Thanks so much. I'm really happy to be here today to talk to y'all about the tricky business of protecting your assets and SAP. So we're gonna go through a quick conversation around the current risk landscape, talk a little bit about the silo effect, and then move into the future of risk management and the holistic approach that we recommend here at SailPoint. So starting things off: 11.45 million US dollars. That's the global average cost of an insider threat event.
Of course, cost varies based on the type of incident, the size of the organization and the number of incidents per year. Large organizations with significant headcounts on average have about 17.92 million over the year in spending to resolve their insider threat related incidents. It's no surprise that fraud's on the rise. It's not really showing any signs of subsiding. And the frequency of fraud has tripled over the past four years.
According to the Ponemon Institute, their 2020 Cost of Insider Threats report study. The costs are obviously rising.
Threats are rising and we're really seeing, you know, a significant increase just by the nature of the environment that we're in today. We'll talk a little bit more about that momentarily. In general, companies lose about 5% of their annual revenue to fraud, which is a statistic provided to us by the Association of Certified Fraud Examiners. To put it in a little bit of perspective, 5% doesn't sound like much, but if you have 250 billion in revenue, that's about 12.5 million annually that you're losing through fraud.
If you're a smaller organization, 20 million in revenue, that's a million dollars in loss. That's not really insignificant when you think about where those losses could potentially fund other areas of the organization. So let's take a step back and look at the root cause of these losses. Most are the result of insufficient identity governance. In a lot of cases it's related to over provisioning of access and a lack of, excuse me, still early in the morning here, lack of separation of duties or weak access controls.
So moving on: 94%. That's the number of survey respondents to the Identity Defined Security Alliance, their report, that have had security, or excuse me, identity related breaches. The more surprising figure is that 99% of those folks who responded said that those incidents were absolutely preventable. With the number of workforce identities in the enterprise growing and shifting dramatically, the number of resources used across an organization, and having a strong focus on managing and governing access somewhat taking a backstage to other, what are considered, business critical events, we're starting to see a rise in a need for a stronger security program that adds significantly more integrity to the overall impact of the organization's position as it relates to protecting against these types of events.
Obviously, when we're looking at insider threats, and particularly fraud and loss of sensitive data that's attributed to our employees, we need to consider that the malicious types of acts that are typical in these type of events make up 86% of our insider threats.
So, you know, it's, it's a significant increase in, in the number of, of incidents and the significant increase in the number of, of folks who are, are doing this from, from an insider perspective.
And that's really related to the overall position where we're at within, within the economy and within our overall, you know, position within the global pandemic. Speaking of the global pandemic 14, that's the number of months that we've had or the number of months that we have, you know, been dealing with the global pandemic.
And it's, it's really ushering in a new way of the way we go to work the way we live. And, and obviously the way that we, we look at opportunities for risk.
So, you know, with, with all those changes, we're seeing obviously the, the recession that's associated with, with the pandemic, we're seeing record unemployment, we're seeing significant challenges overall to the way that we go to market across the world.
So it's, it's not surprising that as we see these, these types of impacts that that affect all of us, that we're opening the door for opportunity, right?
So if we think about, you know, the, the, the fraud triangle in terms of, you know, rationalization pressure and opportunity, we're, we're seeing those three components combined with all of those, you know, economic and, and social type impacts created by the pandemic. We're, we're seeing, you know, significant challenges in terms of new cyber threats, new internal threats, and, and new opportunities that are, you know, pushing folks to consider, you know, types of nefarious activities that we look to stop.
So we we're already, you know, compounding what we're, we're seeing as a risk prone situation when it comes to internal threats.
Whenever we think about, you know, some of the, the points that the certified fraud examiners association and others have, have identified, we need to take additional precaution, you know, as we continue to struggle through the response to the pandemic and take some, some pointers from lessons learned in terms of the statistics that we saw during the 2008 recession and align that to understanding that these types of events do typically coincide with an increase in fraudulent type of events.
So let's talk a little bit about the silo effect.
So obviously we talked through some of the statistics. Risk is rampant. The cost of risk, not only in terms of its impact, but the cost of working to address mitigating activities to help prevent risk, is increasing as well. Many companies are unknowingly putting their business at greater risk or complicating risk management because of this siloed effect.
So if we think about our core business processes, and we think back to when we actually implemented an ERP, one of the justifications, one of the drivers for implementing an ERP solution was really to integrate business processes, share master data and centralize financials, right? Because prior to the world of ERPs, we had siloed business processes. You know, functional areas didn't speak to one another. We had a lot of interfaces, manual processes and whatnot that led to some pretty significant inefficiencies.
So my question to the audience is: why should we approach identity security and access controls any differently? Right. If we think about the value that we've gained from integrating our core business processes and enabling that sharing and master data centralizing financials and the efficiencies and opportunities for growth and cost savings that we were able to derive from those activities by simply implementing an ERP, it would make sense to take a similar approach when we think about identity security and access controls. So what does that look like?
So the concept here is really to unify SoD, access control and identity governance into a centralized solution. So we think about, you know, an identity governance solution. We can leverage it to predict the impact and risk of security changes. We can introduce mitigating controls and perform remediation directly within the provisioning workflow. By integrating with an access control type solution, you know, the additional connectivity to multiple ERPs and the ability to perform cross app risk analysis.
