Regulating the relationship between individual employees and corporate data is one of the most challenging tasks faced by the IT department. On the one hand, companies have been calling for a more seamless flow of information across the organization so that each worker can let relevant and timely data shape their decisions. But at the same time, overly permissive practices may afford users more power than they are equipped to handle.
As a result, managers must align policy and technology to ensure the company is not promoting productivity at the expense of security and compliance.
From satisfying HIPAA mandates to guarding trade secrets, companies are well aware of how important it is to protect their sensitive data. Too often, however, their focus is directed at the wrong targets. Considering that the majority of data breaches are triggered by employee action, companies would be better served by getting their own houses in order before worrying about external attackers.
It’s an unfortunate reality to think about, but there have been a number of cases in which malicious insiders abused their access privileges for personal gain. From hospital attendants selling personal health records to disgruntled software engineers downloading proprietary code to take to a rival, there may be more going on beneath the surface than administrators initially see.
Even if employees have only the best intentions, there is no telling what could happen if someone gets hold of their network privileges without their knowledge. In fact, some of the most damaging data breaches have followed that pattern. The scandal that shook the South Carolina Department of Revenue late last year began with a simple phishing email that enabled cybercriminals to usurp the credentials of a legitimate user with wide-ranging database privileges.
While these scenarios may send chills down executives’ spines, the good news is that the solutions are well within their control. By developing and enforcing a role-based data governance system, IT teams can give users access to everything they need to succeed without handing them additional privileges that could be abused.
The first step is to categorize data and applications according to sensitivity and to determine the access needs of each employee group. Some rules will have to be customized to the individual, but it is important to establish the same sense of accountability from entry level to C-level by ensuring everyone adheres to the principle of least privilege.
Finally, IT teams must choose the tooling they will use to monitor access behavior and confirm that group- and object-based rules are being followed. As network ecosystems expand to include more users, devices, and transactions, companies should look toward centralized platforms that give administrators the visibility they need to spot signs of trouble and intervene early.
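The two steps above (classify data and groups under least privilege, then monitor access against those rules) as an added example that is not part of the original article: the sensitivity tiers, roles, objects, users and access-log lines are all constructed for illustration.

```python
# Added example, not from the original article: a minimal role-based data
# governance model with a least-privilege check and an access-log monitor.
# Tiers, roles, objects, users and log lines are all constructed here.
from dataclasses import dataclass, field

# Step 1: classify data by sensitivity and give each role the lowest tier
# its members need to do their job.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
OBJECTS = {"press_releases": "public", "org_chart": "internal",
           "source_repo": "confidential", "patient_records": "restricted"}
ROLE_CEILING = {"marketing": "internal", "engineer": "confidential",
                "dba": "restricted"}

@dataclass
class User:
    name: str
    role: str
    exceptions: set = field(default_factory=set)  # objects granted individually

def is_permitted(user: User, obj: str) -> bool:
    """Allow iff the object's tier is within the role ceiling or the object
    was explicitly granted to this user; unknown objects are denied."""
    if obj not in OBJECTS:
        return False
    if obj in user.exceptions:
        return True
    return SENSITIVITY[OBJECTS[obj]] <= SENSITIVITY[ROLE_CEILING[user.role]]

def audit(users: dict, log_lines: list) -> list:
    """Step 2: replay 'user object' access records and return every access
    that the group- and object-based rules would not have permitted."""
    violations = []
    for line in log_lines:
        who, obj = line.split()
        user = users.get(who)
        if user is None or not is_permitted(user, obj):
            violations.append(line)
    return violations

USERS = {"alice": User("alice", "marketing"),
         "bob": User("bob", "engineer"),
         "carol": User("carol", "marketing", exceptions={"source_repo"})}
SAMPLE_LOG = ["alice press_releases", "alice patient_records",  # constructed
              "bob source_repo", "bob patient_records",
              "carol source_repo", "mallory org_chart"]

if __name__ == "__main__":
    for v in audit(USERS, SAMPLE_LOG):
        print("policy violation:", v)
```

Accesses by accounts outside the user directory are flagged alongside tier violations, which is the pattern a hijacked or unknown credential would leave in the log.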