We’re all enthralled, and at the same time made anxious, when we read reports about hackers and cyber-thieves getting into seemingly well-protected troves of data.
And when the information gained is juicy, like the email files taken in the recent Sony breach, we might even get a bit of a voyeuristic thrill as we comfort ourselves in the belief that we have better security than that company, which maintained a file entitled “passwords” where it kept the log-in credentials of employees. But maybe (no, probably) we have a false sense of security, given the findings of a recent study by the Ponemon Institute, which indicates that internal data breaches caused by inadequate access control are a far greater risk than attacks from the outside.
In fact, the study boldly states “Insiders with too much access are the most likely cause of data leakage,” and finds that fully 71 percent of employees report having access to data they should not see, while only 32 percent of the IT professionals surveyed believe that end users sometimes have more access privileges than they need to do their jobs. I recommend reviewing all of the findings in this timely report.
The need to establish stronger access control frameworks has never been greater. Beyond stories of employees deliberately abusing their access rights for personal gain or revenge, and tales of accidental breaches caused by moving data from secure locations to personal devices, the fact is that organizations are more complex than ever and so must be the rules and controls over access.
In large organizations, there may be thousands of role changes over short periods of time; in others, employees may report to many superiors and no one person knows what a given employee needs to see. Not only that, but the way that ever-changing and growing volume of data is stored makes it difficult to judge where access should begin and end. Over- and under-approving employee access simply becomes the norm, and those decisions are difficult to monitor. The entire system of access control is becoming a greater focus for both internal and external auditors, but the mechanisms for enabling audits are weak. The only way to even begin to adequately control access and the risks it presents, and to be audit ready, is to establish an automated access control framework.
This is the focus of OCEG’s Managing Access Controls to Achieve Continuous Audit Readiness illustration and companion webcast.