Why Access Rights Management should be an enterprise priority
In some ways, the new research claiming that people are still the biggest threat to cyber security is hardly surprising; this has been the case for years now. What is surprising is that, even with the GDPR only one year away, this hasn't moved on. It seems that organizations are aware of the problem, which of course is a good thing, but isn't it time we began to see research saying that people aren't a threat anymore because organizations have secured their systems against these types of threats and educated their workforces in the process? That kind of research would be much more heartening, especially when other research suggests that there's an IT skills shortage coming soon that could make it even more difficult for organizations to secure themselves against cyber threats.
The Institute of Information Security Professionals (IISP) is behind the new research claiming that people are still the biggest threat to cyber security. The research suggests that people are still not cautious enough about phishing scams, such as links or attachments in emails, or about visiting websites that might not be safe. The IISP also suggests that a lack of technical skill causes problems and, interestingly, that organizations are making poor critical decisions around strategy and budgets, suggesting that they are not focused on the right ways to prevent cyber attacks.
At the same time, other research from Brocade, which surveyed IT leaders in Australia, France, Germany, Singapore, the US and the UK, claimed that the industry is at a tipping point where demand for IT skills simply won't be met in the near future. The research claimed that the UK was lagging behind the other countries, with 63 percent of IT leaders in the UK expecting to struggle to find talent next year. Given the continued rise of data breaches and the GDPR fines looming, a shortage of the very people who could help prevent these breaches would create a perfect storm for organizations.
Do innocent mistakes count?
Next year, the GDPR comes into effect and any organization holding or processing an EU citizen's data will need to be compliant with the new regulation or risk a fine of up to four percent of global annual turnover or 20 million euro, whichever is greater, in the event of a data breach. It's unlikely that the new regulation will take into consideration whether the breach was caused by an unwitting employee making an innocent mistake or by a malicious employee with more sinister motives when the fines are being doled out. Nor is it likely to be taken into account whether or not organizations can get the right employees. It is more likely to be a case of the organization having failed to do enough to protect its sensitive data, and it will be fined accordingly. For organizations looking to avoid those fines, all the research points to a need to act quickly.
One part of the new GDPR which is specifically relevant when discussing insider threats is the principle of least privilege which, in short, means that organizations must ensure that only the employees who need access to specific data are allowed to have it; it should not be accessible to anyone else in the business. This is why visibility over who can access what information within an organization is so important. With a specific principle around it, it's not something that organizations can afford to ignore anymore.
Access Rights Management solutions have been around for years and have been deployed by organizations focused on best practice and on adhering to governance, risk and compliance requirements within certain industries. With the principle of least privilege and the main tenet of privacy by design within the GDPR, these solutions are now necessary for more than just best practice: they are an integral part of an organization's IT security strategy.
Access Rights Management has traditionally been deployed to help with an organization's Active Directory, but as organizations grow and expand, they also need to control access to their File Server, SharePoint and Exchange, and Access Rights Management solutions have evolved to cover those points of access too.
Securing an organization
It's easy to see how organizations can fall foul of the principle of least privilege. The job for life, for the most part, is a thing of the past. Now, employees move around departments, get promoted or simply accumulate more access as their job role evolves, a problem that is exacerbated by granting access based on membership of a group. Just as permissions need to be given for access to all of these platforms and systems, they also need to be taken away when they're no longer required. Without deploying a specific solution, the process is complicated and time-consuming and, even more importantly, it's not immediately obvious who has access to what. In the new GDPR world, that's just not acceptable.
The ability to understand, and see, who has access to data within the organization, who has given that access, and what users can do with that access is vital in order to secure the organization against data breaches and protect it from the forthcoming GDPR fines. That's not to say that Access Rights Management is the ready-made solution for all an organization's GDPR concerns; of course it isn't. But without the visibility offered by such a solution, it's almost impossible for an organization to truly secure its sensitive data or meet its governance, risk and compliance requirements.
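The two paragraphs above describe the core job of an access review: resolve who effectively reaches a resource through nested group membership, record who granted each entry, and spot access that an employee's current role no longer justifies. The following Python is an added illustration of that logic and is not code from the article or from any 8MAN product. The users, groups, ACL entries, file-server paths and the department-to-group baseline are all constructed for the example; in practice they would be pulled from Active Directory and the file server's ACLs.

```python
"""Effective-access report over nested group membership (added example).

Resolves which users reach which resources via direct or nested group grants,
keeps the granting administrator for each entry, and flags entries that the
user's current department does not explain. All data here is constructed.
"""
from collections import deque

# Constructed directory: user -> current department.
USERS = {
    "alice": "finance",
    "bob": "engineering",   # moved from finance but was never removed from finance groups
    "carol": "hr",
}

# Constructed group membership; a member may itself be a group (nesting).
GROUPS = {
    "finance-staff": ("alice", "bob"),
    "finance-leads": ("alice", "finance-staff"),   # nested group
    "engineering": ("bob",),
    "hr": ("carol",),
    "all-staff": ("finance-staff", "engineering", "hr"),
}

# Constructed share paths (hypothetical file server).
PAYROLL = r"\\fs01\finance\payroll"
BUDGETS = r"\\fs01\finance\budgets"

# Constructed ACL entries: (resource, principal, permission, granted_by).
ACL = [
    (PAYROLL, "finance-leads", "modify", "it-admin-1"),
    (BUDGETS, "finance-staff", "read", "it-admin-1"),
    (r"\\fs01\eng\source", "engineering", "modify", "it-admin-2"),
    (r"\\fs01\hr\records", "hr", "modify", "hr-manager"),
    (r"\\fs01\shared\handbook", "all-staff", "read", "it-admin-1"),
    (PAYROLL, "carol", "read", "finance-manager"),   # direct grant, bypasses groups
]

# Hypothetical role baseline: groups each department is expected to hold.
BASELINE = {
    "finance": {"finance-staff", "finance-leads", "all-staff"},
    "engineering": {"engineering", "all-staff"},
    "hr": {"hr", "all-staff"},
}


def expand_group(group):
    """Return {user: path} for every user reachable from `group`.

    Breadth-first search over nested groups, so the recorded path is the
    shortest one; `seen` guards against membership cycles."""
    members, seen, queue = {}, {group}, deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in GROUPS.get(current, ()):
            if member in GROUPS:
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member in USERS:
                members.setdefault(member, path)   # keep first (shortest) path
    return members


def effective_access():
    """Return {user: [(resource, permission, via_path, granted_by), ...]}."""
    report = {u: [] for u in USERS}
    for resource, principal, permission, granted_by in ACL:
        if principal in USERS:              # direct grant to a user
            report[principal].append((resource, permission, [principal], granted_by))
        else:                               # grant to a (possibly nested) group
            for user, path in expand_group(principal).items():
                report[user].append((resource, permission, path, granted_by))
    return report


def who_can_access(resource):
    """Answer the auditor's question for one resource: {user: {permissions}}."""
    result = {}
    for user, entries in effective_access().items():
        for res, perm, _path, _by in entries:
            if res == resource:
                result.setdefault(user, set()).add(perm)
    return result


def excess_access():
    """Entries whose granting principal is outside the user's role baseline.

    A direct grant to a user always lands here, since a username is never a
    baseline group; it therefore always surfaces for review."""
    flagged = []
    for user, entries in effective_access().items():
        allowed = BASELINE[USERS[user]]
        for resource, perm, path, granted_by in entries:
            if path[0] not in allowed:
                flagged.append((user, resource, perm, "/".join(path), granted_by))
    return sorted(flagged)


if __name__ == "__main__":
    for row in excess_access():
        print("REVIEW user=%s resource=%s perm=%s via=%s granted_by=%s" % row)
```

Run as a script, the report lists bob's leftover finance access (reached through the nested finance-leads group) and carol's direct payroll grant, each with the administrator who granted it. The path column is what makes group-based accumulation visible: the entry to revoke is bob's membership of finance-staff, not the ACL on the share.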
Visibility and control of who's accessing data is now essential for organizations: to prepare for the GDPR, to comply with GRC requirements, and simply to protect their most valuable asset, their data. Of course, as with all IT-focused solutions, and especially so with the expected IT skills shortage, factors such as efficiency, time-saving and ease of use should be high on an organization's list of considerations when choosing a solution. Ultimately, a good Access Rights Management solution should make it easy for an employee to request access to something, otherwise a workaround such as password sharing will likely be found; it should be easy and quick for administrators to understand the validity of a request and grant the access; and it should offer easy-to-digest reports for senior management.
A perfect storm is coming. It's time for some organizations to change course or drown in the fines that will come.
Simon Cuthbert, head of International, 8MAN.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.