If you have ever lost your keys, you know it is a real pain. Most people think it is prudent to change the locks rather than take the risk that someone might have found them and take advantage of you. Most likely the keys are in the cushions of a couch or were found by some harmless, trusting soul. However, why take a chance? Change the locks and sleep better.
Organizations have been losing track of keys (login credentials or login accounts) to their most important computer systems for decades and, as I showed in my last post, for larger organizations this amounts to about 100K keys for which they cannot answer the simple question: who controls this key? Mostly these misplaced keys are in safe hands but, in many cases, they are controlled by an ex-employee, consultant, partner, or current employee who has moved into another area and should no longer have that access. Some may use them against you.
Of course each one of these unaccounted-for keys is a potential negative compliance finding, but they also represent a ticking time bomb for a business reputation disaster – or worse. For example:
- The much publicized WestJet-Air Canada fiasco was enabled by an ex-employee login credential being misused.
- If you read between the lines on this Honeywell situation, I think we hear them saying that an ex-employee got in there by using a credential they gave him but did not control properly. So much for the honor system. We are supposed to feel better because the system was not “hacked” – small comfort for those affected. Don’t worry, Honey, they didn’t break into the house, they just used the key I lost last week.
- More recently we got an example of a huge public relations business reputation disaster with the TJX security breach. While we have no details of how the data was compromised, this is certainly the scope of event that might happen if one of the 100K lost credentials at any number of large corporations gets used for such nefarious purposes.
These risks can readily be mitigated by matching and dealing with all those old lost keys (login credentials) that have been ignored for decades. We can take care of it in a few months' time with a very modest project. Think of it as changing the locks.
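What that matching looks like in practice, as an added example that is not from the original post: a small reconciliation of a system's account export against an HR roster, using constructed sample data, that flags exactly the cases described above (no recorded owner, an ex-employee, a consultant HR does not know, and an employee who moved to another area).

```python
# Added example (not from the original post): reconcile a system's account
# export against an HR roster to find "lost keys". All data is constructed.
import csv
from io import StringIO

# Constructed HR roster: one row per person HR knows about.
HR_ROSTER = """\
employee_id,name,status,department
E100,Alice,active,finance
E101,Bob,terminated,finance
E102,Carol,active,engineering
"""

# Constructed account export: who each login was issued to and which
# department it was provisioned for.
ACCOUNTS = """\
login,owner_id,provisioned_for
alice.f,E100,finance
bob.f,E101,finance
carol.e,E102,finance
svc_batch,,finance
consult1,C900,finance
"""

def load_rows(text):
    return list(csv.DictReader(StringIO(text)))

def classify_accounts(hr_text, accounts_text):
    """Return {login: reason} for each account that fails the
    'who controls this key?' test; properly owned accounts are omitted."""
    people = {row["employee_id"]: row for row in load_rows(hr_text)}
    findings = {}
    for acct in load_rows(accounts_text):
        login, owner = acct["login"], acct["owner_id"]
        person = people.get(owner)
        if not owner:
            findings[login] = "no recorded owner"
        elif person is None:
            findings[login] = "owner unknown to HR (consultant/partner?)"
        elif person["status"] != "active":
            findings[login] = "owner no longer employed"
        elif person["department"] != acct["provisioned_for"]:
            findings[login] = "owner moved to another area"
    return findings

if __name__ == "__main__":
    for login, reason in sorted(classify_accounts(HR_ROSTER, ACCOUNTS).items()):
        print(f"{login}: {reason}")
```

Each flagged login is a key to change: disable it, or re-assign it to a named, current owner who is accountable for it.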
Until then, this should be keeping you up at night.