Access rights: An issue for IT or management?

Growing cost-pressure on IT departments can often lead to resourcing issues, reducing the time available to manage – what should be basic – processes such as access rights management. It is easy to lose sight of what access privileges have been assigned to whom, meaning data security and integrity can no longer be guaranteed. Despite this risk, most companies pay insufficient attention to the very real security threat from within.

According to IDC, 80-90 percent of security breach cases occur as a result of the threat to company data from inside the business. In a seperate study by the United States Secret Service in conjunction with Verizon, it has shown that 48 percent of data breaches occur as a result of internal privilege misuse. Both of these studies confirm the prevalence and dominance of internal security threats as the primary source of danger.

This is not necessarily malicious or intentional, but can often be a result of neglect or personal error. While most companies are aware of, and focused on, external threats, employing tools such as firewalls, anti-virus software and spam filters, the risk of employees having access to confidential information is often ignored.

Compliance demands brought about by government and industry regulations must also be considered, as these compel organisations to retain information for specific periods of time. Sensitive documents concerning financial information, personnel records, top-secret research and development, etc, all need to be managed effectively.

IT departments are therefore faced with a constantly increasing volume of data, potentially across a number of systems, making management of access privileges complicated and time consuming.

One common source of access rights management issues arises from what is known as the ‘apprentice’ or ‘intern’ effect. Temporary employees, such as interns, are often given various assignments in different departments across the business. In each department they are assigned new, additional, access rights.

However, the previous rights are seldom revoked. As an employee continues to move between departments, they could end up accumulating access rights to a broad range of company-critical data, including employment contracts, confidential HR information and sensitive financial data. In order to circumvent this issue, a solution is to assign the apprentice or intern with temporary access rights that are revoked after a clearly defined period of time.

It is, however, important to realise that the IT department will have limited insight into why any individual employee should have access to what directories and for how long – something which a given employee’s manager will have a much better grasp of.

Employees can also often accrue access rights as a result of promotion or departmental adjustments, office relocation or organisational changes when taking on project based work. These problems often stem from a disconnect between IT departments and managers. As employees move between project work, new directories and folders are created on IT networks – not always with the IT department’s express permission or knowledge.

Ideally, IT departments must revoke rights to closed projects immediately, and assign the appropriate rights to new project folders. If this is not managed effectively, there is a real danger of access rights not being set correctly from the outset. In addition, this can also lead to employees feeling frustrated at not being able to access the information they require.

Valuable working time is consequently lost, threatening project timelines and deliverables which can lead to overt pressure being placed on IT departments to assign excessive access rights. We have found that 65 percent of all users have access to company-critical data due to a permissions oversight, clearly illustrating the lack of importance placed on ensuring that company data is only accessed by the correct individuals.

Companies need to implement a proper access rights management strategy or they will face a constant struggle to maintain control of their data and ensure its protection from misuse. By moving the process of assigning access rights away from IT departments, into the hands of managers, businesses can take control of their data, and who has access to it.

In order to reduce costs while simultaneously improving the quality of internal workflows, companies need to look at the standardisation and streamlining of internal processes. Better administration of data access rights, facilitating improved management of company data is one area where such streamlining can provide time and cost savings, as well as enhancing security and compliance.

Steven Bennett is head of channel in the UK and is responsible for establishing channel partnerships for Protected-networks.com in the UK and Nordic countries, promoting access rights management as a solution to the internal threat to a company’s data. Prior to his appointment as head of channel at Protected-networks.com, Steven worked as key account manager at energy trading and risk management software solution provider OpenLink, and before that as director of client relations at video distribution platform provider The NewsMarket.