Businesses are becoming increasingly aware of the importance and value of maintaining their employees’ identities and controlling who can access confidential business information.
However, given the steady increase in identity theft and the misuse of confidential business data, some are clearly not managing their employees’ identities and access as well as they should. Such issues are affecting the ability of organisations to comply with regulations, as well as having a financial and confidence impact when sensitive information is leaked.
Donal Casey, security adviser with business consultancy Morse, says this is not an easy problem to fix.
‘Modern business environments are as intricate and complex as spiders’ webs, comprising a multitude of applications, diverse information points and varying types of users,’ he says. ‘This makes it difficult to determine and control how information is accessed and used.’
Without the correct security measures in place to determine who can access information, users may be able to retrieve any confidential information they want, with potentially disastrous consequences for the business. Providing legitimate network access, while retaining control over hackers and unscrupulous employees, has become a delicate balancing act.
The biggest challenge to corporate security today is the human factor – be it a disgruntled or careless employee or a sophisticated professional hacker.
According to research published last year by YouGov, almost a third of UK company directors take confidential corporate information with them when they change jobs.
Digital security has to involve the whole organisation, rather than individual departments or applications.
Mike Neuenschwander, research director at analyst Burton Group, says that identity-based access systems are becoming essential for enterprise infrastructure. ‘Large-scale issues ranging from identity theft and public safety to business trust and corporate accountability are symptomatic of an infrastructure pushed beyond its design parameters,’ he says.
While risk frequently drives identity and access management projects, large organisations are also struggling to meet compliance requirements.
‘As organisations tighten control over information systems to meet security and regulatory goals, managing access to applications and data is becoming the core ingredient in compliance solutions,’ says Neuenschwander.
A poor understanding of information value results in persistent business exposure to risk. Ian McGurk, head of security at consultancy Plan-Net, says that organisations are ignoring the security of sensitive information.
‘Without a robust understanding of the value of business-critical information, including anything from personnel records to client lists, organisations can have little confidence that employees will behave appropriately,’ he says.
It is the lack of awareness among staff of the need for information security that creates problems, resulting in passwords being written down in plain view, giving unauthorised individuals access to systems.
It can also result in foolish behaviour such as leaving PCs unlocked and open to anyone while away from the desk, or leaving laptops on the back seat of cars rather than locked in the boot. Safeguarding company information depends as much on the people as on the technology.
Kiran Sandford, partner and IT legal expert at law firm Mishcon de Reya, says that from the legal point of view, one of the things that is critical in user identity is education.
‘The majority of users are honest, but there are fraudsters around,’ she says. ‘When users find themselves confronted with a number of different passwords, they get into the yellow sticker syndrome. Education is about users understanding that if they reveal their password it will cause problems to the business, and why.’