Hackers often attack company networks using compromised login information, a challenge for cybersecurity leaders who want to protect data and systems while allowing employees the access they need.
Experts say the solution is secure yet flexible identity-management tools and practices—but figuring out what is best isn’t easy. Recommendations include regular and thorough review of individual employees’ access to sensitive data and the use of tools to quickly revoke credentials when staff members leave.
Using multifactor authentication—which can combine passwords, codes, physical devices and biometric data—is a best practice, but employees push back when logging in gets too complicated.
Securing identities gets more challenging as a company’s supply chains grow and business partners have to access corporate systems.
When that happens, it no longer works to verify users’ identities through criteria such as whether they use a company laptop, said Mike Towers, chief information security officer, or CISO, at Japanese drugmaker Takeda Pharmaceutical Co. “Access is almost never exclusively limited to people from one company,” he said.
Technology to assess identity credentials is critical, said Frank Dickson, a program vice president for cybersecurity products at International Data Corp. “The foundation of security used to be a firewall. The perimeter is now increasingly shifting to identity,” he said.
Takeda’s security team approves credentials and decides what level of authentication to give each employee, while leaders from business units determine which employees require access to certain systems, Mr. Towers said.
However, some business leaders are reluctant to decide that themselves, he said. They want Mr. Towers to determine who gets which levels of access because they say handing off that decision will speed up the entire process, he said. Sales teams, for example, often want employees to receive corporate access quickly, he said.
To try to avoid friction, he explains the business risks that come with compromised account credentials.
One mistake corporate cybersecurity professionals make is to require multifactor authentication and other tougher security measures only for critical staff or employees who work remotely, said Wendy Nather, the head of advisory CISOs at Duo Security, a unit of Cisco Systems Inc. She advises Duo about how CISOs work.
But employees with lower-level privileges are also targets of hacking, she said. “Practically speaking, everyone is at the same level of risk today,” Ms. Nather said.
Credentials can be compromised if they aren’t quickly revoked when an employee leaves a company, or updated if an employee moves to a new position that requires a different level of access to data. Credentials can be especially vulnerable during acquisitions, when employees might leave a company abruptly and new staff members require quick access to accounts, said Takeda’s Mr. Towers.
Tomás Maldonado, CISO at International Flavors & Fragrances Inc., said the company has a straightforward process for revoking credentials when an employee leaves. But when employees transfer internally, the security team must manually review their credentials and determine whether they still require access to the same systems. That process can take time, Mr. Maldonado said.
He said he has been through about 50 acquisitions at companies he worked for in the past few years, including Takeda’s purchase of Ireland-based Shire PLC in January.
To make sure critical applications are available soon after an acquisition, Mr. Towers said he typically discusses priorities with executives. Tax systems and financial reporting applications are usually required immediately, he said. “It’s impossible to grant everyone access to everything on day one,” he said.
Some companies use technology to help them understand how people use their accounts, but monitoring behavior sometimes doesn’t go over well, said Steve Durbin, managing director of the Information Security Forum.
Takeda’s security team uses analytics tools to study how corporate accounts are used.
At IFF, an external vendor monitors employee activity and alerts the security team about certain kinds of behavior, such as if a new account is created with administrator-level access, Mr. Maldonado said. He wants to purchase or develop an artificial-intelligence system to track activity patterns. Budget constraints are the main consideration, he said, and the company will decide this summer whether it will proceed.
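The leaver and mover reviews described above (revoking accounts when employees depart, re-checking entitlements when they transfer internally) and the alert on newly created administrator-level accounts, combined into one added example in Python. This is not code from the article, Takeda or IFF; the HR roster, the identity-provider account export and the role-to-group baseline are constructed sample data, and the seven-day "new account" window and group names are assumptions.

```python
"""Joiner/mover/leaver access review with privileged-account alerting.

Added example, not code from the article or the companies it quotes.
Inputs are two constructed feeds: an HR roster and an account export
from a hypothetical identity provider, both embedded below.
"""
from datetime import datetime, timedelta

# Constructed HR roster: employee id -> employment status and current role.
HR_ROSTER = {
    "e100": {"status": "active", "role": "finance"},
    "e101": {"status": "active", "role": "sales"},        # transferred from finance
    "e102": {"status": "terminated", "role": "engineering"},
    "e103": {"status": "active", "role": "it-admin"},
    "e105": {"status": "active", "role": "engineering"},
}

# Constructed account export: one record per account in the identity provider.
ACCOUNTS = [
    {"user": "e100", "groups": {"finance-reporting", "tax-systems"},
     "created": "2019-02-01T09:00:00", "enabled": True},
    {"user": "e101", "groups": {"finance-reporting", "crm"},
     "created": "2018-06-15T09:00:00", "enabled": True},
    {"user": "e102", "groups": {"source-control"},
     "created": "2017-03-01T09:00:00", "enabled": True},
    {"user": "e104", "groups": {"domain-admins"},                 # no HR record
     "created": "2019-05-20T14:30:00", "enabled": True},
    {"user": "e103", "groups": {"domain-admins"},
     "created": "2016-01-10T09:00:00", "enabled": True},
    {"user": "e105", "groups": {"source-control", "domain-admins"},  # brand new
     "created": "2019-05-22T08:00:00", "enabled": True},
]

# Assumed role-to-entitlement baseline: the groups each role is expected to hold.
ROLE_BASELINE = {
    "finance": {"finance-reporting", "tax-systems"},
    "sales": {"crm"},
    "engineering": {"source-control"},
    "it-admin": {"domain-admins"},
}

ADMIN_GROUPS = {"domain-admins"}          # assumed administrator-level groups
NEW_ACCOUNT_WINDOW = timedelta(days=7)    # assumed "recently created" window


def review_access(roster, accounts, baseline, now):
    """Return findings in three buckets:
    revoke - enabled accounts for terminated or unknown people (leavers)
    review - accounts holding groups their current role does not justify (movers)
    alert  - admin-level accounts that are new or have no HR record
    """
    findings = {"revoke": [], "review": [], "alert": []}
    for acct in accounts:
        uid = acct["user"]
        person = roster.get(uid)
        created = datetime.fromisoformat(acct["created"])
        is_admin = bool(acct["groups"] & ADMIN_GROUPS)

        # Leaver (or orphan): HR says terminated, or nobody in HR owns the account.
        if person is None or person["status"] == "terminated":
            if acct["enabled"]:
                findings["revoke"].append(uid)
            if person is None and is_admin:
                findings["alert"].append((uid, "admin account with no HR record"))
            continue

        # Mover: entitlements beyond the baseline for the person's current role.
        excess = acct["groups"] - baseline.get(person["role"], set())
        if excess:
            findings["review"].append((uid, sorted(excess)))

        # Newly created account that already carries admin-level access.
        if is_admin and now - created <= NEW_ACCOUNT_WINDOW:
            findings["alert"].append((uid, "new account with admin-level access"))
    return findings


def run_review(now_iso):
    """Run the review over the embedded sample data as of the given timestamp."""
    return review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE,
                         datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for bucket, items in run_review("2019-05-24T00:00:00").items():
        print(bucket.upper())
        for item in items:
            print("  ", item)
```

The review deliberately keeps three separate buckets because they map to three different owners in the article: revocation is a routine IT action, mover findings go back to the business unit that decides who needs which systems, and the admin-account alerts go straight to the security team. Against a real identity provider the two embedded feeds would be replaced by its export API and the HR system of record.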