There’s a plethora of cyber security threats that IT professionals need to protect their data from. But what if one of those threats is entirely unmanageable? A recent study conducted by U.S. tech consulting company CEB found 90% of employees have violated IT policies designed to prevent security and data breaches.
What does this mean?
Many companies are spending thousands, if not millions, of dollars on information security, with their primary focus on outside hackers who intentionally execute malicious attacks. But what about internal controls? Many companies feel secure with their internal controls, believing their access administration rights will prevent employees from gaining access to information they do not need. However, the study by CEB found many employees will work their way around these controls to obtain information. Many times, these workarounds are intentionally malicious; however, they lead to unintentional breaches.
What to do next…
Internal audit – I know, I know, I know…we hear “audit” and think NO WAY! But honestly, conducting an internal audit of the access administration process can be incredibly helpful. The auditors’ job is to identify controls. Since they do not work in each department day in and day out, they provide fresh insight into the process. They will also provide suggestions on strengthening controls.
Employee awareness – Informing employees of what access rights they have, and the purpose for each, can be enlightening for both management and the employees. Many times, employees don’t understand why their access is limited. Understanding why they do or don’t have access to a certain system or file can help them to understand the security risks of sharing credentials with other employees who don’t have the same access.
Following up – On occasion, employees may need access to something they typically don’t need access to. Providing these rights is acceptable; however, IT admins need to remember to remove the access rights once the necessary information has been obtained. It is best practice to review employee access administration rights annually to ensure accuracy.