It is frequently stated that technology deployment will not stop staff abusing access to corporate information – that security is not solely about technology, it is also about the people and the processes – the three pillars of good IT security.
Generating staff loyalty appears to be a challenge many are falling short of in these current cash-strapped times. And technology cannot prevent it.
But is this statement really true? Technology can certainly go some way towards hardening your information protection approach, and The Corporate IT Forum's security board has focused recent discussions on data loss prevention, role-based access control and user access – all dealing with aspects of access to critical, important and often confidential information.
Ensuring that only essential users have access – and then ultimately the correct access – to the systems they require to do their job is one of the most important tasks that human resources and IT need to manage within corporates today.
Read more from the Security Think Tank about halting IP theft
To set up a user with access to all corporate systems on a "just in case" basis is lazy and irresponsible security; leading to users having unqualified access to areas of the business with no recourse or comeback.
Particularly important is the management of privileged access users – those with uniquely high or broad levels of access to information and possessing the ability and knowledge to enable them to remove all evidence of their movements within systems, leaving no trace.
Among the membership, IP theft is tackled in a similar vein to that of removable media. One commented that it has “clear lockdown policies on access to removable media”, while another was restricting access to websites that allow a user to upload data. Data protection solutions are driving security spend at 77% of organisations (tISS Security & Strategies, 2011) as members strive for greater visibility on data leakage.
Strict and strong role-based access is an ideal that many Forum members are working towards (32.6% had planned this project for 2012). Having the ability to control which users can go where, what rights and, maybe more importantly, write access they have, is an important part of security logging, especially if a leak should occur. Carrying out audits to spot-check systems should keep user access in check.
Dani Briscoe is research services manager at The Corporate IT Forum.