For your eyes only
Managing employees’ access to sensitive data is becoming a pressing issue for utilities. Patrick Fink, Sven Sando and Patrick Risch report on how effective identity and access management can address the challenge.
In today’s corporate environment, protecting invisible assets such as information is just as important as protecting physical assets. Companies should invest in a good identity and access management (IAM) system that ensures employees have just enough information to perform their duties, while restricting access to any data that is unnecessary or could potentially harm the company if misused.
Employees who misuse sensitive data can:
- Cost a company money
- Threaten intellectual property
- Risk the safety of operations
- Damage its reputation
As we move to a “dual-use environment” in which people use devices, laptops or mobile phones for both corporate and personal use, this issue is more pertinent than ever.
Protecting sensitive data is particularly critical for power and utility companies (P&Us) as they manage the “unbundling” of the energy sector, increasing regulation and the avalanche of data generated by smart metering systems.
Industry transformation brings data pressures
The separation – or “unbundling” – of vertically integrated utilities into separate businesses responsible for energy generation, transmission, distribution and retail sales has brought the need for diligent IAM into sharp focus.
In most regions, regulatory guidelines mean utilities must have IAM systems in place that control how employees access the data of these unbundled businesses. The rules may differ between jurisdictions, but the requirement is usually addressed in one of the following ways:
- Implementing different systems
- Separating internal systems (if possible)
- Separating the data in the system via access and authorization methods
All of these approaches are challenging and highlight the need for companies to consider their choice of IAM carefully.
The ongoing rollout of smart metering systems also puts pressure on utilities to better control how employees view and use information. The big data generated by smart meters will give companies an almost complete picture of individual customers – including where they live, their energy usage, what appliances they use and when they are home.
It is critical that utilities ensure their IAM systems protect against misuse of this private information.
In our experience, most utilities are aware of the need to establish clear data boundaries, but many are still coming to terms with what is required of them and the implications of overlooking the security of sensitive data.
Larger, better-resourced utilities tend to be doing better than smaller companies. Also, those based in regions subject to more regulation, such as the US and Europe, usually have more-advanced IAM systems and policies than those in less heavily regulated areas, such as the Middle East and Africa.
More than an IT challenge
We see companies make some common mistakes regarding IAM. These include:
- Considering it an IT department issue
- Thinking that it can be solved by implementing a tool
- Focusing too much on security
A successful IAM strategy requires a far broader approach based on the understanding that it is an organizational challenge that requires fundamental cultural change driven from the top down. Everyone from the CEO to the mailroom clerk must be engaged and committed to the appropriate use of sensitive company data.
We work with companies in power and utilities and other sectors to put in place a step-by-step process for developing an IAM program:
- Conduct an IAM readiness check, including an information security assessment
- Engage with all stakeholders regarding the results of the IAM check and agree upon IAM goals
- Develop an IAM road map to achieve these goals
All P&Us must control employees’ use of data, but those that strive for IAM excellence go beyond regulatory requirements. They make real business and cultural changes that improve processes and achieve competitive advantage.
Worth the investment
Investing in a strategic and holistic IAM program will reap numerous benefits for power and utility companies. It will enable them to:
- Comply with regulatory guidelines regarding access rights
- Gain peace of mind about the security of their data
- Improve the flexibility and transparency of their processes
- Guard their reputation
- Speed up processes and improve productivity
In an age when information is a company’s most valuable asset, maintaining control over it is more important than ever.
How we can help
At EY, we are a leading IAM transformation partner, supporting our clients across all aspects of IAM challenges – from creating policies and procedures through to the implementation of processes and controls, including training and change management. Our leading practices and deep sector knowledge mean we can offer fully individualized processes to improve the performance of IAM while increasing security and compliance and without harming the speed of the transformation process.
For more information
Read more about IAM in our article “Off limits: controlling employee information access”, originally published in Performance.