This story is getting quite a bit of press. By far the best accounting of the story is from CSO Online, which is reprinting the Computerworld article.
In short: a former employee returns to the office hours after resigning, his electronic card key is still active, he logs onto two separate computer systems and initiates three wire transfers totaling $9.2M. According to the story, the only reason it was detected was that a suspicious janitor saw him coming in after hours. The person is still at large. The money has been returned. Quite a few folks have pointed out what Cal Water should have done – access control, employee off-boarding, destroying accounts, etc. etc. It is all true, but how do you break it down into a business case?
The California Water Services Company (Cal Water) is publicly traded. Last year they did about $410M annual revenue with 929 employees and approximately $40M income. They had cash assets around $13M. I'm sure someone would have noticed a huge $9.2M hole in these numbers even if the janitor hadn't noticed the former employee. Ironically, their latest 10-K filing, prior to the event, states:
Our business is dependent on several complex business systems, certain of which are owned by third parties. The business systems must function reliably in order for us to operate effectively. Among other things, system malfunctions and security breaches could prevent us from operating or monitoring our facilities, billing accurately and timely analysis of financial results. Our profitability and cash flow could be affected negatively in the event these systems do not operate effectively or are circumvented.
Nonetheless, $9.2M to a company with these numbers is a huge hit, possibly something that would have taken years to recover from. If you were trying to create a business case for them, $9.2M spread across all employees is about $10k each. Not all of these employees are head office personnel – only about 400 are supervisory, non-union – so it is probably more like $20k-$30k per person. Presumably it would cost far less on a per-employee basis to implement access control and de-provisioning systems, both physical and logical. Let's say it would be a $1M investment. That is a mere $2,500 per person (compared to $30k), or approximately 8%. Would you say they had an 8% chance that one of these employees would do this? This doesn't even take into account the "soft costs" like public embarrassment and a drop in stock price.
But a malicious insider is so rare, right? The CSO article states:
Security analysts have been cautioning about the insider risk for some time, but an increase in incidents highlights the continuing challenges companies face in dealing with the issue. A recent survey by SailPoint Technologies of 125 large companies found that eight out of 10 of the businesses were concerned about insider threats.
At the same time, though, about 57% of the respondents said they did not have the visibility they needed across their networks to prevent insiders from abusing their access. Less than two in 10 felt they had the controls needed to deal with insider threats.
The threat is substantial and the stakes are high. The market opportunity is real. The question is really how you make it mainstream. How do you get a stalwart company like Cal Water to see the need?
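The control the post says was missing, as an added example that is not from the post or from Cal Water: HR separation records are reconciled against still-active badge and account entitlements, and the access log is checked for use after separation. All employee ids, system names and timestamps below are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): HR separations,
# entitlements still active in the badge and account systems, access log.
SEPARATIONS = {  # employee id -> separation timestamp from HR
    "E1001": datetime(2009, 4, 28, 15, 0),   # resigned mid-afternoon
    "E1002": datetime(2009, 4, 20, 17, 0),   # left a week earlier
}

ACTIVE_ACCESS = [  # (employee id, system, kind)
    ("E1001", "badge-hq-door", "physical"),
    ("E1001", "treasury-app", "logical"),
    ("E1001", "payments-gateway", "logical"),
    ("E1002", "email", "logical"),
    ("E1003", "badge-hq-door", "physical"),  # current employee, expected
]

ACCESS_LOG = [  # (timestamp, employee id, system)
    (datetime(2009, 4, 28, 22, 30), "E1001", "badge-hq-door"),
    (datetime(2009, 4, 28, 22, 41), "E1001", "treasury-app"),
    (datetime(2009, 4, 28, 9, 5), "E1003", "badge-hq-door"),
]


def orphaned_access(separations, active_access, as_of, grace=timedelta(hours=1)):
    """Entitlements still active more than `grace` after the owner separated.
    This is the report an off-boarding process should drive to empty."""
    return sorted(
        (emp, system, kind)
        for emp, system, kind in active_access
        if emp in separations and as_of - separations[emp] > grace
    )


def post_separation_use(separations, access_log):
    """Log entries where a separated employee actually used access after
    leaving: the event the janitor happened to notice by eye."""
    return sorted(
        (ts, emp, system)
        for ts, emp, system in access_log
        if emp in separations and ts > separations[emp]
    )


if __name__ == "__main__":
    for row in orphaned_access(SEPARATIONS, ACTIVE_ACCESS, datetime(2009, 4, 28, 23, 0)):
        print("still active after separation:", row)
    for row in post_separation_use(SEPARATIONS, ACCESS_LOG):
        print("used after separation:", row)
```

Run nightly against the real HR feed and entitlement exports, the first report measures how long revocation actually takes; the second turns the after-hours badge swipe into an alert rather than a lucky sighting.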
2 comments:
I've been talking about this for a while. How does one prove the value of de-provisioning? I can't show it in ROI, only in how I can prevent loss from happening. While this is a real figure, it is not necessarily one that can be placed on a balance sheet.
Thanks for commenting, Matt. The only thing I've ever been able to do is include de-provisioning along with provisioning and maintenance as "identity transactions". Each of those has a real labor cost and productivity cost.
De-provisioning, as you say, is hard on its own because it is completely based on loss and the risk of that loss happening. The loss can be very high and potentially take down a business - think of any industry that lives and dies on IP. I guess it is up to the culture of the company to define what they think the chances are. If the stakes are high enough, even a small chance is costly (a 5% chance of a $5M event is still $250K).