When onboarding new hires at community banks and credit unions, there are several ways financial institutions can provide employee access to banking systems. From our talks with banking professionals, we’ve learned a lot about the most commonly used provisioning processes and how they leave the door open for costly cybersecurity breaches.
There are many methods for determining who should get access to which systems. And because banks have so many systems to account for, often hundreds, a lack of a centralized, streamlined provisioning process can lead to errors. Here’s a look at some of the ways many banks are currently maintaining their record-keeping for granting account access and how switching to an identity management solution can mitigate opportunities for risk.
Mirroring, Copy & Paste, and Templating
Each of these methods varies slightly, but all are based on the premise of assigning an employee system access according to their role within the financial institution. For example, Employee B may be a new hire whose projected job responsibilities look very much like those of Employee A; therefore, Employee B is assigned the same permissions as Employee A. While using a template is usually a close match when setting system access, there are still instances where Employee A has access to a system that Employee B doesn’t need. In this case, Employee B has been over-granted access, which will be flagged on an audit and has the potential to create cybersecurity and/or compliance issues.
Case by Case
Granting permissions on a case-by-case basis relies upon institutional knowledge based on experience. For example, someone who’s worked at the bank for years may just “know” what permissions a new employee would need, but there is a significant risk for human error when assigning permissions from memory.
Each of these methods is time-consuming, inefficient, and risky. In our experience, these outdated means of granting and recording system access, typically via individual spreadsheets, shared drives, etc., carry an estimated 20-40% chance of errors, which leaves the door wide open to security breaches or compliance issues down the road.
There are also many obstacles to the processes described above, all sharing one central theme: the lack of a formal process. Problematic drawbacks include:
- Access points that have not been removed
- Duplication of efforts between human resources, IT, and the Help Desk
- Over-granting of system access
- Potential for negative audit findings
- Difficulty managing contractors/external permissions
- No single source-of-record for audit history
- High potential for human error
But perhaps the most concerning issue with manually granting permissions is the serious cybersecurity and compliance threat that arises when accounts are not properly deprovisioned. When an employee leaves a bank, many IT departments will simply turn off firewall access. This cuts off the former employee’s access to the network but doesn’t prevent internal breaches from happening. Employees may have shared logins in the past, so turning off firewall access doesn’t stop current employees from using a former employee’s account to access various systems. These are called ghost accounts, or missed deprovisioning, and they contribute to nearly 40% of security breaches from internal sources. It is essential to deactivate a former employee’s account access altogether, and the most effective way to do this is by using the automation that comes with role-based access.
Additionally, having no central data source makes it hard to prove to auditors when access was assigned and/or revoked. Auditors typically aren’t satisfied with simply turning off firewall access. They are going to take a deeper dive, and this can become quite costly.
Switching to RBAC
Identity and access management (IAM) enables a better way to manage account privileges, with access justified by policy through role-based access control (RBAC). RBAC formalizes and consolidates the provisioning process by assigning permissions to users based on their role within the organization rather than on a per-person basis. Furthermore, it provides a well-defined, systematic set of rules for a more consistent and easily auditable approach to setting up internal access across the organization. Another benefit of RBAC is that it enforces the principle of least privilege, which ensures that system access is limited to only what an individual needs to perform their job, and nothing more.
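The following is an added illustration, not code from any vendor product or from this article, of the three points above: role-based grants instead of copy-from-colleague grants, detection of over-granting when a colleague's access is mirrored, and a deprovisioning step that disables the account and leaves an audit trail of when access was assigned and revoked. The role names, system names and users are constructed examples.

```python
"""Minimal role-based access control (RBAC) model with an audit trail.

Added example for illustration only; the role catalogue, system names and
user names below are constructed, not taken from any real institution.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Role catalogue: each role maps to the set of "system:permission"
# entitlements that role needs, and nothing more (least privilege).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"core:view_accounts", "core:post_transaction", "email:mailbox"},
    "loan_officer": {"core:view_accounts", "los:originate", "email:mailbox"},
    "branch_manager": {"core:view_accounts", "core:post_transaction",
                       "core:approve_override", "los:originate", "email:mailbox"},
}


@dataclass
class AuditEvent:
    when: str      # UTC timestamp, so an auditor can see exactly when it happened
    actor: str     # who (or which automated process) made the change
    action: str    # "provision" or "deprovision"
    subject: str   # the user account affected
    detail: str    # roles granted or removed


@dataclass
class Account:
    user: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True


class Directory:
    """Single source of record for role assignments and their history."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, subject: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     actor, action, subject, detail))

    def provision(self, actor: str, user: str, roles: Set[str]) -> Account:
        # Only roles from the catalogue may be assigned; ad hoc permissions
        # (the spreadsheet/copy-and-paste approach) have no path in here.
        unknown = set(roles) - ROLE_ENTITLEMENTS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        account = Account(user, set(roles))
        self.accounts[user] = account
        self._log(actor, "provision", user, ",".join(sorted(roles)))
        return account

    def effective_permissions(self, user: str) -> Set[str]:
        account = self.accounts[user]
        if not account.enabled:          # a disabled account holds nothing
            return set()
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in account.roles))

    def check(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)

    def deprovision(self, actor: str, user: str) -> List[str]:
        """Disable the account and strip every role, recording what was removed."""
        account = self.accounts[user]
        removed = sorted(account.roles)
        account.roles.clear()
        account.enabled = False
        self._log(actor, "deprovision", user, ",".join(removed))
        return removed

    def access_history(self, user: str) -> List[AuditEvent]:
        """Everything an auditor needs to see for one user, in order."""
        return [e for e in self.audit if e.subject == user]


def over_granted(mirrored: Set[str], intended_role: str) -> Set[str]:
    """Permissions a mirrored (copy-from-colleague) grant holds beyond the
    entitlement of the role the new hire was actually meant to have."""
    return mirrored - ROLE_ENTITLEMENTS[intended_role]


if __name__ == "__main__":
    d = Directory()
    d.provision("hr-feed", "new.teller", {"teller"})
    # Mirroring a branch manager's access for a new teller over-grants:
    print(sorted(over_granted(ROLE_ENTITLEMENTS["branch_manager"], "teller")))
    d.deprovision("hr-feed", "new.teller")
    for e in d.access_history("new.teller"):
        print(e.when, e.action, e.detail)
```

Because the only way to obtain permissions is through a catalogued role, `over_granted` is what a reviewer would run against any legacy account whose access was copied from a colleague, and `access_history` answers the auditor's question of when access was assigned and revoked without consulting a spreadsheet or shared drive.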
5 Benefits of RBAC
- More controls in place and consistent results, reducing the risk of human error; allows user access to be tracked 24/7, supported by real-time, audit-ready documentation
- Decreases the amount of manual task work, resulting in increased employee productivity; saves hundreds of hours per year by reducing duplication of effort
- Simplifies account provisioning, deprovisioning, and regulatory compliance
- Centralization of access policies: removes room for error by storing data at one central point of reference, not on a spreadsheet, shared drive, or other unreliable means of record keeping
- A repeatable and reliable process that’s always working
Interested in learning more? Check out our on-demand webinar, 5 Benefits of Role-Based Access Provisioning, to hear directly from our team.