What Identity Analytics really is and why you need it

What Identity Analytics really is and why you need it

IT security’s advent: the “identity” concept as key factor

Digital transformation has changed and is changing more and more business processes, job positions as well as many companies’ core activities. In consequence, it has implied a change in the way we mitigate risks.

Risk mitigation has existed long before digital transformation but it mainly relied before on manual processes, spreading risk management across departments – thus relying on silos – and on analyses over samplings. But this risk management is no longer possible with today’s world digital transformation, which often goes too fast for companies to properly adapt to new risks, especially IT risks. They most often have no visibility on what is key: their users’ access rights to their information system, user behaviors as well as existing security breaches. 

Financial costs of IT security risks, whether it be data thefts or internal frauds, are continuously rising. According to a 2016 Ponemon Institute study, data leakage costs have risen 30% between 2013 and 2016 in the 12 countries of this survey. Companies are paying at a high cost the rise of cyber risks but what about their investments to prevent these threats and mitigate these risks? 

Organizations need to ensure efficient and continuous risk mitigation and detection. They need to know the risks threatening them, including the humpan error risk which is constantly underestimated even though it was the source of 1 out of 4 data breaches in 2016 (2016 Ponemon study).

Companies are becoming more conscious of cyber risks and the need to reduce them through the IT vector but many doubt their capacity to really identify who accessed their sensitive data and applications. Indeed, the main stakes are here: knowing who has access to wgat and who accessed what in your information system. This is about cyber resilience: ensuring both cyber security along with productivity and innovation for companies.

Becoming cyber resilient means focusing on identites, that is individuals. It is both through individuals that secured digital transformation projects can unfold and that the cyber attacks happen. Risk analysis, detection and mitigation need to be built around this identity concept and that is what Identity Analytics is all about.

 

The rise of Identity Analytics

Digital opportunities should not make you forget that significant risks are generally atatched to them. Let’s take the classic icerberg methaphor. The emerged part of it represents known and visible digital and cyber risks today: ransomwares, virus, etc. But these risks aren’t the most important or threatening. The risks underwater, invisible for most of us, are the most threatening and frequent ones for organizations. You need to target these first and foremost.

With Identity Analytics you are able to answer the question “what resources can these users access, how and how are they using these access rights?” and this is what matters to ensure a secured business environment. It is about conducting in-depth analytics within a contextualized environment, with HR and technical data reconciled. Audit and internal control tasks as well as proper analyses, access reviews and clear reporting processes are at last possible in one unique platform centered on the identity concept.

 

Regarding digital transformation and cyber security, the notion of identity crystallizes opportunites, threats and solutions all in one. It is the key concept companies need to understand fully and implement. 

With Identity Analytics, companies can more easily mobilize their resources and think in a transversal way, beyond silos, to achieve both business development and efficient risk management. All actors, internal actors and third parties, need to engage in this process. This collaboration and communication between actors is all the more important as cyber incidents are hard to detect and it takes several months, almost a year, as an average for companies to detect a breach or suspicious activities. Organizations need to pay attention to unusual user behaviors for example but most of them do not have the maturity and the resources to do so.

Identity Analytics has developped over the last 10 years and is continuing its rise as companies realize worldwide that traditional cyber security methods and tools are no longer adapted and can even become harmful by exposing them to risks they cannot detect and prevent.

Identity Analytics is still misunderstood or rather unknown but this is changing. Meanwhile, significant cyber security actors have tried to hijack the Identity Analytics term and use it for other meanings and cyber security specific features such as SIEM for example. Identity Analytics isn’t about real time detection but about enabling you to better analyze risks, prevent threats and ensure compliance by focusing on your key asset and threat: indentities.

 

With Brainwave GRC, its Identity Analytics solution includes advanced in-depth analytics, machine-learning and workflows to reduce access-related risks and ensure continuous compliance for all organizations. 

 

Controls automation: auditors and internal control’s key to success?

Controls automation: auditors and internal control’s key to success?

Why and how should a company automate controls?

