Businesses urged to solve identity crisis

21 Jun 2006

Companies of all sizes are being urged to implement user identification management to control access to important systems on their networks.

Jason Guy, senior IT security consultant with IBM Global Services, has warned that if user IDs are not properly controlled and managed, a company leaves back doors open into its network. “The problem that most organisations have is that when employees leave the business that leaves potential for them to get back into the system,” said Guy.

“A lot of companies have started to look at it at some level. The type of organisation that should be looking at it should be trying to reduce the chances of fraud and theft,” he explained. In this context, theft could mean an employee taking company information, such as customer databases, strategic business plans, production diagrams or even software code, when he or she leaves a company.

Andy Harbison, senior manager, enterprise risk services with Deloitte, said recently that theft of intellectual property is a growing problem in Ireland as some employees incorrectly perceive that they are entitled to bring data with them when they resign. “If you develop it for the company, then it’s the company’s,” Harbison pointed out.

Guy cited studies which have found that 60pc of user IDs belong to inactive employees. “ID management is something that all companies should be doing, from SMEs right up to large enterprises,” he said.

There are several different ID management solutions on the market, and a company’s choice should depend on its needs, Guy added. “Organisations have to look at the risk of what they are trying to protect and the cost of protecting it.”

Aside from products, there are also processes and procedures that companies can put in place to manage users. “Make sure when you introduce a user ID to a system that you capture that information somewhere; make sure it’s approved and regularly reviewed,” said Guy. “If the person has access to the financial system, for example, but they move role in six months’ time, you need to see if they still need that access. Basically, it’s about managing the user ID from its inception to its retirement.”

By Gordon Smith