Data theft is a major issue at the moment, with hackers breaking into corporate systems and stealing data almost daily at great cost and disruption. Equally important but less widely reported is insider data theft. No-one wants to admit that their own employees have broken their trust and stolen important data. However ‘money talks’, and sometimes the temptation (or the anger at the company) is too great and your employees take something outside of the security perimeter.
Stopping insider theft completely is impossible – just look at thefts by Government employees where the risk to the individual is imprisonment for decades. But you can take steps to reduce the risk and limit the damage. There are some simple steps that you can take:
- Understand your data. Organisations change over time – by growth, restructuring, amalgamation. IT systems also change. Often the IT systems do not change as quickly as the business, potentially leaving security gaps where data groupings do not keep up with the business structure. Understanding your data is essential. A small amount of your data is critical, some sensitive, and most just confidential. Do you know which is which? Do your IT systems structure the data to allow you to categorize and group the data in a way that allows you to grant access in a controlled way, or is the data all mixed together? And very importantly, how do you find out? Do you have the tools to analyse your data, categorize it, and document where it is held?
- Review your current access rights. Active Directory from Microsoft provides the foundation of most security systems. The basic user / password / groups / access to data structures all exist within Active Directory. If your organisation is larger than 300 people then viewing and understanding the spiderweb of group structures, membership, and rights to data can be complex and difficult to untangle. How many people have old, historical rights granted for a specific purpose that no longer exists? Who has moved departments but still has their previous access rights? Microsoft provides simple, list-based reports, but you need better tools if you want to clearly understand your structures. Visualizing the AD structures is crucial – a picture is worth a thousand words!
- Re-engineer your access rights. With a clearer understanding of what data you need to protect, where it is held, and how your organisation needs to access it, you can start to re-engineer your access rights to reduce risk. Start with your most critical data, and work outwards. People will tell you that touching your AD will break it, causing disruption and expense. With the average cost of a data breach now estimated at $3.8M, can you afford to leave everything as it is? Equally, when there is a problem you will be under pressure from above to explain. Better to get it right now rather than wait for a problem!
- Delegate Authority. Involve your departmental management in security – they ‘own’ the data and know who should be accessing it! Give them the tools to see who has rights, who is exercising them, and what they are doing with the data. Simply asking IT to grant access provides no security filter; they just do what you tell them without wondering why! When there is a problem it will be the departmental management that are in the firing line, not IT.
- Provide information that clearly shows who has access, to what data, and what they are doing with it. Your audit & compliance team will love it! If, or when, there is a problem you will be able to track it down quickly and accurately, and limit the damage done.
Guardian Technologies provides tools and consultancy to help you to understand the security risks associated with access rights and secure collaboration. Ask today about our Active Directory Health Check, which will analyse and highlight the top 5 risks within your Active Directory system.