Off limit: controlling employee information access

In today’s corporate environment, protecting invisible assets such as information is just as important as protecting physical assets. Companies should safeguard sensitive information by investing in a good identity and access management (IAM) system that controls employees’ data access rights, whether they are working in the office or remotely. For businesses today, looking after their data means looking after their reputation.

To limit the chances of sensitive information falling into the wrong hands, most companies have IAM systems assigned to their IT networks. IAMs are security systems that give employees access via their computers to job-related resources and applications. Restrictions are also in place to prevent workers from accessing information that has no relevance to their specific roles.

We are moving to a "dual-use environment" in which people use devices, laptops or mobile phones for both corporate and personal use.

We’ve worked with a number of companies that have paid the price for not establishing clear data boundaries.

For example, one human resources (HR) employee created a fictitious worker on his company’s database. He then added his own bank account details to the non-existent staff member’s profile to claim a second monthly salary. The fraudster was authorized to access many company databases, enabling him to carry out the deception.

Some businesses have no choice but to establish IAM systems to satisfy a regulatory requirement. One example is ING Direct Australia, which, in 2011, implemented an IAM system to limit the number of employees with unverified access to core banking networks and applications.*

Some two months after setting out to improve its IAM system, the financial institution was able to control access rights to business policies, manage risk and remove the possibility of a rogue employee gaining access to financial records.

ING’s success illustrates the importance of investing in high-quality IAM software. Not only does it enable companies to comply with regulatory guidelines regarding access rights, it also gives them peace of mind about the security of their data. In an age when information is a company’s most valuable asset, maintaining control over it is more important than ever.


The complete article was written by:

  • Sven Sando
    Senior Manager, Advisory Services, Ernst & Young, Germany
  • Patrick Fink
    Consultant, Advisory Services, Ernst & Young, Germany
