In a separate Cyber-Ark global survey on “Trust, Security & Passwords” of more than 400 senior IT professionals in both the US and UK, mainly from enterprise-class companies, 35 percent of IT workers admitted to accessing corporate information without authorization. The types of information this audience would target were proprietary data and information that is critical to maintaining competitive advantage and corporate security. Ominously, 1 in 5 companies confessed to having experienced cases of insider sabotage or IT security fraud.
When staff take data and cause a security incident, it tends to be filed away as an example of an “employee gone bad.” In reality, it constitutes a failure of the organization to uphold its responsibility, on behalf of the business, to manage, control and monitor the power it provides to its employees and systems, or indeed to have any controls in place to stop staff from causing breaches. The failure stems from the ‘perception of control’ an organization has over its most sensitive networks, systems and devices versus the stark reality that this control is most often not in place across the organization. What can be done to protect sensitive data from an increasingly unsettled, and to some extent desperate, workforce?
Trust is not a security policy
To significantly cut the risk of these insider breaches, employers must have appropriate systems and processes in place to keep prying personnel out. One way to address this challenge is a holistic approach to privileged identity management using solutions such as digital vaults, which are especially valuable for users with high levels of enterprise/network access as well as those handling sensitive information and/or business processes. Instead of trying to protect every facet of an enterprise network, digital vault technology creates safe havens (distinct areas for storing, protecting, and sharing the most critical business information) and provides a detailed audit trail for all activity associated with these safe havens. This encourages secure employee behavior and significantly reduces the risk of human error.
For organizations serious about preventing internal breaches, be they accidental or malicious, here are five steps to protecting company data from desperate employees tempted to steal secrets.
Step 1: Establish a safe harbor
By establishing a safe harbor, or vault, for highly sensitive data (such as administrator account passwords, HR files, or intellectual property including corporate databases), security is built directly into the business process, independent of the existing network infrastructure. This will protect the data not only from nosy employees snooping around for information they should not be privy to, but also from hackers.