Many small and medium-size business (SMB) owners and company executives labour under a common misapprehension.
They believe responsibility for IT hygiene and preventing data breaches belongs exclusively to those in IT. It’s a state of mind that many of my friends working in IT come up against time and again, causing them to shake their heads in frustration.
Moreover, if you are one of those people then it’s highly likely you are putting your business at risk.
Cooperation across the business
A company’s data security position depends on the cooperation of people from every part of the business. If just one person falls short the result is poor IT hygiene and increased risk of a data breach.
Running hardware that has not been properly configured or software that is out of date are two examples – both of which, most certainly, fall within the domain of your IT people. But they cannot be held responsible for any non-IT staff who ignore company policy or security best practice.
Sometimes ordinary employees do extraordinary things, such as extending their IT privileges to gain access to systems and information beyond their job function. Or someone with a grudge, or who is about to leave, deliberately tampers with data or takes it to a competitor.
Tools do exist that allow IT staff to spot the tell-tale signs of privilege abuse or data tampering and take early action before a breach can occur.
Yet all too often the guys in IT have to operate with squeezed budgets and are forced to make sacrifices. Last year’s Experian breach demonstrates vividly how slashing budgets too far can render even the most basic security measures vulnerable to attack.
Also ongoing scrutiny of the data behaviour of trusted employees is a low priority at best. Other activities such as improving defences against external threats and managing strategic projects take precedence.
Unhappily many firms do cut corners when it comes to systems security. It’s a risky strategy that means data breaches can only be avoided if IT and non-IT staff are well drilled in security best-practice and wholly committed to doing their bit to help each other.
‘Us and Them’
Most of the time, however, an ‘Us and Them’ mentality prevails. Our own 2018 Netwrix Cloud Security Report reveals the biggest cloud security concern is risk of unauthorized access (69%) and when something does go wrong the finger is mostly pointed (39% of the time) at the guys in IT.
People need to realise that data security is best served by everyone pulling together. Something as simple as good two-way communication channels between the IT team and the rest of the business can make all the difference.
For example, the business folks may work on something that creates files with sensitive customer information inside. Unless they draw this to the attention of IT the steps necessary to secure them properly may be missed. Such gaps in communication are exactly what hackers are hoping to exploit.
More regulation on the way
A data breach is expensive. In a 2017 study of more than 235 publicly disclosed breaches the average cost for each lost or stolen record containing sensitive and confidential information was $141. And it’s about to get more costly still. The regulatory environment is tightening.
By now most people will be aware of new regulations such as PSD2, open banking in finance and General Data Protection Regulation (GDPR) for safeguarding the data of EU citizens that are set to come into force this year. Failure to comply with the latter carries a penalty of up to 20 million Euros or 4% of annual turnover.
With this in mind, here are four steps for everyone in the business to follow to improve your IT hygiene and reduce the risks of your company joining the year’s growing list of breach victims:
1. Identify instances of poor IT hygiene
Begin with an accurate assessment of current risks in your business. Don’t rely on assumptions or opinions; this baseline needs to be evidence-based. Most organisations are pretty good at establishing perimeter defences. So start with a closer look at internal systems, with particular focus on user access permissions and the data they provide access to.
2. Prioritise clean-up based on risk
Once the baseline is established, the priorities should stand out clearly. Don’t forget to involve non-IT people in the process; they may have a very different perception of where the high-value assets reside. This is probably where the sticking points will be: non-IT staff will be adamant that their department or people must have unrestricted access to a particular folder.
This is where evidence-based reporting tools come in. They show how people are gaining access to the data, when they last accessed it and what they do with it. Without this evidence, it takes extensive forensics to explain why particular access rights need to be removed.
3. Rinse and repeat
Too many organisations think of risk reduction as a one-off activity. In fact it should be a continual process that needs to be performed on schedule and automated as much as possible. Even a small change to a configuration file or a user’s access rights can have huge impact on data vulnerability. These changes happen constantly and you need to stay on top of them to minimise the risk.
You only need to look at how many patches Microsoft issues each year to understand how important regular updates are for security.
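Steps 1 to 3 above describe an access review: gather evidence about who holds which permissions, rank the grants by the sensitivity of the data and how they are actually used, then repeat the run on a schedule and look at what changed. The script below is an added illustration of that loop and is not Netwrix code or a Netwrix product feature. Every input (the share permissions, the owners' sensitivity ratings, the per-role baselines, the audit-log access dates and the reference date) is constructed sample data; in practice these rows would be exported from the file server ACLs, the directory and the access audit log, which is assumed here to be possible.

```python
"""Access-review baseline for the clean-up steps above (added example).

All inventory, sensitivity labels, role baselines and audit-log dates are
constructed sample data, not from any real environment.
"""
from datetime import date

# --- constructed sample input (step 1: the evidence) ---------------------
# Effective share permissions: (user, share, permission level)
PERMISSIONS = [
    ("alice", "finance", "modify"),
    ("alice", "public", "read"),
    ("bob",   "finance", "read"),
    ("bob",   "hr",      "full"),
    ("carol", "hr",      "modify"),
    ("carol", "public",  "read"),
]
# Sensitivity as rated by the data owners, 1 (low) to 3 (high).
SENSITIVITY = {"finance": 3, "hr": 3, "public": 1}
# Shares each job role legitimately needs (agreed with department heads).
ROLE_BASELINE = {
    "finance": {"finance", "public"},
    "hr":      {"hr", "public"},
}
USER_ROLE = {"alice": "finance", "bob": "finance", "carol": "hr"}
# Most recent successful access per (user, share), from the audit log.
LAST_ACCESS = {
    ("alice", "finance"): date(2018, 5, 30),
    ("alice", "public"):  date(2018, 5, 20),
    ("bob",   "finance"): date(2018, 1, 15),
    ("carol", "hr"):      date(2018, 5, 28),
}
TODAY = date(2018, 6, 1)          # fixed so the sample run is repeatable

PERM_WEIGHT = {"read": 1, "modify": 2, "full": 3}
STALE_DAYS = 90


def review_access(permissions, sensitivity, role_baseline, user_role,
                  last_access, today, stale_days=STALE_DAYS):
    """Return grants worth questioning, highest risk first (steps 1 and 2).

    A grant is flagged when it lies outside the user's role baseline, has
    never been exercised, or has not been used for `stale_days`. The score
    is sensitivity x permission weight, so full control on an HR share
    outranks an unused read on a public share.
    """
    findings = []
    for user, share, perm in permissions:
        reasons = []
        if share not in role_baseline.get(user_role.get(user), set()):
            reasons.append("outside job role")
        last = last_access.get((user, share))
        if last is None:
            reasons.append("never used")
        elif (today - last).days > stale_days:
            reasons.append(f"unused for {(today - last).days} days")
        if reasons:
            findings.append({
                "user": user, "share": share, "permission": perm,
                "score": sensitivity.get(share, 1) * PERM_WEIGHT.get(perm, 1),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-f["score"], f["user"], f["share"]))
    return findings


def diff_grants(previous, current):
    """Step 3: what changed since the last scheduled run."""
    prev, cur = set(previous), set(current)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


def run_sample_review():
    """Run the review over the constructed inventory."""
    return review_access(PERMISSIONS, SENSITIVITY, ROLE_BASELINE, USER_ROLE,
                         LAST_ACCESS, TODAY)


def run_sample_diff():
    """Constructed 'next run': bob's HR grant removed, a new hire added."""
    next_run = [p for p in PERMISSIONS if p != ("bob", "hr", "full")]
    next_run.append(("dave", "finance", "read"))
    return diff_grants(PERMISSIONS, next_run)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"[{f['score']}] {f['user']} {f['permission']} on {f['share']}: "
              + ", ".join(f["reasons"]))
    print(run_sample_diff())
```

On the sample data the top finding is bob's full-control grant on the HR share (outside his finance role and never used), followed by his stale read on finance and carol's unused read on public. The diff output is what a scheduled run would hand to IT each week: new grants to check against the role baseline, and removals to confirm were intended.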
4. Better communication
Businesses need to be better at communicating what constitutes risk. If it falls to a member of the IT team to explain risk to the rest of the business, make sure they use language their audience can identify with and steer clear of dry, technical jargon.
In summary, as a small and medium-size business (SMB) owner/company executive you need to understand how you can help basic IT hygiene practices to be adopted company-wide. Put simply, if you are not part of the security effort you are part of the problem.
Matt Middleton-Leal, GM, EMEA of Netwrix