Inside Threats: Your Data, Your Users
Data management and access control are critical to reducing an organization’s vulnerability.
Given some recent high-profile data breaches, many organizations have questions around their vulnerability top of mind. While some research shows the majority of data breaches are caused by employee or contractor negligence and misuse of data, that's certainly not the only source. It's essential to look at all the parts of a business to make sure you're adequately protected.
To be successful in securing and protecting the business, IT needs to develop and maintain relationships with other departments, form best practices, and implement policies consistently. This last point is important because a lack of consistency will wreck layers of security. Everyone inside and outside of IT must attach the same level of importance to protecting data and business interests. IT cannot handle it alone.
What Makes Us Vulnerable?
In truth, what makes us the most vulnerable is our own teams. A common problem is what I like to call data access sprawl. IT is often tasked to provide access to data and applications, but the problem that often comes into play is that business relationships change and IT is not always the best at managing that. So as relationships with work teams and contractors evolve, data access spreads and often goes unchecked.
Data management itself is another common problem. Experts in AI and analytics often cite that a lot of data is unimportant and that not all data is even classified as good data. Users from the top down have the propensity to save everything -- every email, file, attachment, etc. -- for as long as they can, as if that data speaks to some sort of milestone. But data has a shelf life, and that shelf life can be hard to pinpoint without collaboration and cooperation between IT and lines of business.
What Can We Do To Improve?
While there's certainly no quick fix to getting an organization's data secured and well-managed, there are steps you can take to give yourself better security posture. Below are a few insights gleaned from a recent IBM paper as well as my own experience.
Remove Unused Accounts -- This should be a no brainer, however, it remains an issue. In my work doing audits I came across an enterprise that was supposed to have about 500 users on Microsoft Office 365, but due to the mismanagement of old accounts, the company was actually paying for close to 700 accounts. Roughly 250 of these accounts were employees and contractors who were no longer employed or doing work for the company. Not only was this an unnecessary cost for the business, but there is a significant security risk in leaving those unused accounts active. If IT is to blame in this scenario, then it's for an over reliance on technology. Too often, IT relies on technology and reports for asset and data management. But reports can be wrong just like anything else. There's true value in physically looking at inventory and crosschecking your records to make sure things match up. This is important to do even in large enterprises. It will allow you to adequately reduce risk and may even allow the organization to cut costs, which is never a bad thing.
Inappropriate Access Rights -- This occurs for many reasons. While on-boarding and off-boarding processes have improved, surf board employees riding a wave of opportunity through promotions or transfers within a company need the same scrutiny. It's important to review what data and application access is appropriate for their current roles. IT can help by looking for inconsistencies in group policies and questioning access rights. Access rights sprawl just like file shares and data files. If IT doesn't stay on top of access management, then before you know it, a business can be completely overwhelmed in trying to maintain data integrity and clean up a big mess of around appropriate levels of access.
In my experience, there is another cause of vulnerability that too often goes overlooked. In any organization, the IT department works to provide service and support a business so (hopefully) it can run like a well-lubricated machine. But the business often has demands that can strain IT, frequently asking IT to simply make something work as quickly as possible. As an IT professional, I believe we always want to serve the good of the business as best as possible. But getting something to "just work" can all too often come at the cost of security or at the expense of best practice. This is why it is crucial that business leaders be well aligned with IT and have reasonable expectations. It's important to understand the implications of what lines of business are asking IT to do.
All in all, much of the data and security risk is avoidable. While users and business leaders have their role to play in reducing organization vulnerability, there are simple things IT can do to keep things in good shape. There's something to be said for IT taking some time, with pencil and paper in hand, to do a physical inventory of business assets and work groups. It's really the simplest form of a non-technology process, and it can be carried over to other types of IT work, whether programming switches and routers, setting up firewalls, or establishing policies.
Take a physical inventory, validate your findings, and make corrections to your inventory reports. This final step is critical, as it translates to another common weakness found in IT and elsewhere across the business -- documentation.
Follow Matt Brunk on Twitter!