How An Identity and Access Management Program Saved a Retailer $100k+ In Fraud Annually
Many organizations initially struggle with the business buy-in for an Identity and Access Management (IAM) program. The consequences of this lack of business ownership or participation are that IAM becomes another dreaded IT project with ill-conceived requirements. As such, the IAM budget can readily be cut for more important and well-understood business objectives with clear sponsors. This and similar factors led Gartner to estimate that 63% of all IAM products will be thrown out in the next two years as the ‘requirements have changed’ since the date of original purchase.
The challenge for new and existing IAM programs is to establish and maintain a strong justification for the program’s continued existence. One retail client recognized this potential risk to their IAM program and took a novel approach to clearly illustrating the benefits of an IAM program. The conventional wisdom is to convince the CIO or CISO of the necessity of an IAM program; however, their strongest and most vocal ally was the head of retail loss prevention at their company.
Retail loss prevention is defined as “a set of practices employed by retail companies to preserve profit. Profit preservation is any business activity specifically designed to reduce preventable losses. A preventable loss is any business cost caused by deliberate or inadvertent human actions, colloquially known as "shrinkage." Deliberate human actions that cause loss to a retail company can be theft, fraud, vandalism, waste, abuse, or misconduct. Inadvertent human actions attributable to loss are poorly executed business processes, where employees fail to follow existing policies or procedures - or cases in which business policies and procedures are lacking.”
On the surface, this appears to have nothing to do with Identity and Access Management.
This retail client had a generous associate discount program: associates could buy anything in any of their stores for up to 40% off, even on items already marked down. The discount was not limited to a “company store” on a corporate campus; an associate could walk into any store in any city, present their badge, and get a substantial discount. It was typical for associates to go on a shopping spree across town when they were terminated or left voluntarily. The store retail systems used shared accounts, and the employee badges were neither centrally managed nor connected to a provisioning system. Badges were deactivated within a day of termination, and there was no specific process requiring terminated associates to hand in their badge as part of the termination process. This gap allowed for fraud: terminated employees could buy items at 40% off, then sell those items on eBay for 20% off and pocket the difference.
Regrettably, this was not small-scale fraud. Retailers often have seasonal workforce peaks – a mass of new employees in November, followed by a reduction of seasonal employees in January and February. Tens or hundreds of thousands of dollars of merchandise were being discounted to former associates every year.
The solution was to develop two new business processes and then to implement those processes as part of an IAM program.
First, there was a new business process to collect employee badges before an associate was terminated. The specifics of this process are unique to the client, and it was deployed so as not to create suspicion when the employee was called to a meeting at the back of the store. This process did not require software, although it did require training both the retail associates and their managers.
The more comprehensive process was to tie the employee’s identity to their badge and then to manage those badges as part of an IAM program. The implementation concept was to leverage a central repository of user identities including associates. Each associate’s badge and associated privileges were activated or de-activated from this central user repository. Stores could quickly determine if a badge was active by scanning the badge before a purchase was authorized, and retail managers were trained on how to gracefully handle the situation where a terminated associate presented a deactivated badge at a retail counter.
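The badge check described above, as an added illustration that is not code from the article or the client: a toy central identity repository where an HR termination event deprovisions the badge, and a point-of-sale authorization step that scans the badge against that repository before applying the associate discount. Class and field names, the 40% cap and the sample associates are constructed assumptions.

```python
"""Added example: central badge status as the gate for the associate discount."""
from dataclasses import dataclass


@dataclass
class Associate:
    employee_id: str
    badge_id: str
    active: bool = True


class IdentityRepository:
    """Central user repository: the single source of truth for badge status."""

    def __init__(self):
        self._by_badge = {}   # badge_id -> Associate (constructed in-memory store)
        self.audit = []       # every discount decision, for loss prevention review

    def onboard(self, employee_id, badge_id):
        self._by_badge[badge_id] = Associate(employee_id, badge_id)

    def terminate(self, employee_id):
        # HR termination event: deactivate every badge tied to this identity
        # in the repository itself, so no store can honour it afterwards.
        for assoc in self._by_badge.values():
            if assoc.employee_id == employee_id:
                assoc.active = False

    def badge_status(self, badge_id):
        assoc = self._by_badge.get(badge_id)
        if assoc is None:
            return "unknown"        # never issued, or not in the repository
        return "active" if assoc.active else "deactivated"


def authorize_discount(repo, badge_id, discount_pct, max_pct=40):
    """POS check run when a badge is scanned before a discounted sale.

    Returns (allowed, reason). The reason lets the manager handle a
    deactivated badge gracefully instead of just seeing a refused sale.
    """
    status = repo.badge_status(badge_id)
    allowed = status == "active" and 0 < discount_pct <= max_pct
    repo.audit.append({"badge_id": badge_id, "status": status,
                       "discount_pct": discount_pct, "allowed": allowed})
    if not allowed and status == "active":
        return False, "discount_exceeds_program_limit"
    return allowed, status
```

Denied attempts with a deactivated badge in `repo.audit` are exactly the events loss prevention would want reported from stores.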
After the IAM program was up and running, the head of retail fraud prevention estimated that the total implementation cost (both vendor solution and consulting) was justified within a single year.
When looking to reinvigorate an existing program or start a new IAM program, look carefully for those poorly-executed or misunderstood business processes that enable bad actors to gain access to inappropriate resources or special privileges. It is quite likely that these process exploits are already subject to abuse, whether in the form of a long-standing security breach or financial loss. The most successful IAM programs address these needs first, thereby reducing risk to the organization and showing rapid value.