We all know the GDPR is coming into effect in approximately one year's time and will be relevant to any organisation holding or processing an EU citizen's data. We also know that insider threats, whether malicious or not, remain one of the key causes of data breaches. The principle of least privilege is just one part of this new regulation, but it's an important part because it governs access to the data of these EU citizens. It means that having visibility over who has access to what information within an organisation is now more important than ever, and that is something Access Rights Management can help with.
Of course, hackers and cyber-crime present a huge threat to an organisation's data security, but insider threats can be equally huge, and organisations need to have robust policies and solutions for them, just as they do for hackers. Indeed, while cyber-criminal groups dominate the column inches, insider threats are almost as prevalent. For example, in New York, where firms have been required by law to report breaches since the Information Security Breach and Notification Act came into force in 2005, the Attorney General said that 40 percent of breaches in 2016 were the result of hacking, but 37 percent were caused by insider threats.
Insider threats come in many forms: innocent employees who simply make mistakes, employees who are being leveraged by outside forces, or malicious employees themselves, whose actions normally only come to the fore once they have moved to another organisation. This is potentially the case with a former IT-focused employee of Columbia Sportswear, an Oregon-based company, who moved to Denali, an IT services company, but not before allegedly installing two backdoors into Columbia's networks and then using them to check Columbia's emails for insider information about Columbia's transactions with other IT providers; he is currently being sued over this.
But research by RedOwl and IntSights suggests that employees are not always coerced into leaking insider information; in some cases it is merely a matter of information in return for cash on the dark net. They claim that chatter about this kind of "recruitment" doubled between 2015 and 2016 and that it is currently active and growing. Interestingly, the researchers also go on to claim that 80 percent of security initiatives are focused on perimeter defences and that less than half of organisations even have a budget for insider threat initiatives.
One of the main tenets of the GDPR is privacy by design. For organisations preparing for the introduction of the GDPR on 25th of May next year, following the principle of least privilege, whereby only those who require access to certain data for their day-to-day jobs are allowed access to it, is one way to defend your data, especially from insider threats. As with much, if not all, of the GDPR, the principle of least privilege is simply a matter of best practice. By setting up processes and users so that they only have access to what they need, organisations are complying with the regulation and minimising their risk. With GDPR fines of up to four percent of global annual turnover or €20 million for a breach, acting to minimise the potential for a breach is a no-brainer.
Access rights management is needed not only for Active Directory but also for an organisation's file server, SharePoint and Exchange. Within an organisation, permissions need to be granted to access data on all these platforms, and with employees being promoted, moving to different departments or simply taking on new or different responsibilities as their role evolves, it is easy to see how those employees keep gaining permissions without necessarily having any removed. This is exacerbated when organisations grant access based on membership of a group and/or when organisations use different processes and structures, or indeed no structures, to grant access to these various platforms.
Controlling who has access to data within the organisation, and gaining visibility of who granted that access and what users can do with it, is paramount in today's world of insider threats. Access Rights Management isn't the full GDPR-ready solution, but without the visibility it offers it is impossible for an organisation to protect its data or to meet the governance, risk and compliance requirements of many industries, especially legal, healthcare and banking, where auditing is commonplace, as well as the public sector more generally.
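The permission creep described above is easiest to see when group membership is resolved all the way down to individual accounts and compared against each person's current role. The script below is an added illustration, not code from the article or from any product it mentions; the group nesting, file-server and SharePoint ACLs and role assignments are constructed sample data, and the idea that a role "justifies" a fixed set of groups is an assumption made for the example.

```python
from collections import deque

# Constructed sample data (not from the article): nested groups, resource ACLs on a
# file server and a SharePoint site, each user's current role, and the groups a role justifies.
GROUP_MEMBERS = {
    "Finance-Staff": ["alice", "bob"],
    "Finance-Managers": ["Finance-Staff", "carol"],  # nested group
    "HR-Staff": ["dave", "alice"],  # alice kept HR-Staff after moving to Finance
    "IT-Admins": ["erin"],
}
RESOURCE_ACLS = {
    r"\\fs01\finance\payroll": {"Finance-Managers": "Modify", "IT-Admins": "FullControl"},
    r"\\fs01\finance\reports": {"Finance-Staff": "Read"},
    r"\\fs01\hr\personnel": {"HR-Staff": "Modify"},
    "sharepoint:/sites/HR": {"HR-Staff": "Read", "dave": "FullControl"},  # direct user ACE
}
USER_ROLE = {"alice": "Finance", "bob": "Finance", "carol": "Finance", "dave": "HR", "erin": "IT"}
ROLE_GROUPS = {"Finance": {"Finance-Staff", "Finance-Managers"}, "HR": {"HR-Staff"}, "IT": {"IT-Admins"}}


def expand_group(group, members=GROUP_MEMBERS):
    """Return every user who is a direct or nested member of a group (cycle-safe)."""
    users, queue, seen = set(), deque([group]), set()
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, []):
            if m in members:  # m is itself a group: follow the nesting
                queue.append(m)
            else:
                users.add(m)
    return users


def effective_access(acls=RESOURCE_ACLS, members=GROUP_MEMBERS):
    """Map user -> sorted [(resource, right, via)]; via is the granting group or 'direct'."""
    out = {}
    for resource, aces in acls.items():
        for principal, right in aces.items():
            is_group = principal in members
            for user in (expand_group(principal, members) if is_group else {principal}):
                out.setdefault(user, []).append((resource, right, principal if is_group else "direct"))
    return {u: sorted(v) for u, v in out.items()}


def privilege_creep(user, access=None, roles=USER_ROLE, role_groups=ROLE_GROUPS):
    """Entitlements the user's current role does not justify: rights inherited through a
    group outside the role, or granted straight to the account outside any group."""
    access = effective_access() if access is None else access
    allowed = role_groups.get(roles.get(user), set())
    return [e for e in access.get(user, []) if e[2] not in allowed]


def creep_report():
    """Users with at least one unjustified entitlement, ready for a review/removal ticket."""
    access = effective_access()
    return {u: privilege_creep(u, access) for u in access if privilege_creep(u, access)}
```

Running `creep_report()` on the sample data flags alice's leftover HR access and dave's direct SharePoint grant, while the nested Finance-Managers path gives bob payroll access that his role does justify.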
Organisations need to employ solutions that give them the visibility and control they need to protect access to their data. They need to do this to continue doing business in their chosen markets, to comply with new regulations such as the GDPR, and to protect one of their most valuable assets: the data itself. Of course, as with all IT-focused solutions, organisations need to choose something that is efficient and effective but also easy to use. Employees need a simple way to ask for access, IT admins need a simple but structured way to grant that access, and senior management need reports that are easy to read and digest and offer a clear overview of the access situation at all times. Ultimately, the organisations that will thrive tomorrow are the ones that know exactly who is able to access their data today.
Contributed by Simon Cuthbert, head of international, 8MAN
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.