Brainwave GRC & Infonex event: Cyber Risk for Financial Institutions


Brainwave GRC presentation at the Cyber Risk for Financial Institutions – Infonex event

Toronto, Canada – May 16 & 17


Eric In, VP of Brainwave GRC for North America, will be a speaker at this two-day seminar in Toronto, Canada on Cyber Risk for Financial Institutions. His presentation, Reducing Cyber Risk by using Identity Analytics, will take place on May 17 from 09:15 am to 10:15 am.

It will examine the challenges organizations face from risks related to individuals, and propose solutions.

  • Cyber security is also about the individual: how can we reduce risks related to individuals?
  • How can Identity Analytics help organizations monitor risks and make informed decisions?
  • Practical examples of how identity analytics can help financial institutions comply with the new SWIFT Customer Security Controls Framework


Make sure you can attend! 

5 reasons why access-related security is key to hybrid ERP transformation


Hybrid ERP: the postmodern transformation for ERPs

Postmodern ERPs are the new form of ERP system: they no longer come only from single-instance megasuites such as SAP or Oracle. ERPs are now hybrid (a megasuite on-premise, plus components in the cloud) or even fully outsourced.

Analysts have been watching this rising phenomenon for several years, and it is now here: hybrid ERPs are not hype but are becoming the norm, year after year. According to a Gartner study, within 3 years fewer than 1 in 5 multinational companies will still run a single-instance megasuite ERP system.

ERP transformation projects are launched for various business needs: adopting a new cloud-based marketing or HR management solution, a new SaaS CRM such as Salesforce, or conducting a major ERP renovation after years with costly megasuites.


Paying attention to security risks to ensure success and business goals

The enthusiasm that comes with such projects, and the business stakes behind them, shouldn’t make you forget that security risks will probably rise with your company’s transformation projects. With ERPs moving to the cloud and, in most cases, spread between on-premise and cloud-based applications, new risks appear and more actors are involved.

Here are 5 reasons why you need to put access-related security at the top of your priorities for your hybrid ERP:

  1. Greater lack of visibility over applications and business processes
  2. Higher risk of fraud and human error, with more actors involved, including numerous third parties
  3. Greater risk of data quality and data management issues, with multiple data sources and formats
  4. Less control over HR movements, access rights management and what users actually do with those access rights
  5. Harder to run audits and controls over access rights and user activity at a satisfactory frequency (a larger and more diverse perimeter)


The solution? A proper access-rights security policy, collaboration and Identity Analytics & Intelligence

With hybrid ERPs now becoming the dominant ERP model, the security stakes are high and need to be handled properly. Defining a relevant and realistic security policy is only one of the steps that will ensure the success of your transformation projects. The other steps? Enabling and encouraging collaboration between IT and business units, in order to reduce the risks related to data collection, transmission and processing, and also to run efficient, easy access certifications and regular controls.

Which risks are often under-estimated? Access-related risks in Active Directory, in segregation of duties (SoD), or even in your CRM. With the proper tool you need 360° visibility over access rights and over how people use them in your company, contractors and interns included. The risks range from a high number of dormant accounts and ex-employees whose access rights are still active in some applications, to SoD risks where a single user can perform incompatible actions over the Purchase-to-Pay business process.

The need for a cross-applications and business process view for risk analysis and remediation but also controls and access reviews is stronger than ever with a hybrid ERP. Are you ready?


Controls automation: auditors and internal control’s key to success?


Why and how should a company automate controls?

The reasons to automate controls processes will naturally depend on the company’s context and security challenges. Fighting fraud is one of the main reasons organizations implement controls automation today, but it isn’t the only one. Here are a few of them:

  • Focusing on fraud risks

The goal here is to reduce fraud risks, often over large data volumes. What is at stake is gaining full visibility over fraud risks and over the implementation of the segregation of duties policy, and ensuring that controls are properly operated and cover every critical application and business process where fraud risk is very high.

  • Targeting sensitive business processes

For some companies, the prime focus needs to be on preventing risks at the business process level for their most sensitive processes, such as Purchase-to-Pay. Security risks, fraud risks included, are often significant at the business process level, within and between applications and systems, yet companies often focus only on risks linked to IT infrastructure and on fraud risks within a single application.

  • Improving data analysis

The goal here is to implement proper data governance efficiently and broadly through automated controls. Controls over applications are a priority in this context, and they need to comply with security requirements such as proper privileged account management and efficient access rights governance.

What are the benefits?

Controls automation can provide many benefits, here are the main ones:

  • Optimizing controls processes, strongly needed by companies as they face rising regulatory requirements and pressure from control and compliance authorities.
  • Reducing security risks within applications and at a business process level
  • Reinforcing internal audit and control’s position within the company

Automating controls enables internal audit and control teams to save significant time, money and energy by no longer operating their controls manually in Excel spreadsheets with over fifty tabs. With controls automation, they can focus on the most critical security and compliance stakes and on the risks that truly need their time and attention.


Are there limits to controls automation, and how can you move past them?

Automating controls at the scale of an application, a system or a whole business process requires paying special attention to a number of topics, so that the company can anticipate the limitations and evaluate whether it is ready to automate all or part of its controls processes.

Here are a few of the topics you should pay attention to:

  • Your applications’ maturity

Automating controls properly depends on your applications having the same “maturity” level.

  • Risks moving upstream or downstream

By automating controls, there is a risk that security issues are displaced rather than resolved. An example of risk moving “downstream” is discrepancies that are detected automatically but then analysed and corrected inefficiently.

  • Automated controls staying relevant and answering internal audit’s needs over time
  • Segregation of duties

One of the keys to controls automation is implementing a proper segregation of duties at a business process level, within and between applications and processes in the IT systems.
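The cross-application SoD check described in this bullet, and the Purchase-to-Pay example from the hybrid ERP post above (a user able to perform incompatible actions across the on-premise ERP and a cloud application), as an added worked example that is not Brainwave GRC’s code. Technical entitlements from several systems are first mapped to business-process activities, then each user’s activity set is tested against a conflict matrix. The entitlement map, the conflict matrix and the users are constructed sample data; “CloudAP” is a hypothetical cloud accounts-payable application, and the SAP transaction codes stand in for whatever entitlement model your ERP exposes.

```python
"""Cross-application segregation-of-duties check over a Purchase-to-Pay process.

Added example, not Brainwave GRC's code. Technical entitlements from several
systems are mapped to business activities, then each user's activity set is
tested against a conflict matrix. All data below is constructed; "CloudAP"
is a hypothetical cloud accounts-payable application.
"""

# Constructed mapping: (application, entitlement) -> Purchase-to-Pay activity.
ACTIVITY_OF = {
    ("SAP", "XK01"): "create_vendor",      # create vendor master record
    ("SAP", "ME21N"): "create_po",         # create purchase order
    ("SAP", "MIRO"): "enter_invoice",      # enter incoming invoice
    ("SAP", "F110"): "run_payment",        # automatic payment run
    ("CloudAP", "vendor_admin"): "create_vendor",
    ("CloudAP", "po_creator"): "create_po",
    ("CloudAP", "po_approver"): "approve_po",
    ("CloudAP", "ap_clerk"): "enter_invoice",
    ("CloudAP", "treasury"): "run_payment",
    ("CloudAP", "viewer"): None,           # read-only, no P2P activity
}

# Constructed conflict matrix: activity pairs one person must not hold together.
CONFLICTS = {
    frozenset({"create_vendor", "run_payment"}): "could set up and pay a fictitious vendor",
    frozenset({"create_vendor", "enter_invoice"}): "could book invoices for a vendor they created",
    frozenset({"create_po", "approve_po"}): "could approve their own purchases",
    frozenset({"enter_invoice", "run_payment"}): "could pay invoices they booked themselves",
}

# Constructed users whose entitlements are spread across the ERP and the cloud app.
USER_ENTITLEMENTS = {
    "alopez": {("SAP", "XK01"), ("CloudAP", "treasury")},              # conflict spans two apps
    "dpatel": {("CloudAP", "po_creator"), ("CloudAP", "po_approver")},  # conflict inside one app
    "mchen": {("SAP", "ME21N"), ("CloudAP", "viewer")},                # clean
    "svc-erp": {("SAP", "F110")},                                      # clean
}


def sod_violations(user_entitlements, activity_of, conflicts):
    """Return one finding per (user, conflicting activity pair), ordered by user."""
    findings = []
    for user in sorted(user_entitlements):
        # activity -> set of entitlements granting it, across every application
        granted = {}
        for ent in user_entitlements[user]:
            activity = activity_of.get(ent)
            if activity is not None:
                granted.setdefault(activity, set()).add(ent)
        for pair, risk in conflicts.items():
            a, b = sorted(pair)
            if a in granted and b in granted:
                ents = sorted(granted[a] | granted[b])
                findings.append({
                    "user": user,
                    "activities": (a, b),
                    "risk": risk,
                    "entitlements": ents,
                    # a per-application SoD check would never see this combination
                    "cross_application": len({app for app, _ in ents}) > 1,
                })
    return findings


def run_example():
    """Run the check against the constructed data and return the findings."""
    return sod_violations(USER_ENTITLEMENTS, ACTIVITY_OF, CONFLICTS)


if __name__ == "__main__":
    for f in run_example():
        scope = "cross-application" if f["cross_application"] else "single-application"
        print(f"{f['user']}: {f['activities'][0]} + {f['activities'][1]} ({scope}) -> {f['risk']}")
```

The point of the intermediate activity layer is that the conflict matrix is written once, in business terms, and survives the replacement of an on-premise module by a cloud application: only the entitlement map changes. The `cross_application` flag marks the violations that a control scoped to a single system cannot detect.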


Any questions? Don’t hesitate and contact us!

Leavers’ threat – a simple and powerful IT security threat for any company


Employees leaving by the door can come back through the window

A sysadmin in New York has just been sentenced to two years in prison for hacking his old company.

This sysadmin had been let go by his company in 2010, taking all of his credentials with him. Or maybe he simply remembered them; no one can prevent that. A few days later, he logged back on to his former employer’s servers and installed backdoors to ensure easy access later on. Then he downloaded data he had worked on while he was still part of the company.

After that, he ran scripts that were supposed to erase the logs of his actions. The scripts malfunctioned, and the company, an ISP, became unreachable for a week. More than 500 businesses and 5000 customers were unable to access their online services (their website, their email, etc.). Many clients were lost, and the company’s reputation took a heavy hit too.

Facing the “leaver” threat efficiently by proper access governance

It is well known today that many data leaks originate inside the company. In this precise case, a former employee simply logged in to retrieve data from the company that had just fired him. He did some damage while trying to cover his tracks, but with the access he still had he could have destroyed a lot more (deleting all the hosted sites, exposing servers to outside attackers by disabling protective measures, and so on).

This story depicts one of the many threats that Brainwave GRC can reduce and monitor. An account remaining active after the employee has left the company should raise flags in the governance system, giving managers a chance to correct the anomaly quickly and easily.

Furthermore, in this story, the account belonged to a system administrator and should have been flagged as a “high privileges” account, given the authorizations it had to access the company’s critical assets.

Brainwave GRC’s added-value : using your own data to its full potential

By cross-referencing HR data with application accounts and reconciling the two, this negligence would have been highlighted easily.

Brainwave GRC automates your controls and generates reports on abnormal situations, such as active accounts belonging to leavers together with their last login date, and can highlight contextual information (organization, job title, manager, etc.). These abnormal situations can also be easily detected with the solution during access review and certification.
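The HR-to-account reconciliation described above, as an added worked example that is not Brainwave GRC’s code. It joins a constructed HR extract with a constructed account extract from several applications, skips disabled accounts, and reports every enabled account whose owner has left (with last login date, job title and manager for the reviewer) plus every enabled account with no HR owner at all. An account that is privileged or that was used after the departure date is rated critical, which is exactly the New York sysadmin scenario.

```python
"""Leaver reconciliation: flag accounts still enabled after HR says the person
has left, plus enabled accounts with no HR owner at all.

Added example, not Brainwave GRC's code. The HR extract and the account
extract below are constructed sample data for hypothetical people and apps.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    name: str
    status: str                 # "active" or "left"
    leave_date: Optional[date]  # set when status == "left"
    job_title: str
    manager: str


@dataclass(frozen=True)
class Account:
    app: str
    login: str
    person_id: Optional[str]    # None when no HR record could be matched (orphan)
    enabled: bool
    last_login: Optional[date]  # None means never logged in
    privileged: bool            # admin/root-style rights in that application


# Constructed HR extract (hypothetical people).
HR = [
    HrRecord("P001", "A. Lopez", "active", None, "Accountant", "M. Chen"),
    HrRecord("P002", "B. Singh", "left", date(2017, 3, 31), "System Administrator", "M. Chen"),
    HrRecord("P003", "C. Dubois", "left", date(2017, 5, 2), "Intern", "A. Lopez"),
]

# Constructed account extract collected from several applications.
ACCOUNTS = [
    Account("AD", "alopez", "P001", True, date(2017, 5, 15), False),
    Account("AD", "bsingh", "P002", True, date(2017, 4, 6), True),            # leaver, admin, used after leaving
    Account("Salesforce", "bsingh", "P002", False, date(2017, 3, 20), False),  # already disabled: fine
    Account("SAP", "cdubois", "P003", True, None, False),                     # leaver, never used, still enabled
    Account("Linux", "svc-backup", None, True, date(2017, 5, 10), True),      # no HR owner at all
]


def reconcile(hr, accounts, as_of):
    """Cross-reference accounts with HR; return anomaly findings, most severe first."""
    people = {p.person_id: p for p in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not an exposure
        owner = people.get(acct.person_id) if acct.person_id else None
        if owner is None:
            findings.append({
                "kind": "orphan_account", "app": acct.app, "login": acct.login,
                "privileged": acct.privileged, "last_login": str(acct.last_login),
                "severity": "high" if acct.privileged else "medium",
            })
            continue
        if owner.status != "left":
            continue
        used_after_leaving = (acct.last_login is not None
                              and acct.last_login > owner.leave_date)
        findings.append({
            "kind": "leaver_account_active", "app": acct.app, "login": acct.login,
            "owner": owner.name, "job_title": owner.job_title, "manager": owner.manager,
            "leave_date": str(owner.leave_date),
            "days_since_leave": (as_of - owner.leave_date).days,
            "last_login": str(acct.last_login),
            "used_after_leaving": used_after_leaving,
            "privileged": acct.privileged,
            # admin rights or post-departure use: the sysadmin scenario from the story
            "severity": "critical" if (acct.privileged or used_after_leaving) else "high",
        })
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], f["app"], f["login"]))
    return findings


def run_example():
    """Run the control against the constructed data as of 1 June 2017."""
    return reconcile(HR, ACCOUNTS, date(2017, 6, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f["severity"].upper(), f["kind"], f["app"], f["login"],
              "manager=" + f.get("manager", "n/a"))
```

The orphan case is included deliberately: an account that cannot be matched to any HR record is often a leaver whose identifier was never linked, or a service account nobody owns, and either way it is the population where the leaver control is blind unless it is reported separately.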

Implementing departure processes for employees and contractors is standard practice when an identity lifecycle management policy is in place, but checking that these processes actually work is an underestimated task, when it is not completely ignored over the medium and long term.

Governance and continuous improvement will help you realize what is done wrong and what could be improved in your company, all this only by using your own data.

Cyber risks and Brainwave GRC benefits for Imran Ahmad, National leader cyber security at Miller Thomson


Brainwave GRC video interview of Imran Ahmad, Miller Thomson partner




Businesses are struggling to identify what they should be looking at or not. We are seeing an increase in terms of cyberthreats and cyberattacks and it’s not a question of ”if it will happen”, it will happen to you.

At that point: Are you ready to respond in an effective way and what can you do to mitigate the risks?

To monitor the risks in real time and to identify a conduct or a behavior which is outside of the norm is like finding a needle in a haystack…


Imran Ahmad is a Business Law Partner in the Miller Thomson Toronto office and specializes in the areas of cybersecurity, competition and foreign investment law.

As part of his cybersecurity, privacy and data breach practice, Imran works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches. He focuses on legal risk assessments, compliance, due diligence and risk allocation advice, security and data breach incident preparedness and response. He also provides representation in the event of an investigation, enforcement action, or litigation.




Identity Analytics is crucial to your DX (digital transformation) success

With ”the risk-aware user access review for access certification”, identity analytics reduces the cost and burden of the user access review and brings ”trust” to your digital transformation strategy.

Do you know how to balance Digital Transformation and IT Security when your organisation is facing the challenge of managing and securing the access of thousands of users to hundreds of legacy and new Digital or cloud applications?