It has long been the case that anything to do with security, access rights management and networking systems would fall directly at the feet of the IT department within an organization, but what we need to accept is this is not an IT issue, it is a business issue.
Gone are the days when companies could pass the buck to the IT department when it comes to security headaches.
Businesses and the data they house have become exposed to an increasing number of threats, and they need to recognize that data protection is not an IT tick-box exercise but a culture and mind-set that needs to be adopted by everyone, from the top down. We are still asking the same questions over and over because the business does not understand the importance of its most precious possession, its data, or how to secure it.
Some call it ignorance, others call it laziness or greasy shoulder syndrome at Board level. The truth is that it is a simple lack of understanding at the most senior level within business, because as an industry we assume too much.
Who’s accessing your data?
Unauthorized access to data is a huge downfall for many businesses, and having visibility over who has access to what information within an organization is crucial to keeping data secure.
The leaking of the Paradise Papers last year was a prime example of the necessity to manage, control and report on access to your sensitive data. Aside from exposing the way that the rich and famous manage their finances, the breach also highlighted the significance of data leakage.
According to Appleby, the leak was due to 'unauthorized outside forces gaining access to their network to steal data', and it looks like the media simply accepted that to be the case. In my opinion, this breach, given the sheer volume of data exposed, was most likely performed by an insider, who, rightly or wrongly, had access to all of this data and felt that it should be exposed to the world.
For many businesses, this should have set alarm bells ringing, raising questions such as: who has access to data in my company? Why do they have access to that data? How do they have access to the data? And what are employees (and/or contractors) doing with that data?
Access Rights
Securing who has access to data within the organization, and gaining visibility of who granted that access and what users can do with it, is paramount. It is not simply a case of asking IT to flick a switch or push a button to allow open access, but a company-wide process that enforces strict policies and follows stringent regulations.
Employees need a simple way to ask for access, IT admins need a simple but structured way to grant that access, and senior management need reports that are easy to read and digest and offer a clear overview of the access situation at all times.
Access rights management is not just the responsibility of the IT crowd, nor is it the responsibility of the board/c-level execs, but that of every employee.
Given the right tools, IT can build a solution to help the business fix the issue of uncontrolled access rights management, but it still remains a business issue. Only when the business accepts that permissions to access folders containing sensitive data really are a business problem that has to be addressed will you be able to better secure your data.
Within an organization, permissions need to be granted to access data on all these platforms. As employees are promoted, move to different departments or simply become responsible for new or different things as their role evolves, it is easy to see how they keep gaining permissions without necessarily having any removed. This is exacerbated when organizations grant access based on membership of a group, and when they use different processes and structures, or indeed no structure at all, to grant access to these various platforms.
By setting up processes and users so that they only have access to what they need, organizations are complying with regulations and minimizing their risk.
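The permission creep described above (entitlements accumulated through role changes and nested group membership, never removed) is what a periodic access review should surface. The following is an added example, not code from the article: it compares what each user can effectively reach through group membership against a least-privilege baseline for their current role, and reports each excess entitlement together with the group that grants it, so the fix is a group removal rather than a per-file permission change. All users, groups, entitlements and roles are constructed sample data.

```python
# Constructed sample directory data (hypothetical, not from the article).
GROUP_MEMBERS = {
    "finance-all": {"bob"},
    "finance-reporting": {"alice"},
    "hr-payroll": {"alice"},   # left over from alice's previous role in HR
    "eng-dev": {"carol"},
}
# Nested groups: members of the key are also members of every group in the value.
GROUP_NESTING = {"finance-reporting": {"finance-all"}}
GROUP_ENTITLEMENTS = {
    "finance-all": {"share:finance/general"},
    "finance-reporting": {"share:finance/reports", "app:bi-readonly"},
    "hr-payroll": {"share:hr/payroll", "app:payroll-admin"},
    "eng-dev": {"repo:main"},
}
# Least-privilege baseline: what each role is expected to hold, nothing more.
ROLE_BASELINE = {
    "finance-analyst": {"share:finance/general", "share:finance/reports", "app:bi-readonly"},
    "engineer": {"repo:main"},
}
USER_ROLE = {"alice": "finance-analyst", "bob": "finance-analyst", "carol": "engineer"}


def effective_groups(user):
    """Direct memberships expanded through group nesting until nothing new appears."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    frontier = set(groups)
    while frontier:
        parents = set().union(*(GROUP_NESTING.get(g, set()) for g in frontier))
        frontier = parents - groups      # only groups not yet seen
        groups |= frontier
    return groups


def review_user(user):
    """Excess entitlements (mapped to the groups granting them) and baseline
    entitlements the user lacks, relative to the user's current role."""
    baseline = ROLE_BASELINE[USER_ROLE[user]]
    granted = {}  # entitlement -> set of groups that grant it
    for g in effective_groups(user):
        for ent in GROUP_ENTITLEMENTS.get(g, set()):
            granted.setdefault(ent, set()).add(g)
    excess = {e: gs for e, gs in granted.items() if e not in baseline}
    missing = baseline - set(granted)
    return {"excess": excess, "missing": missing}


def review_all():
    """Run the review for every user; feeds the management report the text calls for."""
    return {u: review_user(u) for u in USER_ROLE}
```

In the sample, alice reaches finance/general only via the nested group and still holds two payroll entitlements from her old HR role; bob is under-provisioned, which the same review also surfaces.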
Compliance and Education
If businesses ensure they have the processes in place, manage access rights, and ensure employees meet the criteria of this regulation, they are already in good stead, not only to meet compliance but to demonstrate that data protection is about shared responsibility and acceptance of boundaries and protocols. Keeping a business running smoothly, efficiently and securely is not about providing access to all areas... not anymore!