By Craig Davies, Chief Information Security Officer, Ghathid.

When pharmacologists talk about “toxic combinations”, they mean two separate drugs that, when combined, can adversely affect the patient’s health. In the world of cybersecurity, it refers to the combination of multiple roles held by a single individual that poses a significant risk to the organization.

In other words, someone within the business has been granted certain privileges that should never be joined because it could undermine the integrity of a core process. These combinations can lead to conflicts of interest, lack of oversight, and opportunities for fraud or abuse.

Additionally, toxic role combinations (TRCs) create vulnerabilities that cybercriminals can exploit or result in malicious internal activities. This is why the principle of segregation of duties is so important: It divides roles so that two or more separate entities must coordinate their actions to achieve a given task.

Examples of toxic role combinations

• Finance and procurement: If an individual has control over the purchase and financial approval, he is able to authorize fraudulent transactions without any third-party oversight.

• Systems administrator and security officer: A person who manages IT systems and also oversees security can change logs or security settings without being detected.

• Management of payroll and human resources: Someone handling payroll and employee data can create ghost employees and divert wages to their accounts.

• Sales and credit approval: A sales manager who also handles credit approvals may approve risky deals to boost sales numbers, potentially leading to financial losses.

• Ensuring identity and granting access: If a person has the ability to create a user identity and grant privileges to an identity, then they can give themselves or someone else full administrative privileges on the IT system.

The Risks

Toxic role combinations create vulnerabilities that cybercriminals can exploit, exposing the organization to potential financial risks, legal liability, operational disruption and reputational damage.

Financial risks

TRCs can lead to financial fraud, where individuals use their overlapping responsibilities to misappropriate funds or authorize unapproved expenditures. It also opens up the risk of human error, as errors can easily go unnoticed without proper checks and balances – causing inconsistencies and significant financial losses.

Legal Liability

TRCs can result in non-compliance with regulations and standards—leading to fines, legal penalties, and increased scrutiny from regulatory bodies. They can also cause breaches of fiduciary duties, with the organization facing legal action for failing to protect the assets and interests of stakeholders.

Operational interruption

Combining roles can create inefficiencies, as one person may struggle to meet all of their responsibilities effectively, causing operational delays and bottlenecks. TRCs in IT roles can open up system vulnerabilities due to misconfigurations and security oversights—increasing the risk of cyberattacks and system failures.

Damage to reputation

When TRCs result in high-profile fraud or security breaches, the organization’s reputation can suffer, leading to a loss of customer trust and market share. Investors and stakeholders may also lose confidence in the organization’s governance and risk management practices, affecting share prices and investment potential.

Prevention and Management of Toxic Role Combinations

To ensure the security of critical systems and data, organizations must implement robust governance and internal control measures that prevent TRCs:

• Separation of duties: Clearly define and separate user identities, roles, and access privileges to ensure that no individual has conflicting responsibilities.

• Role Mining: Analyze user-resource relationships across systems to identify common access patterns and determine appropriate roles and permissions.

• Role-based access control (RBAC): Implement strict access controls and monitoring to ensure employees have only the necessary permissions for their specific roles.

• Principle of least privilege: Define individual user access on a “least privilege” basis so that each person has the minimum access necessary to do their job.

• Regular audits: Conduct frequent internal and external audits of user roles to identify and address TRCs as early as possible.

• Graphics technology: Consider adopting graph technology—a powerful tool for visualizing the complex web of relationships between identities, access permissions, and systems.

• Threat detection: Continuously monitor user access activity to flag any suspicious or atypical behavior.

• Training and Awareness: Educate employees about the risks of TRCs and promote a culture of transparency and accountability.

By following these tips, you can eliminate TRCs in your company and help secure your data, finances, and brand reputation.

The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology leaders. Do I qualify?