data and systems. And this is not the first time for UBS. Last year they had a significant data breach resulting in $10 million in fines. It is often not good enough to just manage access policy with occasional scheduled reviews, organizations need to track user activity to make sure that access to the most sensitive data is granted only to those who need it. It’s important to make sure that those who have the “keys to the kingdom” – such as UBS Trader Kweku Adoboli − are overseen by a strategic approach to access risk management.

Companies should ask themselves:

• Are we adequately tracking employee activity to understand irregular behavior?
• Do we know what information and systems need the most protection and who has access to them?
• Do we have the comprehensive, near real-time visibility into the access risk and business risk associated with unmonitored access?
• Does our IAM solution serve up the necessary data required to analyze business risk?
• Can our IAM solution analyze access risk fast enough to remediate inappropriate or unnecessary access in a timely manner?

While no one can predict or completely stop data breaches, many can be prevented and most can be thwarted before they escalate to the level of a $2.3 billion loss, as in the case of UBS.

We as an industry share the responsibility to tackle this issue and make it easy and cost-effective for corporations to better manage their information risk.