How many users in your organization have access to data to which they should not? Do you know? What would it take to determine?
When we are asked to perform a risk analysis for a company, the principals are often shocked to realize the state of their data. From simple disorganization to inappropriate access, the risks can be dramatic.
Many companies have heeded the warnings and do a pretty good job of securing data from outside threats (pretty good is often not good enough, but that’s another post). Often companies don’t understand the risk from failure to control and monitor access from within. Simply put, providing inappropriate access can result in data loss (both accidental or maliciously). Access to sensitive data can compromise the security and privacy of your employees, and your clients. A data breach can incur legal costs, higher insurance premiums, court or government associated penalties, and a loss of reputation and trust.
System Access and Permissions
Most line of business applications allow for multiple levels of access. This enables you to give people only the right level of access. The A/P folks don’t need access to A/R, The Engineers don’t need access to the Sales CRM. And only HR needs access to HR data.
Anyone want a project?
What about data that is outside your applications? For instance your company’s folders and files on the network. Accepted Best Practice is to provide access to only the info needed to do your job. This is often a challenge for smaller companies that have grown quickly. Too many times I have walked into a company to find one large data folder that has myriad subfolders and everyone has full access.
Most IT companies will charge to remediate this since it’s really out of scope from day to day maintenance.
Windows has great mechanisms for securing this kind of data. Organize your data into functional folders, and users should be separated into functional groups. If it’s not part of the job, why give access to the data? The folders and groups are then secured individually to provide access to only those that need. This way, when Bob moves from A/P to SALES, you simply move him from one group to the other and voila! Permissions changed and access adjusted.
This also allows you to control employee terminations. Often we are asked to terminate an employee but leave their email available for their replacement. This is not as simple as it seems. But if we can remove them from all the groups they belonged to and modify their permissions appropriately, the risk is significantly reduced.
If you are subject to HIPAA regulations, your requirements are much more complex, and I will address that in a future column.
Regular reviews of areas of shared access will help to identify potential gaps in security, especially if users cross or have multiple roles. Periodic reviews of permissions can enable an internal layer of security to prevent accidental data loss or malicious action.
Technology is a critical part of your business foundation, and you need to be aware of associated risks that can have an impact. If you are concerned or just curious about things you can do to minimize your risks, give us a call at 866-525-8324. We are happy to speak with you and learn more about your business and environment, and to see if there are ways we can help you manage your risks and meet your goals.