The Challenge of User Access Permissions
Employees being given too much access to privileged, sensitive company data can put an organisation in danger. In this article, we explore the issues around this subject and how businesses can minimise the risk.
In a recent survey of 900 IT professionals commissioned by IT security firm Forcepoint, it was revealed that 40 per cent of commercial sector respondents and 36 per cent of public sector respondents said they had privileged access to sensitive company data through their work. Also, 38 per cent of private sector and 36 per cent of public sector respondents said that they did not need the amount of access they were given to complete their jobs. The same survey showed that 14 per cent of respondents believed that their companies were unaware of who had what access to sensitive data.
The results of this survey confirm existing fears that by not carefully considering or being able to allocate only the necessary access rights to employees, companies may be leaving open a security loophole.
Risks and Threats
The kinds of risks and threats that could come from granting staff too many privileges in terms of sensitive data access include :
Insider threats can be exceedingly difficult to detect and exact motives vary but the focus is generally to gain access to critical business assets e.g. people, information, technology, and facilities. Insiders may be current or former full-time employees, part-time employees, temporary employees, contractors/third parties, and even trusted business partners. The insider may be acting for themselves or for a third party. Information or data taken could be sold e.g. to hackers or to representatives of other organisations/groups or used for extortion/blackmail. An insider could also use their access for sabotage, fraud, social engineering or other crimes. An insider could also cause (unintentional) damage.
The insider threat has become more widely recognised in recent years and in the U.S., for example, September is National Insider Threat Awareness Month (NIATM).
Intrusions From Curiosity
The digitization of all kinds of sensitive information, and digital transformation, coupled with users being given excessive access rights, has led to intrusions due to curiosity, which can lead to a costly data breach. One example is in the health sector where, in the U.S., data breaches occur at the rate of one per day (Department of Health and Human Services’ Office for Civil Rights figures). Interestingly, Verizon figures show that almost 60 per cent of healthcare data breaches originate from insiders.
Accidental Data Sharing
Some employees may not be fully aware of company policies and rules, particularly at a time when the workforce has been dispersed to multiple locations during the lockdown. A 2019 Egress survey, for example, revealed that 79 per cent of employers believe their employees may have accidentally shared data over the last year and that 45 per cent sent data to the wrong person by email. Unfortunately, the data shared or sent to the wrong person may have been sensitive data that an individual did not need to have access to in order to do their job.
If hackers and other cybercriminals are able to obtain the login credentials of a user that has access rights to sensitive data (beyond what is necessary) this can provide relatively easy access to the company network and its valuable data and other resources. For example, cybercriminals could hack or find lost devices or storage media, use social engineering, or use phishing or other popular techniques to get the necessary login details.
How Does It Happen?
The recent Forcepoint and the Ponemon Institute survey showed that 23 per cent of IT pros believe that privileged access to data and systems are given out too easily. The survey results suggest that employees can end up having more access rights than they need because:
- Companies have failed to revoke rights when an employee’s role has changed.
- Some organisations have assigned privileged access for no apparent reason.
- Some privileged users are being pressured to share access with others.
How To Stop It
Stopping the allocation of too many privileged access rights may be a holistic process that considers many different aspects and activity from multiple sources, including:
- Incident-based security tools. Although these can alert the organisation to potential problems and can register logs and configuration changes, they can also give false positives and it can take a prohibitively long time to fully review the results, find and plug the breach.
- Trouble tickets and badge records.
- Reviews of keystroke archives and video.
- User and entity behavior analytics tools.
- The challenge is that many organisations lack the time, resources, and expertise to piece all these elements together in a meaningful way.
It appears that where there is a disconnect between IT managers and staff, and where access rights are not regularly monitored or checked, a whole business or organisation can end up being in danger. Some security commentators suggest that the answer lies in easy-to-use technology that incorporates AI to help monitor how data flows and is shared to bring about the necessary visibility as regards who has access and what they’re doing with that access. Always seeking verification and never acting simply on trust is a key way in which organisations can at least detect malicious activity quickly.