
Security Think Tank: Human factor key to access control

In the modern business environment, what are the most common access control mistakes and how best are these corrected?

The modern business environment is no longer a static self-contained area, all nicely enclosed in a physical, logically discrete and easily controlled space. We have an increasingly diverse, mobile workforce and have been adopting equally flexible IT systems to accommodate the resulting needs of all this change. 

Whether it is mobile devices, online or cloud services, or remote access to back-end services, they all pose increasing challenges when it comes to access control.

In times gone by, we had to manage multiple sign-ins to multiple platforms to handle an increasing number of discrete systems. This then became handled through a single domain and log-in: once authentication was complete, the user could access whichever systems or applications they were authorised for.

But things have changed. Our mobile and flexible workforce, and the systems and platforms it uses, may no longer be owned by us, and we now rely on a far larger array of them across a wider and more connected workforce.

This presents us with a fresh set of challenges. Identifying some of the key mistakes that can be, and have been, made will help us understand how best to increase our own resilience and security.

Wherever your information is stored and wherever there is a need to access that information, it is vital that the information asset owner (IAO) is involved in setting up the access control policy, so that the asset is properly understood and assessed and access is granted on a need-to-know basis.

If access to any online data storage is required from mobile devices, it is equally vital to understand whether the device's own access controls provide an appropriate level of security.

For instance, many mobile devices require only a four-digit PIN, whereas a corporate access policy may require a more complex access code. Should such a device then be given access to that online data storage?
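The decision in the paragraph above is the kind of thing a device-posture check in front of a cloud storage service makes. The following is an added example, not code from the article or from any particular MDM or identity product: it compares what a device reports about itself (passcode type and length, storage encryption, management enrolment) against a minimum posture set by the asset owner. The passcode requirement is expressed as a keyspace in bits so that "four-digit PIN" and "eight-character alphanumeric code" can be compared on one scale. Policy thresholds, attribute names and the sample devices are assumptions constructed for illustration.

```python
"""Device-posture check before a mobile device is granted access to online storage.

Added example, not from the original article. The policy values, device
records and function names are assumptions chosen for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an endpoint-management agent would report for a device (constructed)."""
    device_id: str
    passcode_type: str      # "none", "numeric" or "alphanumeric"
    passcode_length: int
    storage_encrypted: bool
    mdm_enrolled: bool


@dataclass(frozen=True)
class AccessPolicy:
    """Minimum posture the information asset owner requires for this data store (assumed)."""
    min_passcode_bits: float          # minimum passcode keyspace, in bits
    require_encryption: bool = True
    require_mdm: bool = True


# Assumed character-set size for each passcode type.
ALPHABET_SIZE = {"none": 1, "numeric": 10, "alphanumeric": 62}


def passcode_bits(posture: DevicePosture) -> float:
    """Keyspace of the device passcode in bits, i.e. log2(alphabet ** length).

    A four-digit PIN gives 10**4 = 10,000 combinations, about 13.3 bits; an
    eight-character alphanumeric code gives 62**8, about 47.6 bits.
    """
    size = ALPHABET_SIZE.get(posture.passcode_type, 1)
    if size == 1 or posture.passcode_length <= 0:
        return 0.0
    return posture.passcode_length * math.log2(size)


def evaluate_access(posture: DevicePosture, policy: AccessPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed requirement is reported, not just the first."""
    reasons: list[str] = []
    bits = passcode_bits(posture)
    if bits < policy.min_passcode_bits:
        reasons.append(
            f"passcode keyspace {bits:.1f} bits is below required {policy.min_passcode_bits:.1f}"
        )
    if policy.require_encryption and not posture.storage_encrypted:
        reasons.append("device storage is not encrypted")
    if policy.require_mdm and not posture.mdm_enrolled:
        reasons.append("device is not enrolled in management")
    return (not reasons, reasons)


# Constructed sample devices and an assumed policy (40 bits rules out any numeric PIN
# shorter than 13 digits while accepting an eight-character alphanumeric code).
POLICY = AccessPolicy(min_passcode_bits=40.0)

DEVICES = [
    DevicePosture("phone-A", "numeric", 4, True, True),           # four-digit PIN only
    DevicePosture("phone-B", "alphanumeric", 8, True, True),      # complex code, managed
    DevicePosture("tablet-C", "alphanumeric", 8, False, False),   # strong code, weak platform
]


def decisions(devices=DEVICES, policy=POLICY) -> dict[str, bool]:
    """Map each device to its allow/deny decision under the policy."""
    return {d.device_id: evaluate_access(d, policy)[0] for d in devices}


if __name__ == "__main__":
    for device in DEVICES:
        allowed, why = evaluate_access(device, POLICY)
        print(device.device_id, "ALLOW" if allowed else "DENY", why)
```

Note that tablet-C is refused even though its passcode is stronger than the policy demands: the check reports every failed requirement, because a strong unlock code on an unencrypted, unmanaged device still leaves the data exposed once the device is lost or the user syncs it elsewhere.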

User education

Furthermore, staff using mobile devices to access personal, non-corporate online storage could be dropping sensitive information assets into a shared, non-secured environment.

It is key that organisations retain control of their online IT environment. Data leakage or breaches can occur when an organisation loses control of where its information assets reside and how they are accessed; the organisation nonetheless remains responsible for them. This needs to be addressed as an information management issue, not as an IT issue.

People and their behaviour represent a major risk to information security, and access control is no different. Users will try to find a way around anything they see as inconvenient, without realising the risk they are adding. Educating them about that risk is very important.

In summary, organisations must never lose sight of the human factor. The most successful and secure access control systems are those that sit inside a robust change and configuration management regime, that are regularly penetration tested and are supported by vigorous and ongoing user education programmes.

Mike Gillespie is director of cyber research and security at The Security Institute.
