Few organizations would give every employee access to HR and accounting systems. But an astonishing number of organizations fail to control access to other sensitive information.
A 2019 study by Varonis Data Lab found that 53 percent of companies had at least 1,000 sensitive files that could be accessed by all employees. Almost one-quarter (22 percent) of folders in a company’s file system were open to all employees.
In the 2020 Data Risk and Security Report by Netwrix Research Lab, 30 percent of system administrators admitted that they have granted direct access to sensitive and regulated data based only on a user’s request. More than half (54 percent) of organizations fail to follow the best practice of reviewing user access rights to data on a regular basis.
Although 54 percent of organizations feel confident that their employees are not sharing data inappropriately, few track it. Their confidence may be misguided: In a 2019 study conducted by Sapio Research, business decision-makers admitted that they use personal email, messaging apps and social media to share company files.
The risks associated with these behaviors are substantial. Employees who have unfettered access to sensitive files can download them to their personal devices, upload them to insecure cloud platforms and share them outside your organization. If hackers were to gain access to an employee’s user credentials, they would have the ability to steal all that data.
These 10 steps can help you regain control:
- Build awareness. Make sure executive management, department heads, IT administrators and end-users understand the risks associated with uncontrolled data access.
- Take inventory. Review your hardware, applications, databases, files, users and job functions, and determine who currently has access to what.
- Assess risk. Determine the level of business, legal and regulatory risk associated with access to each IT resource.
- Develop policies. Working with stakeholders throughout the organization, develop policies regarding the classification of data and which user roles may be allowed access to each data type.
- Enforce “least privilege” principles. Grant users access to the data, applications and systems required to do their jobs and nothing more.
- Assign responsibility. Determine who will be responsible for reviewing and approving requests for access permissions, with separation of duties among multiple people.
- Implement procedures. Develop detailed workflows for responsible individuals to follow when applying policies to access requests for each IT resource.
- Track changes. Whenever there’s a change to your IT environment, review security policies and access privileges to ensure they meet risk guidelines.
- Monitor and review. Monitor access to resources and periodically review access privileges for alignment with the user’s current role.
- Maintain an incident response plan. Develop and maintain procedures for reporting, investigating and handling incidents of unauthorized access and data leakage or exposure.
In order to control access to data files, you’ll need to organize the files according to category and risk level and assign file and folder access permissions accordingly. You should also implement full-lifecycle data management procedures. Determine how long each category of sensitive data needs to be maintained, and develop processes for reviewing, archiving and deleting those files when appropriate.
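The inventory, least-privilege and review steps above, together with the classification-based permissions and retention handling described in this paragraph, are the kind of checks that can be run against a permissions export. What follows is an added example, not SSD's tooling or any product's output: the folder records, group names, classification labels and retention periods are constructed assumptions, and the script flags folders that every employee can reach, sensitive folders among them, and sensitive folders held past their retention period, grouped by the owner responsible for reviewing them.

```python
"""Access review over a file-share permission inventory (added example).

Not the page's or SSD's own tooling. The records, group names, paths,
classification labels and retention periods are constructed assumptions
in the shape a permissions inventory export might take.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Groups that effectively mean "all employees" (assumed AD/Windows naming)
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Classifications that count as sensitive, and assumed retention in days
SENSITIVE = {"confidential", "regulated"}
RETENTION_DAYS = {"confidential": 3 * 365, "regulated": 7 * 365}

# Date the review is run (fixed so the sample results are reproducible)
REVIEW_DATE = date(2024, 1, 1)


@dataclass
class FolderRecord:
    path: str
    classification: str   # public | internal | confidential | regulated
    grants: dict          # group name -> set of rights
    last_modified: date
    owner: str            # person accountable for reviewing this folder


# Constructed sample inventory, not real data
RECORDS = [
    FolderRecord(r"\\fs01\Public\Templates", "public",
                 {"Everyone": {"read"}}, date(2023, 11, 2), "comms-team"),
    FolderRecord(r"\\fs01\HR\Payroll", "regulated",
                 {"HR-Payroll": {"read", "write"}, "Domain Users": {"read"}},
                 date(2023, 12, 1), "hr-director"),
    FolderRecord(r"\\fs01\Finance\Audit2015", "confidential",
                 {"Finance": {"read", "write"}}, date(2015, 6, 1), "cfo"),
    FolderRecord(r"\\fs01\Engineering\Specs", "internal",
                 {"Engineering": {"read", "write"}}, date(2023, 9, 15), "eng-lead"),
    FolderRecord(r"\\fs01\Legal\Contracts", "confidential",
                 {"Authenticated Users": {"read", "write"}}, date(2023, 1, 10), "gc"),
]


def broad_grants(rec):
    """Groups on this folder that amount to every employee."""
    return sorted(g for g in rec.grants if g in BROAD_GROUPS)


def open_folder_ratio(records):
    """Share of folders any employee can reach (the kind of figure the Varonis study reports)."""
    if not records:
        return 0.0
    return sum(1 for r in records if broad_grants(r)) / len(records)


def find_exposed_sensitive(records):
    """Sensitive folders open to all employees: the least-privilege violations."""
    return [r.path for r in records
            if r.classification in SENSITIVE and broad_grants(r)]


def find_retention_expired(records, today):
    """Sensitive folders untouched for longer than their retention period."""
    expired = []
    for r in records:
        limit = RETENTION_DAYS.get(r.classification)
        if limit is not None and today - r.last_modified > timedelta(days=limit):
            expired.append(r.path)
    return expired


def access_review_report(records, today):
    """Per-owner work list: broad grants to remove, folders to archive or delete."""
    report = {}
    for r in records:
        actions = []
        if r.classification in SENSITIVE and broad_grants(r):
            actions.append("remove broad grants: " + ", ".join(broad_grants(r)))
        if find_retention_expired([r], today):
            actions.append("retention exceeded: review for archive/delete")
        if actions:
            report.setdefault(r.owner, []).append((r.path, actions))
    return report


if __name__ == "__main__":
    print(f"folders open to all employees: {open_folder_ratio(RECORDS):.0%}")
    for owner, items in access_review_report(RECORDS, REVIEW_DATE).items():
        for path, actions in items:
            print(f"{owner}: {path} -> {'; '.join(actions)}")
```

On the sample data the script reports 60 percent of folders open to all employees, two sensitive folders (Payroll, Contracts) whose broad grants should be replaced by role groups, and one confidential folder past its retention period. Feeding it a real export from the inventory step and re-running it on a schedule is one way to make the "monitor and review" step measurable rather than a matter of confidence.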
Giving every user in your organization full access to every file greatly increases your risk of a data breach. SSD is here to help you assess your environment and develop policies and procedures for granting appropriate access to each IT resource.