Risk without reward

How fraud at Societe Generale bank underscores the business need to control internal IT threats

Perhaps some good may come out of Kerviel's apparent fraud and Societe Generale's blindness to it: The incident may spur other companies' executives to talk about risk management and IT controls inside their businesses.

Organizations tend to think of access as being binary in nature: You get access to it all, or you don't, says Ian Walden, professor of information and communications law at Queen Mary, University of London. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk. But IT departments and business managers have yet to find a way to wrap security into business processes so it is not an impediment, Walden says.

In the Ponemon Institute study, only 30 percent of respondents said their organizations make sure user access policies are validated and checked. Meanwhile, accountability for governing access to systems is diffuse. Twenty-nine percent of respondents said business units were most responsible, followed by application owners, corporate IT, human resources, information security and compliance organizations.

EMA's Crawford says companies can begin to get a better handle on access risks by asking some basic questions. These include:

* What kind of behavior anomalies would indicate you may have more risk exposure than you realized, and can you detect or recognize them?

* Do high-level or high-risk employees have privileges that are so broad that checks and balances among individuals' duties become negated? How effective are the controls assuring that such segregation of duties could be enforced?

* Are your control systems or risk indicators subject to subversion? Are there ways you can enforce more effective controls and still be able to capitalize on new business opportunities?

"Businesses are just now beginning to awaken to the controls within the IT environment," Crawford says. "If you're betting the farm and strategy on the IT controls, it behooves the organization to ensure that those controls are reasonably resistant to subversion."

Peter Sayer is Paris bureau chief with IDG News Service. CSO Staff Writer Katherine Walsh and IDG News Service London Correspondent Jeremy Kirk contributed to this story.