Data Privacy: Don't Hand Over the Keys to Your Kingdom

Thursday, May 26, 2011

Lindsay Walker


Employers beware! You might be giving away the keys to the kingdom - or your corporate security - according to a survey released by security firm Cyber-Ark Software.

The survey, "Trust, Security and Passwords," included responses from over 1,400 IT and C-level professionals in North America and EMEA.

The survey indicated that unauthorized access to private information is rampant within companies, as an alarming number of employees in the survey admitted to snooping in private corporate data.

Interestingly enough, it was reported that IT professionals are the most likely to poke their noses in places they know they shouldn't.

Survey Results

67% of the IT professionals surveyed admitted to accessing information not relevant to their role and 41% admitted to abusing admin passwords to access sensitive or confidential information.

Unauthorized access to sensitive information can leave a company vulnerable to data leaks, financial and regulatory exposure and reputational damage.

On the brighter side, compared to the results of last year's study, fewer IT professionals this year believe that they can get around privileged access controls.

It's debatable how good that news is, however, since this year's figures reflect that 40% of global IT managers surveyed still believe they can get around controls that monitor privileged access to information.

While internal breaches remain a high risk, 57% of the C-level respondents in the survey felt that the next one to three years will see external threats, such as cyber-criminals, become a greater security risk than threats from within the organization.

Building Walls

In the press release announcing the study, Adam Bosnian, executive vice president Americas and corporate development, Cyber-Ark Software, said:

"Privileged accounts are the key tool that external attackers and insiders leverage to access and exfiltrate an organization's sensitive information.

While the survey shows a greater awareness around protecting these targets from attacks from any vector, it's concerning that nearly one in five of C-level respondents believe that their corporations' sensitive information may be being used against them in the market.

Security teams need to start with improving the protection of these key internal targets - not simply building bigger walls around the enterprise." 

Remove the Temptation

"It's not just IT people, but also HR employees who have access to confidential information in your organization," says Jason Victor, Director of IT at Customer Expressions, developers of i-Sight case management software.

"Putting your data offsite has the added bonus of providing an additional level of segregation from access by organizational IT people. In i-Sight, you can track who has been in different records, you can restrict records to groups within HR and you can mark cases that are confidential that only certain people can see. Because it's not internal, even your IT people can't circumvent it."

Moving Forward

Business leaders need to make sense of the survey results in order to take action to prevent security breaches from occurring.

"The Common Sense Guide to Prevention and Detection of Insider Threats", published by Carnegie Mellon's Software Engineering Institute, recommends 16 practices that organizations should use to prevent, or facilitate early detection of, insider threats, based on hundreds of case studies of malicious insider activity:

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls.
  3. Institute periodic security awareness training for all employees.
  4. Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
  5. Anticipate and manage negative workplace issues.
  6. Track and secure the physical environment.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Consider insider threats in the software development life cycle.
  10. Use extra caution with system administrators and technical or privileged users. 
  11. Implement system change controls. 
  12. Log, monitor, and audit employee online actions. 
  13. Use layered defense against remote attacks. 
  14. Deactivate computer access following termination. 
  15. Implement secure backup and recovery processes.
  16. Develop an insider incident response plan.
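Practices 8, 10 and 12 above (least privilege, extra caution with privileged users, and logging and auditing of employee actions) are what let an organization catch the behaviour the survey describes: staff opening records outside their role and shared admin credentials being used on confidential data. The script below is an added illustration, not code from the article, the CERT guide or Cyber-Ark. It assumes a hypothetical CSV audit log format (constructed sample rows, not real data), a hypothetical role-to-record-class entitlement table, and a hypothetical list of confidential record classes; it reports every access that falls outside the user's role, every use of a shared admin account on a confidential record, and the users with repeated findings.

```python
"""Audit a record-access log for out-of-role and shared-admin access.

Added example for this article; assumes a simple CSV audit log format
and role entitlements that a real organization would replace with its own.
"""
import csv
import io

# Constructed sample audit log (not real data). One row per record access.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,account_type,record_id,record_class,action
2011-05-20T09:01:12Z,asmith,hr,personal,HR-1042,hr_case,read
2011-05-20T09:05:47Z,jdoe,it,personal,TCK-771,it_ticket,read
2011-05-20T09:07:03Z,jdoe,it,personal,HR-1042,hr_case,read
2011-05-20T09:09:30Z,admin,it,shared_admin,PAY-2201,payroll,read
2011-05-20T09:15:10Z,bchen,finance,personal,PAY-2201,payroll,update
2011-05-20T10:02:55Z,jdoe,it,personal,PAY-2201,payroll,read
"""

# Assumed least-privilege entitlements (practice 8): which record classes
# each role is allowed to open. An IT role is deliberately not granted HR
# or payroll records.
ROLE_ENTITLEMENTS = {
    "hr": {"hr_case"},
    "finance": {"payroll"},
    "it": {"it_ticket"},
}

# Assumed set of record classes the organization treats as confidential.
CONFIDENTIAL_CLASSES = {"hr_case", "payroll"}


def parse_audit_log(text):
    """Parse the CSV audit log into a list of event dicts (practice 12)."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_findings(events):
    """Return one finding per policy violation observed in the events.

    - outside_role: the record class is not in the user's role entitlements.
    - shared_admin_on_confidential: a shared admin account (practice 10)
      touched a confidential record, so the action cannot be tied to a person.
    """
    findings = []
    for e in events:
        base = {"timestamp": e["timestamp"], "user": e["user"],
                "record_id": e["record_id"]}
        allowed = ROLE_ENTITLEMENTS.get(e["role"], set())
        if e["record_class"] not in allowed:
            findings.append(dict(base, reason="outside_role"))
        if (e["account_type"] == "shared_admin"
                and e["record_class"] in CONFIDENTIAL_CLASSES):
            findings.append(dict(base, reason="shared_admin_on_confidential"))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` distinct flagged events (by timestamp)."""
    events_per_user = {}
    for f in findings:
        events_per_user.setdefault(f["user"], set()).add(f["timestamp"])
    return {u: len(ts) for u, ts in events_per_user.items()
            if len(ts) >= threshold}


if __name__ == "__main__":
    found = audit_findings(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in found:
        print(f"{f['timestamp']} {f['user']:<8} {f['record_id']:<9} {f['reason']}")
    print("repeat offenders:", repeat_offenders(found))
```

Run as-is, the report flags jdoe twice (an HR case and a payroll record, neither in the IT role's entitlements) and the shared `admin` account once, both for being outside its role and for touching a confidential payroll record. The point of the last finding is the one practice 10 makes: a shared administrative credential leaves no individual to hold accountable, so such accounts should be checked out per person or eliminated.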

Are you doing all these things in your organization to reduce the chances of your employees making off with your privileged information? If not, get started now.
