Kevin Norlin (UK): Technology's Accountability in Fuelling Rogue Behavior

Recent news reports surrounding the rogue city trader, Akweku Adoboli, who cost UBS bank billions through unauthorized activity, have questioned whether the qualities that he was hired for were in fact early warning signs of the rogue trader he would later turn out to be. Adoboli’s competitive nature, level head, and financial self-interest have made the headlines. At the same time, lax identity and access management procedures, and irresponsible risk management systems - which tipped him over the edge and allowed him to temporarily succeed in his undertakings - have come away fairly unscathed.

Without wanting to trivialize the situation, any Manchester United or Welsh Rugby fan will be acutely aware of the dramatic and controversial effects a ‘red card’ can pose on an organization when translated into a business context. Auditing firms are the closest we get to referees in the commercial world, and hold the red and yellow cards in business. Organizations that do not heed the warnings of an auditor’s yellow card risk slipping very quickly, and publicly, into the red. The Adoboli scandal is a timely reminder of the risks employees can impose when technology is not doing its job, particularly as a red card in identity and access management can be extremely damaging to an organization’s reputation and market valuation.

Organizations need to be savvy about the risks posed by IT administrators and the privileged access rights they own. In Adoboli’s case, he was sneaky enough to log into systems using passwords belonging to others - breaking basic access management etiquette - and getting information that he was not privy to. However, our own research has shown that one in 10 employees admit that they still have access to systems from previous jobs which they can still enter even though they have left (or moved elsewhere within) the organization, which is a huge threat to any business.

The silent assassin can log into a system using an anonymous privileged account and then cover their tracks by deleting log files associated with the activity. It is therefore not surprising that over 51% of IT professionals are concerned about insider threats to network security in their company’s current infrastructure. Without good control over privileged user accounts, organizations are at risk of exposing themselves to the loss of intellectual property, fraudulent or insider training, and loss of personal identifiable information of their employees and customers.

Internal risk controls - ‘yellow cards’ - are not something that can be ignored either, particularly in highly regulated industries. Real-time transaction monitoring and surveillance are essential in preventing fraudulent activity, particularly in the financial sector when handling large sums of money can evidently lead to some employees questioning their ethics. Responding to detections of unexplained or unauthorized activity is also a must in order to prevent additional occurrences, contain a situation, and for action to be taken. This is something auditors are increasingly monitoring for, particularly with compliance regulations including COBIT, PCI DSS and SOX.

Without a thorough governance plan, organizations risk losing information and revenue, while increasing expense and damage to corporate reputation. By implementing an access governance plan, you can effectively balance the demands of regulatory compliance and management of access-related risk, while still meeting the demands of the business.

By Kevin Norlin, GM & VP Quest Software UK


« Grant O'Connor (Africa): Customer Experience Management - Make or Break for Business


Dr Ian Clarkson (Global): Clarity in Reducing Limiting Project Risks »


Do you think your smartphone is making you a workaholic?