That enables us to be able to position a presentation of a holistic view of our business processes, spanning multiple systems and exposing a 360 degree view of our organizational identity risk landscape. In my opinion, that's significant, right? Being able to have complete visibility across your identity risk landscape enables our, you know, organizations to be able to take a more proactive approach to risk by not having to jump from system to system by not having to, to enact as many manual processes to go back and detect after the fact.
So let's talk a little bit about the future of risk management and governance. So I think this is something that's, that's probably top of mind for a lot of folks at this point. So when we think about digital transformation, one of the key callouts here is really understanding that digital transformation is much of an organizational change event as it is a technology event.
You know, obviously our end goal is to improve operational efficiency and have a positive impact to business growth. However, gaining our business buy-in throughout this process is ultimately gonna dictate our overall success, right? So the question is really, how do we get here?
How do, how do we get to that point of, you know, declaring success for our digital transformation efforts? I think it's really combined into these three thoughts. We've gotta have consistency in terms of our user identity details and identities aren't necessarily just individuals, right?
If we think about, you know, particularly in the SAP space, the number of non-person IDs that are in the system that we need to care for can be significant in a lot of organizations, depending on the way that they approach the role design for those non-human identities.
We're also seeing obviously the rise of robotic process automation and other non-human type identities that we need to care for. So being able to centralize that in one location, to be able to look at across the organization holistically, is key. Talk a lot about data: centralization of our data, unification of data and standardization of data are all key in any project, any transformation, whether it be, you know, an ERP transformation, moving the needle in terms of your identity security and access governance position, you know, or digital transformation.
One of the key drivers to success here is data cleanliness, data accuracy, data availability. Finally, if we think about our, you know, cloud solutions, I think we talk about a lot of the negative impacts of the pandemic. I think one of the positive impacts has been it's expedited a lot of organizations' move to more, you know, transitioning more of their assets to the cloud.
Obviously there's some risk there, but in overall I think cloud solutions are going to give us significantly better scalability and agility whenever it comes to, you know, growing our organizations and particularly growth within, you know, your organization's evolving access risk governance program.
So let's talk about a few of the steps we can take today.
You know, we talk a lot about automation of, of these activities around, you know, access governance and, and identity security. And I think from an automation perspective, you know, we're really talking about being more proactive in our approach to risk prevention.
You know, we mentioned a couple of times, you know, that 360 degree continuous visibility across your multiple applications, multiple solutions in one central location provides you the best point of view to be able to make decisions. It's all about having actionable, business ready intelligence, and being able to centralize that in a single pane. It is key to being able to, you know, be more proactive in your positioning to be able to combat fraud, you know, fraudulent events and cyber threats.
And, and finally, you know, we're really talking about using a tool set that enables us to, to look at risk before it's actually provisioned into our production landscapes. Right?
So being able to look at the potential of exposing a risk in production before it actually gets there is certainly key to being proactive, to limit the opportunity for someone to take advantage of, you know, what we talked about earlier in terms of an environment that is ripe for invitation of individuals taking advantage of the work from home environment and, you know, the opportunity that presents itself given the times that we are facing today.
So continuing on with steps we can take, you know, zero trust is I think the big call out for me. You know, starting my career in audit and moving more into security design and access controls, being able to treat all users as threats, in my opinion, is a best practice, right?
That goes back to trust, but verify, and understanding, you know, what are the identities that have access to the applications and systems within my organization, understanding what devices they're using to connect to those assets, and understanding where they're connecting is key in terms of taking more of a proactive approach. Looking at SoD across applications, right. I think enterprise-wide visibility is an important call out because risk doesn't just reside in one application.
It, it can be a combination of applications that, that expose organizations to risk, whether it be from a data perspective, whether it be from an application access perspective or a combination of the two.
Finally, if we think about, you know, machine learning and artificial intelligence, we're able to start moving into a future state to where we can model and automate users' access in near real time. Right?
So if we think about, you know, taking ML and AI concepts and overlaying them with identity security and access governance, we're starting to be able to take steps to make this space really interesting again, and introduce some concepts that, you know, enable us to take a look at, you know, position and activity and job function and peer group analysis, and, you know, mold that into a view that enables us to see whether or not access is occurring within an application that appears to be out of band based on, you know, similar other employees in similar locations for a particular user.
So I think moving into this concept of smart identity is certainly one of the next steps that we're looking at at SailPoint, and that we'll be pursuing moving forward to be able to provide an additional axis of risk and additional axis of response that significantly improves organizations' ability to be more agile in their approach to addressing risk across their organization.
So with that, I'd like to thank everyone, and once again thank KuppingerCole for providing the opportunity to speak today.
You know, again, really excited to have, you know, the time with you all today. Happy to answer any questions here during the final couple of minutes, as well as, you know, if you wanna reach out to me directly, don't have an opportunity to ask the question here live, certainly happy to connect with you offline. You see my contact information here on the last slide. So thanks again, everyone, looking forward to answering a few questions for, for.