[BreachExchange] How To Prevent Employee-Caused Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 3 17:54:12 EDT 2016


http://www.forbes.com/sites/kpmg/2016/10/01/how-to-prevent-employee-caused-data-breaches/#1c33f59d4995

Those who are most likely to steal your company’s sensitive data aren’t
necessarily experienced hackers living halfway around the world. In fact,
they might be sitting in your office.

Employees are known to be among the top thieves of corporate data. In fact,
47 percent of employees think that someone at their company would try to
obtain someone else’s access rights in order to steal company information,
according to a 2014 survey by the Ponemon Institute.

Aside from malicious insiders, sometimes employees unwittingly access
sensitive information and hand it to the wrong people. The maze of complex
international privacy regulations has made it harder in some respects for
employees to protect data. What is considered sensitive in some
jurisdictions may not be in others. And, as more companies rely on outside
contractors or allow third-party vendors to access their internal systems,
securing data has become an even larger concern.

To prevent internal breaches, more companies are using a “privileged access
management” (PAM) solution. This is a tool that allows organizations to
control who has access to the company’s various information systems using
passwords and other authentication methods. It also creates a continuous
audit trail, so an organization can see each time an administrator or
employee accessed a system, when, and from where.

How PAM solutions are used varies among organizations based on their
particular cyber risks and concerns. But in general, they can:

- Allow companies to designate who can access various systems, and easily
  turn off someone’s access when it’s no longer needed.
- Require regular password changes among highly sensitive accounts.
- Administer one-time passwords that expire after a set period of time.
- Require users to present multiple types of authentication when logging into
  certain accounts.
- Frequently rotate passwords to prevent brute-force or offline cracking
  attacks.
- Record video of privileged users’ logged-in sessions.
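The capabilities listed above are easier to reason about with a concrete model. The following is an added illustration written for this post, not code from the article or from any PAM product: a toy broker that issues time-limited (optionally one-time) access grants, lets an administrator revoke them, and writes every attempt, allowed or denied, to an append-only audit trail. The `FakeClock` helper, the system names and the IP addresses are constructed so the expiry and revocation paths can be exercised deterministically.

```python
# Toy privileged-access broker illustrating the PAM capabilities named above:
# time-limited and one-time grants, revocation, and a continuous audit trail.
# Constructed example for this post; not the code of any real PAM product.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class Grant:
    user: str
    system: str
    expires_at: datetime
    one_time: bool = False
    used: bool = False
    revoked: bool = False


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    system: str
    source_ip: str
    outcome: str  # allowed | expired | revoked | replayed | wrong_system | unknown_token


class FakeClock:
    """Injectable clock so expiry can be exercised deterministically (constructed helper)."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime(2016, 10, 3, 12, 0, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += timedelta(seconds=seconds)


class PrivilegedAccessBroker:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants = {}   # token -> Grant
        self.audit = []    # append-only trail of AuditEvent

    def grant(self, user: str, system: str, ttl_seconds: int, one_time: bool = False) -> str:
        """Issue a random bearer token valid for `system` until the TTL lapses."""
        token = secrets.token_urlsafe(32)
        expires_at = self.clock() + timedelta(seconds=ttl_seconds)
        self.grants[token] = Grant(user, system, expires_at, one_time)
        return token

    def revoke(self, token: str) -> None:
        """Turn off access immediately, e.g. when a contractor's engagement ends."""
        if token in self.grants:
            self.grants[token].revoked = True

    def access(self, token: str, system: str, source_ip: str) -> str:
        """Decide one access attempt; every attempt, allowed or not, is written to the trail."""
        g = self.grants.get(token)
        now = self.clock()
        if g is None:
            outcome, user = "unknown_token", "?"
        elif g.revoked:
            outcome, user = "revoked", g.user
        elif now > g.expires_at:
            outcome, user = "expired", g.user
        elif g.system != system:
            outcome, user = "wrong_system", g.user
        elif g.one_time and g.used:
            outcome, user = "replayed", g.user
        else:
            g.used = True
            outcome, user = "allowed", g.user
        self.audit.append(AuditEvent(now, user, system, source_ip, outcome))
        return outcome

    def events_for(self, user: str) -> list:
        """Per-user view of the trail: who touched which system, when, from where."""
        return [e for e in self.audit if e.user == user]

    def denied_events(self) -> list:
        """Denied attempts are the first thing a reviewer should look at."""
        return [e for e in self.audit if e.outcome != "allowed"]


if __name__ == "__main__":
    clock = FakeClock()
    broker = PrivilegedAccessBroker(clock)
    t = broker.grant("alice", "db-prod", ttl_seconds=3600, one_time=True)
    broker.access(t, "db-prod", "10.0.0.5")   # allowed
    broker.access(t, "db-prod", "10.0.0.5")   # replayed (one-time grant already used)
    clock.advance(7200)
    broker.access(t, "db-prod", "10.0.0.5")   # expired
    for e in broker.audit:
        print(e.ts.isoformat(), e.user, e.system, e.source_ip, e.outcome)
```

The point the broker makes is that a denial is as much an audit event as a success: the trail records the replay and the expired attempt, which is what lets an organization answer the "who accessed what, when and from where" question the article describes.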

Any company can use a PAM solution, but it is particularly useful for a
company that:

- Has highly sensitive information or data to protect, such as personally
  identifiable customer information, which various jurisdictions forbid
  using or sharing without the express consent of the individual.
- Has outside contractors or vendors who need to access sensitive company
  systems.
- Lacks the ability to know each time an employee or contractor has accessed
  a privileged account.
- Wants stronger password protection, allowing each person with access to
  sensitive accounts to have a unique password.
- May be subject to the recently announced New York Department of Financial
  Services’ proposed cybersecurity requirements for financial services
  companies.

Before deploying a PAM solution, a company should take these steps to
ensure it uses the tool effectively.

Understand your risks and needs. Conduct an inventory of the systems or
accounts that need protecting and how many people will need to be given
access to those accounts. Develop criteria for the types of accounts that
should be recorded regularly, and determine things such as how often
privileged users should be required to change passwords.

Create a road map. Writing out a plan and objectives for PAM deployment
over the next three to five years will help you understand the costs and
value.

Get leader buy-in. Make sure company leaders understand the value of PAM
and how it will be implemented. Pushback is likely as PAM will be a
cultural change for most IT administrators.

Keep it manageable. Plan the implementation of PAM to occur gradually, in
reasonable chunks rather than all at once. This provides the support team a
longer window in which to become familiar with the tool while supporting a
smaller subset of end users.

Companies with sensitive data to protect should be just as concerned about
breaches from the inside as about far-flung cyber attacks.