Good software implements good process.
I love mistaken identity films. I watched Alfred Hitchcock’s North by Northwest a couple of months ago. In that story, Cold War enemy thugs are out looking for a secret government agent. Due to a simple mix-up in a hotel lobby, Roger Thornhill (played by Cary Grant) is mistaken for the agent. Thornhill is in the wrong place at the wrong time. Despite his strong protests, the thugs persist with their mistake and kidnap him.
The story reveals that the agent is a fictitious identity created by a secretive federal government organisation. The thugs don’t know what the agent actually looks like; no one has ever met him before. The feds observe the growing calamity and decide that it might be advantageous to their cause to maintain the ruse, so they keep their distance and leave Thornhill to try to survive on his wits alone.
This story (and many others in the mistaken identity genre) highlights the human capacity to make mistakes. We put our trust in the wrong things and convince ourselves that we have made the correct choice. We even proceed when the evidence is shaky and there are other facts we should consider.
Good software, good processes
Of course, the people that we deal with are not protesting their innocence. They are bona fide and hardworking employees. However, this story does highlight the issue of trust: what processes do we put our trust in, and are those processes trustworthy?
Even in the world’s largest organisations with thousands of new employees onboarding every day, there will inevitably be a personal interaction. For a person onboarding, there will be identification, artifacts, processes, and systems that we will have to place our trust in. But are they trustworthy? If I have never met this person before, how do I know that their identity is correct? Surely the evidence before me is enough to proceed?
Your HR system, coupled with your Identity Management system, is the first line of defence in securing your organisation’s data. Good software is crucial for good process; for example, data entry lockouts can prevent a malicious person from being on-boarded.
“Ah darn, I left my passport at home and my driver’s license is in my other wallet. Could we just pretend that you have seen them? My boss really needs me to start work today.”
“Sorry – the system won’t let me click OK without a valid number.”
Electronic Identity Verification
Is the mere existence of documentation enough to get a person access, or is there an impartial person who can examine the document and provide sign-off via a workflow? If you rely on passport or license numbers, are there validity checks on the numbers? An electronic Know-Your-Customer (eKYC) service such as Jumio can be utilised before the system will accept the data.
Common Identity Issues
Some other issues to consider:
- Is your onboarding process robust enough to ensure that identification steps are not skipped or glossed over? Our products and solutions can provide workflows to control the onboarding process that won’t slow your business down.
- Do you use a third-party vetting service? Assertiv Consulting partners with world-leading identity verification solutions that protect against identity theft or impersonation.
Likewise, is your off-boarding and de-provisioning process effective? Do you even have one? Are there any manual processes that could be forgotten (or fudged)? I once had several disused swipe cards in my drawer at work. One was for a card reader network that had been replaced. Others were for buildings I used to work in.
Was there a system to track the issuance and return of such things? Could I have used them to cause harm? A valid swipe card does not set off an intruder alarm. Without an effective off-boarding process that links to these oft-forgotten systems, organisations could be leaving their premises open to illicit activities. Assertiv Consulting can reveal these gaps and provide solutions and mitigation through an Identity and Access Health Check.
A case of false or mistaken identity could be ‘covered up’ by someone for illicit activities. Alfred Hitchcock’s government organisation had the opportunity to rescue Roger Thornhill but chose not to. Assertiv Consulting can assist in the development of regular review processes and escalations that can mitigate this situation.
What about your Roger Thornhills?
Unfortunately, Hollywood has provided criminal elements with lots of ideas on how to fool their way into positions of trust. What is needed is a sober analysis of your organisation’s on- and off-boarding processes, identity and access governance, and day-to-day HR processes to ensure that no gaps are available for exploitation. Assertiv Consulting can help you to ensure there are no Roger Thornhills amongst your users.
Gary Morris is a Principal Identity Consultant at Assertiv Consulting with 12 years’ experience in delivering Identity and Access Management systems. He is also an avid Alfred Hitchcock fan.