On Aug. 9, 2022, two former Twitter employees were found guilty of accepting bribes from Saudi Arabia in exchange for confidential information stolen from the accounts of thousands of users, most of whom are critics of the Saudi government. Authorities say the employees stole email and IP addresses, biographical information, log data and more, even though their jobs did not require access to such information.
The case highlights the risk of allowing employees to have unrestricted access to company data, including confidential personal information, trade secrets and intellectual property. Organizations that allow access to all company data are more likely to experience a data breach compared to those that limit access to what employees need for their jobs.
Access control has always been a fundamental element of information security, but the process has become more complicated. An increasingly mobile, remote and collaborative workforce requires access to company data from beyond the office. This free flow of information increases the risk of data breaches, whether intentional or accidental.
Despite the risk, organizations aren’t doing enough to manage and control data access. In a recent survey from Netwrix Research Lab, 75 percent of IT professionals said they review access rights periodically, but 81 percent of those said they do so manually. Manual review often relies on an email or instant message to confirm access rights, which does not meet regulatory requirements and increases the risk for human error. Moreover, 41 percent said they conduct reviews without involving business users, even though IT is likely not in the best position to determine which access rights are appropriate.
While conventional perimeter security measures remain essential, organizations need to implement a variety of processes and tools that will allow them to strictly enforce data access controls. Consider these six steps:
Take inventory. Review your environment to determine what data you have, who’s responsible for it and which users may have access to it. Note that a “user” may not correlate to a specific person. Defunct and shared access credentials can be especially problematic.
Classify your data. Organizing data by owner, type, sensitivity and value can make it easier to establish access controls. Discovering, evaluating and tagging data also helps organizations meet a variety of regulatory compliance requirements.
Organize your file system. In order to control access, you’ll need to organize the files according to category and risk level and assign file and folder access permissions accordingly. This is not a “set and forget” process — files should be reviewed, moved, archived or deleted as appropriate throughout their lifecycle.
Establish processes. Give data owners the right and responsibility to determine which user roles are allowed access to their data. Establish workflows for requesting, granting and managing access, with separation of duties among multiple people. Review access privileges periodically to ensure they align with the user’s current role.
Enforce “least-privilege” access. Only give users access to the systems and resources they need to do their jobs. In addition to preventing intentional or accidental data exposure, least-privilege restrictions can help prevent threats from spreading through the network.
Use network access control. NAC solutions help organizations manage and control which users and what devices can access corporate networks based on policies, including endpoint configuration, authentication and user identity. In industry surveys, NAC consistently ranks as the most-trusted security technology on the market.
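The six steps above describe a process rather than a tool. The script below is an added illustration, not code from the original post or from any Verteks product, of how the inventory, classification-by-owner, owner-approved request workflow and least-privilege review can be expressed concretely. The role catalog, dataset owners, permission naming scheme ("dataset:action") and the three sample accounts are all constructed for the example; a real review would read them from a directory and a permission export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed role catalog: each role maps to the permissions data owners have
# agreed it needs. Permission names use a hypothetical "<dataset>:<action>" scheme.
ROLE_PERMISSIONS = {
    "support_agent": {"tickets:read", "tickets:write", "customers:read"},
    "data_analyst": {"events:read", "customers:read"},
    "hr_specialist": {"employees:read", "employees:write", "payroll:read"},
}

# Constructed dataset-to-owner mapping (step 2: classify data by owner).
DATA_OWNERS = {
    "tickets": "alice", "customers": "bob", "events": "carol",
    "employees": "dave", "payroll": "dave",
}

@dataclass
class Account:
    """One entry from the access inventory (step 1)."""
    account_id: str
    person: Optional[str]          # None: no identifiable person behind the credential
    role: str
    granted: Set[str]              # permissions actually present in the system
    last_login: Optional[date]     # None: never logged in
    shared: bool = False           # credential known to be used by several people

def review_account(acct: Account, today: date,
                   stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, object]]:
    """Periodic access review (step 4): compare what is granted with what the role needs
    and flag defunct, shared and stale credentials."""
    findings: List[Tuple[str, object]] = []
    required = ROLE_PERMISSIONS.get(acct.role, set())
    excess = acct.granted - required
    if excess:
        findings.append(("EXCESS_PRIVILEGE", sorted(excess)))
    if acct.person is None:
        findings.append(("NO_OWNER", acct.account_id))
    if acct.shared:
        findings.append(("SHARED_CREDENTIAL", acct.account_id))
    if acct.last_login is None or today - acct.last_login > stale_after:
        findings.append(("STALE", acct.last_login.isoformat() if acct.last_login else "never"))
    return findings

def review_all(accounts: List[Account], today: date) -> dict:
    return {a.account_id: review_account(a, today) for a in accounts}

def least_privilege_grant(acct: Account) -> Set[str]:
    """Step 5: the permissions the account should keep, i.e. only those its role requires."""
    return acct.granted & ROLE_PERMISSIONS.get(acct.role, set())

def approve_access_request(requester: str, approver: str, permission: str, acct: Account) -> Set[str]:
    """Step 4 workflow: a grant needs the dataset owner's approval, the approver may not be
    the requester, and the permission must be one the account's role is allowed to hold."""
    dataset = permission.split(":", 1)[0]
    if approver == requester:
        raise PermissionError("separation of duties: a requester cannot approve their own request")
    if DATA_OWNERS.get(dataset) != approver:
        raise PermissionError(f"{approver} is not the owner of dataset '{dataset}'")
    if permission not in ROLE_PERMISSIONS.get(acct.role, set()):
        raise PermissionError(f"role '{acct.role}' does not require '{permission}'")
    acct.granted.add(permission)
    return acct.granted

# Constructed sample inventory and review date.
REVIEW_DATE = date(2022, 9, 1)
SAMPLE_ACCOUNTS = [
    # Support agent who has accumulated HR permissions the role never needed.
    Account("jsmith", "John Smith", "support_agent",
            {"tickets:read", "tickets:write", "customers:read", "employees:read", "payroll:read"},
            REVIEW_DATE - timedelta(days=3)),
    # Shared service credential with no responsible person and no recent use.
    Account("svc-reports", None, "data_analyst",
            {"events:read", "customers:read"}, REVIEW_DATE - timedelta(days=200), shared=True),
    # Analyst whose grants already match the role.
    Account("mlee", "Mary Lee", "data_analyst", {"events:read"}, REVIEW_DATE - timedelta(days=10)),
]

if __name__ == "__main__":
    for account_id, findings in review_all(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(account_id, findings or "OK")
```

Running the script prints one line per account: the over-privileged support agent shows the two HR permissions to remove, the shared service account is flagged three times (no owner, shared, stale), and the analyst passes. The review deliberately involves the data owner in the approval path rather than IT alone, which is the gap the survey figures above describe.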
Employees need anytime/anywhere access to company data in order to do their jobs, but they don’t need access to everything. Allowing unrestricted data access increases the risk of a data breach, whether intentional or accidental. Verteks can help you evaluate your current data protection strategies and help you implement processes and tools to ensure appropriate levels of access control.