The shocking revelation that Jacksonville Jaguars employee Amit Patel is alleged to have stolen $22 million from the team over the course of 4 years sent reverberations through the sports world. This staggering breach put a spotlight on the critical need for strong governance and oversight practices in all areas of business and stands as a stark testament to the vulnerabilities that organizations face in the absence of stringent access and security controls. This incident, spotlighting deficiencies in identity governance administration (IGA) and segregation of duties (SOD), serves as an important reminder of the potential risks organizations face without robust security controls in place.
Identity Governance Administration (IGA):
This theft highlights the need for comprehensive and effective identity governance administration and what can happen when it is not in place. IGA plays a pivotal role in managing user identities and controlling access across an enterprise. It provides visibility into identities and access privileges, allowing organizations to implement controls to prevent unauthorized or risky access and to expose gaps in security protocols.
Patel's alleged actions, from creating fraudulent charges to manipulating financial statements, demonstrate the significance of having a robust IGA framework with appropriate checks and balances. The Jaguars' transition to a virtual credit card system, while on the surface a secure measure, exposed vulnerabilities due to the reliance on a single individual, Patel, who became the go-to expert. The added element of the departure of a critical employee from the accounting department further weakened the system, emphasizing the need for continuous monitoring and controls.
Segregation of Duties (SOD):
Any strong IGA program must also include a thoughtful plan for segregation of duties. SOD is a fundamental element of an effective control system, designed to prevent any single individual from having unchecked control over crucial tasks or transactions. Patel's ability to exploit the Jaguars' finance department's vulnerabilities, partly due to understaffing and turnover, highlights the need for well-defined roles and responsibilities as well as checks and balances.
Amit Patel is said to have exploited the team's virtual credit card program using the money to buy two vehicles, a condominium, and a designer watch, among other things. In a tightly run business such a prolonged fraudulent activity would be challenging to execute but the Jaguars’ lapse in strong SOD protocols allowed Patel to perform multiple roles without adequate checks and balances. That coupled with transition within the organization and the absence of key staff in the finance department created an opportunity for the system to be exploited.
A Wake-Up Call
The Jacksonville Jaguars' situation is not merely a cautionary tale confined to the sports arena; it is a wake-up call for all businesses across industries and should spur organizations to take a closer look at their corporate governance and cybersecurity strategy. Inadequate security protocols in the face of modern cyber threats significantly increases risk but the right cybersecurity solutions, appropriate risk mitigation, and strategic safeguards can help protect organizations against exposure to similar risks.
So what can organizations do to better protect themselves? There are a few key focus areas that can have an outsized impact.
- Review and Strengthen Controls: Regularly review and strengthen internal controls, focusing on SOD and IGA. This includes periodic audits and stress tests to identify potential vulnerabilities.
- Perform Continuous Monitoring: Implement continuous monitoring mechanisms to detect anomalies in financial transactions. This includes regular reviews of financial statements, especially in departments where turnover or transitions have occurred.
- Invest in Training and Awareness: Employees should receive comprehensive training on the importance of cybersecurity, with a specific emphasis on recognizing potential threats and reporting suspicious activities.
- Engage a Robust Identity Governance Platform: A reputable identity governance platform partner can strengthen your security posture. Look for a platform that offers advanced user identity management, access control, and continuous monitoring capabilities.
The Jaguars' incident serves as a powerful illustration of the need for vigilance and proactive measures in the face of cybersecurity challenges. Having clearly defined segregation of duties and strong identity governance administration can go a long way in mitigating similar risks, ultimately strengthening the security posture of organizations. That coupled with a strong identity governance platform can help businesses bolster security measures, ensure adherence to compliance standards, and proactively mitigate risks associated with unauthorized access that can lead to theft and data breaches.
At Clarity, we're all about staying one step ahead when it comes to managing risk. That's why our platform is designed to sniff out any potential high-risk issues before they even have a chance to cause any trouble. Once we establish your organization's SOD conflicts, our platform instantly tags any items that could be problematic. Then, our 10 Minute UARs let you quickly review those tags and take action to remove any conflicts. Plus, you can even see those conflicts when looking at a user's entitlements. To learn more about how Clarity helps protect organization’s from risk, schedule a demo today.