CIOs struggle to defuse ‘trust time bomb’

CIOs are struggling to defuse a “trust time bomb” caused by employees morphing into super-users with enough network access to damage a business warns information security expert Jo Stewart-Rattray.

Ms. Stewart-Rattray, director of information security for national accounting firm RSM Bird Cameron, recently chaired a Chief Information Officer (CIO) meeting that examined security threats associated with user privilege policies.

“It was a hot button issue for the 16 CIOs who were gathered around the table,” she said.

“Many of them thought they were alone in dealing with this problem because it appeared to have an easy fix. At the end of the day, those people went away recognising that it is a widespread issue from which government and private sector organisations are suffering.

“The challenge is that addressing the user privilege vulnerability creates conflict between an organisation’s security and its culture. User privilege is often associated with trust. However trust alone is not a control. Without adequate controls, this is a trust time bomb just waiting to explode. This is evident in the fact that we’ve seen high profile rogue administrators come out of the woodwork recently.

“That day, 16 people went back to work to put managing user privilege policies and the related tools at the top of the action list.”

With 30 offices nationwide, RSM Bird Cameron is a national firm that provides taxation, business services and specialist corporate advisory services to clients including large corporations, SMEs and government agencies across a diverse range of industry groups.

Ms. Stewart-Rattray heads up RSM Bird Cameron’s IT and IS consulting group within the risk management division which assists clients to identify and reduce risks and vulnerabilities ranging from information security to disaster recovery. She is also the co-chair of an international task force that is charged with developing strategies to build intentional cultures of security within organisations.

Ms. Stewart-Rattray said the culture of excessive user privileges on computer networks had developed over many years. “People are accumulating extraordinary amounts of access that is not needed to do their job,” she said.

“One example was an employee who built up a remarkable level of computer network access during years at an organisation. When a new employee joined the business, the manager said to copy the network privileges held by the long-serving employee, which is a ridiculous risk.

“Cradle-to-grave user management has gone by the wayside. CIOs are starting to recognise that there is a dire need for a life cycle management of users, but they are unsure of where to start.

“One CIO said the challenge is to balance trust with an intentional culture of security. In some respects, because trust has existed historically, we are talking about an intentional change of culture, which is harder to effect. In the beginning, security is intentional and over a period of time, it becomes automatic.

“Privileged User Management is a hot topic at the moment. A central tenet of this approach is the principle of Least Privilege. Rather than making every user a network administrator, this gives each user just the network access required to perform his or her job. Even system administrators should maintain a distinction between their privileged sys admin account and their day-to-day account.

“Businesses should aim to build security into their DNA as we have with OH&S, which has been ingrained in all of us. It’s certainly not the same with security.”