The reasons to automate controls processes will logically depend on the company’s context and security challenges. Fighting against fraud is one of the main reasons for organizations to implement controls automation today. But it isn’t the only one. Here are a few of them:

  • Focusing on fraud risks

The goal here is to reduce fraud risks, often over large data volumes. The stakes are to gain full visibility over fraud risks, segregation of duties policy implementation but also to ensure that controls are properly operated and cover all the critical applications and business processes for which fraud risks are very high.

  • Targeting sensitive business processes

For some companies, the prime focus needs to be set on preventing risks at a business process level for their most sensitive ones, such as the Purchase-to-Pay business process. Security risks, such as fraud risks, are often significant at the business process level – within and between applications and systems – but companies often focus only on risks linked to IT infrastructures and fraud risks within applications only.

  • Improving data analysis

The goal here is to implement efficiently and broadly a proper data governance through automated controls. Controls over applications are a priority in this context and need to comply to security requirements such as proper privileged accounts management and efficient access rights governance.

What are the benefits?

Controls automation can provide many benefits, here are the main ones:

  • Optimizing controls processes, strongly needed by companies as they face rising regulatory requirements and pressure from control and compliance authorities.
  • Reducing security risks within applications and at a business process level
  • Reinforcing internal audit and control’s position within the company

Automating controls enables internal audit and control teams to save significant time, money and energy not using Excel spreadsheets with over fifty tabs to operate manually their controls. With controls automation, they can focus  on the most critical security and compliance stakes and risks that trully need their time and attention.

 

Are they limits to controls automation and how can you move past them?

Automating controls at the scale of an application, system or a wholke business process requires paying special attention to a number of topics in order for a company to prevent limitations and evaluate if its is ready to implement the automation of all or part of its controls processes.

Here are a few of the topics you should pay attention to:

  • Your applications’ maturity

Automating controls properly depends on your applications having the same “maturity” level.

  • Risks moving upstream or downstream

By automating controls, there is a risk that security issues be displaced. An example of risks moving “downstream” is an inefficient analysis and correction of discrepancies.

  • Automated controls staying relevant and answering internal audit’s needs over time
  • Segregation of duties

One of the keys to controls automation is implementing a proper segregation of duties at a business process level, within and between applications and processes in the IT systems.

 

Any questions? Don’t hesitate and contact us!

Cyber risks and Brainwave GRC benefits for Imran Ahmad, National leader cyber security at Miller Thomson

Cyber risks and Brainwave GRC benefits for Imran Ahmad, National leader cyber security at Miller Thomson

Brainwave GRC video interview of Imran AHMAD – Miller Thomson partner

CyberThreats

 

 

Businesses are struggling to identify what they should be looking at or not. We are seeing an increase in term of cyberthreats and cyberattacks and it’s not a question of ”if it will happen”, it will happen to you.

At that point: Are you ready to respond in an effective way and what can you do to mitigate the risks?

To monitor the risks in real-time and to identify a conduct or a behavior which is outside of the norm is like to find a needle in a haystack…

 


Imran Ahmad is a Business Law Partner in the Miller Thomson Toronto office and specializes in the areas of cybersecurity, competition and foreign investment law.

As part of his cybersecurity, privacy and data breach practice, Imran works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches. He focuses on legal risk assessments, compliance, due diligence and risk allocation advice, security and data breach incident preparedness and response.  He also provides representation in the event of an investigation, enforcement action, or litigation.

Brainwave GRC’s added-value according to Deloitte

Brainwave GRC’s added-value according to Deloitte

Brainwave Identity GRC’s benefits for Deloitte and clients

Interview of a Senior Manager Risk Advisory at Deloitte France – Alexandra Jasinsky

 

3 benefits Deloitte France sees in using Brainwave GRC:
 
– Cross-application and cross-system analysis for the entire enterprise, including any in-market or legacy ERP and custom in-house application
– Easily configured dashboards and KPIs with most important metrics
– Deep behavior analysis to understand financial impact of transactions and conflicts