I once worked at a company where my network login name was “Geneva.” It had nothing to do with me, as I inherited the login from a woman who hadn’t worked there for two years. If you are involved with enterprise cyber security, that story probably makes you shudder a bit. Identity management is a key factor in keeping a system secure, but it’s also one that relies on employees following procedures, which introduces the inescapable potential for human error.
People, even those who specialize in IT, can become complacent over time. In a big organization, it’s virtually impossible to manually check the identities of all users every day, ensure only the right users have access, and maintain the system. Adding the further task of checking in with every employee to make sure they’re changing their passwords isn’t realistic. However, leveraging technology to help assess risks and fix issues with your identity management process is a good way to begin changing your practices.
Doing a Company-Wide Identity Management Audit
Identity Management is a cornerstone of good network security. Your employees are a big part of that network, and how they behave will determine if you’re staying secure. While your IT people can manage access, there’s only so much they can control. One thing they can’t is human behavior.
The first component of managing your security is understanding where your highest risks lie, and usually, that risk is in your personnel. 20% of corporate employees said they would sell their network password for under $1000. Finding those risky employees is something that can be accomplished by doing a company-wide audit via Remote Risk Assessment (RRA).
Using the call center to seamlessly integrate RRA into your work process, you can set up short, automated interviews with employees. These interviews can cover standard identity management procedures. They will ask employees questions about their own identity management practices, using proprietary technology to analyze the human voice for risk. Employees who measure high risk for identity management can be flagged, and a deeper discussion of this fact can take place with them. Then, areas of the business with the highest concentration of flagged files can get the most attention first.
This risk heat map will allow you to get a quick review of your security at a basic personnel level. Using this type of technology speeds the process of finding human error so you can correct it. As human error is the most common cause of identity and credential theft, this process can be used to stem some of the problem, but it doesn’t stop there. Another crucial part of reducing your system risk is finding problems at the system level.
Fixing a Bad Identity Management System
There are a few standard things you need to do for an identity management overhaul. Start at the beginning. Go through records for employees who have left the company and ensure that their credentials no longer work. Next, look at employees who might have more access than they should and reduce that access appropriately. Administrator level access should only be available to key personnel.
Once you have general access under control, check your system for these issues:
- Are there backdoors that employees can use to gain access to programs? Look for these doors and close them. If one program links into another program, the employee should be prompted for a password before entering the new program.
- Is there a master password system? Having a lot of passwords allows you to diversify the access risk, but it also increases the risk of lost or poor passwords. Having a master system, where one password covers several programs, can help reduce this problem, but the sensitivity of the data needs to be considered as well. If you have two systems with identical data, using the same password for both may not be an issue.
- What has access to your network? These days, it isn’t just about who accesses your network but also how they access it. Can employees get onto your network via personal laptops, smartphones or tablets? That’s something you may want to reconsider if you have sensitive data.
- Do you have automated password change requests set up? The more sensitive the password, the more often the password should be changed. Ensure the system prompts employees to change their password periodically and restrict their access until they do.
- Are your password criteria strong enough? It seems absurd, but the most popular password in the world is still “password.” While some of the blame for that is on the individual, some should also be on the identity manager who allowed “password” to be chosen. The ideal length of a password is 12 to 14 characters, and it should include letters, numbers and special characters.
- Do you audit your identity management system regularly? Time breeds complacency. After a short period of sticking to security protocols, many individuals will start to let those standards slide. To prevent this, consider doing yearly compliance reviews, where you use RRA to help you check in on practices and offer training and system updates to problem areas.
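As an added example (not part of the original article and not AC Global Risk’s tooling), the Python script below reconciles a constructed HR roster with a constructed directory export to flag the first problems the overhaul above starts with: enabled accounts belonging to departed or unknown people, administrator group membership not justified by an approved role, and passwords that have not been rotated within the policy window. The group name “domain-admins”, the role names, the 90-day rotation period and the audit date are assumptions.

```python
from datetime import date

# Constructed sample data for illustration, not taken from the article.
# HR roster: who is currently employed and in what role.
HR_ROSTER = {
    "jdoe":   {"status": "active", "role": "engineer"},
    "geneva": {"status": "terminated", "role": "analyst"},   # left years ago
    "asmith": {"status": "active", "role": "it-admin"},
    "bwong":  {"status": "active", "role": "finance"},
}
# Directory export: what the login system actually allows today.
DIRECTORY = [
    {"login": "jdoe",       "enabled": True, "groups": ["staff"],                  "pw_changed": date(2017, 3, 1)},
    {"login": "geneva",     "enabled": True, "groups": ["staff", "finance"],       "pw_changed": date(2015, 1, 5)},
    {"login": "asmith",     "enabled": True, "groups": ["staff", "domain-admins"], "pw_changed": date(2017, 4, 1)},
    {"login": "bwong",      "enabled": True, "groups": ["staff", "domain-admins"], "pw_changed": date(2016, 9, 30)},
    {"login": "svc_backup", "enabled": True, "groups": ["domain-admins"],          "pw_changed": date(2014, 6, 1)},  # no owner in HR
]
ADMIN_GROUPS = {"domain-admins"}      # assumed name of the privileged group
APPROVED_ADMIN_ROLES = {"it-admin"}   # roles allowed to hold that group
MAX_PW_AGE_DAYS = 90                  # assumed rotation period
AUDIT_DATE = date(2017, 5, 1)         # assumed date the audit is run


def audit(roster, directory, today):
    """Return (login, finding) pairs for every account that fails a check."""
    findings = []
    for acct in directory:
        login = acct["login"]
        person = roster.get(login)
        active = person is not None and person["status"] == "active"
        # 1. Leavers and unknown logins whose credentials still work.
        if acct["enabled"] and not active:
            findings.append((login, "orphaned: enabled account without an active employee"))
        # 2. Administrator group membership not justified by the person's role.
        if ADMIN_GROUPS & set(acct["groups"]):
            role = person["role"] if active else None
            if role not in APPROVED_ADMIN_ROLES:
                findings.append((login, "excess privilege: admin group without an approved role"))
        # 3. Passwords that have not been rotated within the policy window.
        age = (today - acct["pw_changed"]).days
        if age > MAX_PW_AGE_DAYS:
            findings.append((login, "stale password: %d days old" % age))
    return findings


if __name__ == "__main__":
    for login, finding in audit(HR_ROSTER, DIRECTORY, AUDIT_DATE):
        print("%-11s %s" % (login, finding))
```

On the sample data the script reports the inherited “geneva” login and the ownerless service account as orphaned, the finance user and the service account as over-privileged, and three stale passwords; the same reconciliation applies to a real HR export and directory dump once the field names are mapped.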
Identity Management isn’t a one-time thing. It’s an ongoing process that’s going to require consistent management. Using processes like identity management audits, automated password changes, and network access checks can simplify a complicated task while keeping your network secure.
Implementing RRA as a first step will help you better understand your own organization and risks that may not be identified via other methods. AC Global Risk offers this technology for a wide range of enterprise uses and can implement an RRA program rapidly, remotely and in any language with high accuracy. For more information, contact us today.