The role of Access Rights Management in cyber security

With new research claiming people are still the biggest threat to cyber security, organisations must make managing what their employees have access to a priority, before it's too late.

In some ways, the new research claiming that people are still the biggest threat to cyber security is hardly surprising; this has been the case for years now. What is surprising is that, even with the GDPR only one year away, this hasn't moved on. It seems that organisations are aware of the problem, which of course is a good thing, but isn't it time we began to see research saying that people aren't a threat anymore because organisations have secured their systems against these types of threats and educated their workforces in the process? That kind of research would be much more heartening, especially when other research suggests that there's an IT skills shortage coming soon that could make it even more difficult for organisations to secure themselves against cyber threats.

The Institute of Information Security Professionals (IISP) is behind the new research claiming that people are still the biggest threat to cyber security. The research suggests that people are still not cautious enough about phishing scams, such as links or attachments in emails, or about visiting websites that might not be safe. The IISP also suggests that a lack of technical skill causes problems and, interestingly, claims that another problem is organisations making poor critical decisions around strategy and budgets, suggesting that organisations are not focused on the right ways to prevent cyber attacks.

At the same time, other research from Brocade, which surveyed IT leaders in Australia, France, Germany, Singapore, the US and the UK, claimed that the industry is at a tipping point where demand for IT skills simply won't be met in the near future. The research claimed that the UK was lagging behind the other countries, with 63 per cent of IT leaders in the UK expecting to struggle to find talent next year. Given the continued rise of data breaches and the GDPR fines looming, a shortage of the very people who could help prevent these breaches would create the worst kind of perfect storm for organisations.

Do innocent mistakes count?

Next year, the GDPR comes into effect and any organisation holding or processing an EU citizen's data will need to be compliant with the new regulation or risk a fine of up to 4 per cent of global annual turnover or 20 million euro, whichever is greater, in the event of a data breach. When the fines are being doled out, it's unlikely that the new regulation will take into consideration whether the breach was caused by an unwitting employee making an innocent mistake or a malicious employee with more sinister motives. Nor is it likely to be taken into account whether or not organisations can get the right employees. It will more likely be a case of the organisation not having done enough to protect its sensitive data and therefore being fined appropriately. For organisations looking to avoid those fines, all the research points to a need to act quickly.

One part of the new GDPR which is specifically relevant when discussing insider threats is the principle of least privilege which, in short, means that organisations must ensure that only the employees who need access to specific data are allowed to have it; it should not be accessible to anyone else in the business. This is why visibility over who can access what information within an organisation is so important. With a specific principle around it, it's not something that organisations can afford to ignore anymore.

Access Rights Management solutions have been around for years and have been deployed by organisations focused on best practice and on adhering to governance, risk and compliance requirements within certain industries. With the principle of least privilege and the main tenet of privacy by design within the GDPR, however, these solutions are now necessary for more than just best practice: they are an integral part of an organisation's IT security strategy.

Access Rights Management has traditionally been deployed to help with an organisation's Active Directory but as organisations grow and expand, they also need to control access to their File Server, SharePoint, and Exchange, and Access Rights Management solutions have evolved to cover those points of access too.

Securing an organisation

It's easy to see how organisations can fall foul of the principle of least privilege. The job for life, for the most part, is a thing of the past. Now, employees move around departments, get promoted or simply accumulate more access as their job role evolves, a problem that is exacerbated by allowing access based on membership of a group. Just as permissions need to be given for access to all of these platforms and systems, they also need to be taken away when they're no longer required. Without deploying a specific solution, though, the process is complicated and time-consuming and, even more importantly, it's not immediately obvious who has access to what. In the new GDPR world, that's just not acceptable.

The ability to understand, and see, who has access to data within the organisation, who has given that access, and what users can do with that access is vital if organisations are to secure themselves against data breaches and protect themselves from the forthcoming GDPR fines. That's not to say that Access Rights Management is the readymade solution for all an organisation's GDPR concerns; of course it isn't. But without the visibility offered by such a solution, it's almost impossible for an organisation to truly secure its sensitive data or meet its governance, risk and compliance requirements.

Visibility and control of who's accessing data is now essential for organisations: to prepare for the GDPR, to comply with GRC requirements, and simply to protect their most valuable asset, their data. Of course, as with all IT-focused solutions, and especially so with the expected IT skills shortage, factors such as efficiency, time-saving and ease of use should be high on an organisation's list of considerations when choosing a solution. Ultimately, a good Access Rights Management solution should make it easy for an employee to request access to something, otherwise a workaround such as password sharing will likely be found; it should be easy and quick for administrators to understand the validity of a request and grant the access; and it should offer easy-to-digest reports for senior management.

A perfect storm is coming. It's time for some organisations to change course or drown in the fines that will come. 

Simon Cuthbert, Head of International, 8MAN