Maksim Kabakou - Fotolia
The recent increase in large-scale company data breaches, such as VTech (5 million records exposed), Ashley Madison (37 million records exposed) and Experian/T-Mobile (15 million exposed), means data security is now a hot topic for all businesses across the globe. Although many of these breaches were a direct result of malevolent hackers finding technical weaknesses in company IT infrastructures, risks to data security have become apparent because company IT departments are simply failing to provide adequate access controls to employees using its internal and cloud-based systems.
Smaller-scale data loss, however, is often as a result of authorised employees simply exploiting their privileged access rights. This is where user access control can be an extremely challenging area for many businesses, particularly larger organisations and multi-site corporates and especially in light of the increasing bring your own device (BYOD) trend. Many companies either err on the side of caution and apply too many restrictions or steer the other way, towards a complete lack of any meaningful user access control.
Allowing users too much access across systems is an extremely risky business, which is too easily overlooked. Putting a few simple measures in place can drastically reduce this risk, including the principle of least privilege (access) and read-only where possible, which should be applied to deny malware being installed. This will restrict possible access points for any malware or malevolent users as much as possible. Segregating access points by profile (roles, duties and functions) will also help limit what users can access without affecting their ability to work effectively. User access policies should also be mapped out so any shortfalls or oversights are identified, reviewed and re-evaluated regularly to ensure profiles are configured on a need-to-know basis.
The pitfalls of sharing accounts
The most common mistake that companies allow is the sharing of user account details among colleagues. Not only does this offer users the ability to access areas of the company systems they would not otherwise have, but it also removes the ability to track and audit user activity to a specific person should there be any errant behaviour. Companies should either enforce a strict no-sharing policy for all employees or apply some physical restrictions, such as two-factor authentication (2FA) or lock-down to machine or IP address level.
Similarly, many organisations do not implement sufficient auditing of employee behaviour in company systems. It should be made compulsory that businesses audit all employee access, making sure they remind employees they are being monitored. Employees are more likely to probe and test their access restrictions if they know they can get away with it!
Read more about how to fix common access control mistakes
- Security Think Tank: Human factor key to access control
- Security Think Tank: Password management tops list of access control issues
- Security Think Tank: Policies and procedures vital for successful access control
- Security Think Tank: Top five access control mistakes
- Security Think Tank: Access control is key to protecting against cyber attacks
- Security Think Tank: How to keep on top of access control
Deleting ex-employee’s user accounts is another area where many companies are exposed to the potential for data loss, as employees often have access to multiple internal systems, directories and cloud-based services during the course of their employment. Companies which operate in highly regulated industries should not only employ a system of automated user provisioning across all internal and external systems, but also an automated user de-provisioning process, so all their accounts can be terminated immediately on the employee serving notice.
Balancing risk and productivity
Whatever measures or policies are put in place, the secret ingredient of user access control is to find the perfect balance between risk and productivity. User accounts and control access should be effectively managed alongside proactive monitoring for inappropriate user behaviour. Policies put in place in any modern business should protect sensitive company, and customer data, while fulfilling any regulations or governance the business must abide by, and not limiting employees in a way that would affect them performing their duties in a productive manner.
When striving for this ideal balance, companies must remember that technology can only partially solve the problem, by stopping malevolent actions or plugging security holes. Ultimately, any system to manage user access must address the human factor, underpinned by stringent employee contractual obligations. A strict code of conduct should prohibit employees from performing any actions that may put company and customer data at risk.
Paul Yung is vice-president of products at PC optimisation firm Piriform