It’s almost the end of 2021, and many companies have either completed their digital transformation initiatives or are at least part way through a multi-year plan.
Digital transformations have many shapes and forms, and each company involved in a transformation effort needs to define their own needs. Whether a software product is being installed or a new application is built, securing the platform is a key area to tackle in any transformation initiative.
Many companies believe that they have adequate security controls in place for access controls. Identity and access management is a big business and no wonder – the ability to understand privileges at the user level and have visibility into a digital footprint is imperative to keep an environment secure. Stopping to consider who should have access to a data set and the reasons why the access is needed is a mammoth job, and not every organization has the ability and resources to fulfill this task.
Access levels start when someone walks through your company’s front door or signs into the network. It’s easy to take access levels in stride and not provide any real guidelines for control, but this isn’t the right stance to take, especially with privacy laws being enacted across the globe and rising customer expectations.
Data privacy is only one piece of the puzzle. Companies that have fallen victim to a data breach know that it only takes one incident to lose a brand’s reputation, and in today’s cancel culture, there is too much at stake to lose market share, especially when managing access controls is a relatively simple problem to resolve.
Let’s look at the statistics. Not knowing what a user has access to can be costly. According to CSO magazine and a new report from IBM and the Ponemon Institute, the average cost of a data breach in 2020 was $3.86 million. And according to Sophos, in 2021 the average global cost to remediate a ransomware attack rose to $1.5 million, more than double the previous year’s average ($761,106).
If those statistics aren’t enough to catch your interest, then the GDPR regulation and recent fines should make you concerned. In 2019, Marriott International was fined $136.6M (£99 million) by the Information Commissioner’s Office (ICO) for GDPR infringements relating to a cyberattack in which personal data was exposed for 31 million European residents. The fine is one of the largest issued by the ICO. In its report, the ICO concluded that Marriott International failed to exercise sufficient due diligence regarding customer data and should have implemented stringent security measures. This wasn’t just a cyberattack; people had access to data where they shouldn’t have had it, and a crafty cybercriminal was able to take serious advantage of that.
While everyone understands the importance of securing the network with adequate controls, further limiting access to data is another large part of having a security strategy. Access levels start at the login phase, with users being granted access and privileges to a set of data that is associated with their position and level of responsibility. Maintaining adequate records when changes occur is another consideration. If an employee moves to another role, their access privileges may not need to follow them. Audits and periodic reviews are necessary to ensure that each user maintains an access level that is appropriate to their span of responsibility. There are many tools on the marketplace that can help maintain an adequate access control posture, and they are worth looking into.
In the security industry, we abide by a rule of ‘least privilege access’, meaning that if a user doesn’t need to see a set of data, they shouldn’t be given access to it. Let’s go back to the digital transformation to illustrate the importance of adequate access controls. If your company is implementing a new enterprise resource planning (ERP) tool, would you give a financial analyst the same signing authority as the CFO? Of course not, but when access levels are not considered, this scenario could become reality in your company. The same situation applies to a new customer relationship management (CRM) application. Should sales reps be allowed to access and download customer data? If so, maybe they will take the information to their next company.
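The role-change and periodic-review points above can be made concrete with a small entitlement check. The following is an added example, not code from the article or its author; the role-to-entitlement matrix, user records and entitlement names are constructed to mirror the ERP and CRM scenarios, and a real review would pull them from the identity provider and the applications themselves.

```python
"""Least-privilege entitlement review over constructed sample data.

Each role is mapped to the entitlements it legitimately needs. A user holding
anything beyond that baseline is a review finding, which is exactly what a
role move leaves behind when old privileges follow the person.
"""
from dataclasses import dataclass

# Constructed role matrix: the CFO may approve payments, the analyst may not,
# and a sales rep may read contacts but not export them.
ROLE_ENTITLEMENTS = {
    "financial_analyst": {"erp.ledger.read", "erp.report.run"},
    "cfo": {"erp.ledger.read", "erp.report.run", "erp.payment.approve"},
    "sales_rep": {"crm.contact.read"},
}


@dataclass
class User:
    name: str
    role: str               # current role
    entitlements: set[str]  # what the user can actually do today


def excess_entitlements(user: User) -> set[str]:
    """Entitlements beyond the current role's baseline. An unknown role has
    no baseline, so everything the user holds is flagged."""
    return user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set())


def review(users: list[User]) -> dict[str, list[str]]:
    """Periodic review: map each user with findings to the entitlements to revoke."""
    findings = {}
    for user in users:
        extra = excess_entitlements(user)
        if extra:
            findings[user.name] = sorted(extra)
    return findings


def apply_role_change(user: User, new_role: str) -> set[str]:
    """Move a user to a new role and reset entitlements to that role's baseline.
    Returns the revoked set so the change can be recorded for the audit trail."""
    baseline = ROLE_ENTITLEMENTS.get(new_role, set())
    revoked = user.entitlements - baseline
    user.role = new_role
    user.entitlements = set(baseline)
    return revoked


# Constructed sample: alice moved from CFO to analyst but kept approval rights;
# carol was granted an export right her role does not need.
SAMPLE_USERS = [
    User("alice", "financial_analyst", {"erp.ledger.read", "erp.report.run", "erp.payment.approve"}),
    User("bob", "cfo", {"erp.ledger.read", "erp.report.run", "erp.payment.approve"}),
    User("carol", "sales_rep", {"crm.contact.read", "crm.contact.export"}),
]

if __name__ == "__main__":
    for name, extra in review(SAMPLE_USERS).items():
        print(f"{name}: revoke {', '.join(extra)}")
```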
I realize that some of you reading this article are thinking, ‘My company knows the importance of access controls for our employees’, but my question to you is: ‘Have you checked?’
©2021 All Rights Reserved
Sue Bergamo is the VP of Global Security at ActiveCampaign and can be reached at sbergamo@activecampaign.com. As an executive, Sue brings her leadership and broad technology experience to help companies concentrate on growth by promoting innovation and productivity enhancements through application development, infrastructure operations, data analytics, and business process optimization within a secure environment.
*The content within this article is the sole opinion of the author.