The 2010 KPMG Data Loss Survey points to the increasing amount of insider access risk that organizations are realizing. Based on this worldwide report, 20% of data loss incidents this year were caused by people within the organization, up from 4% in 2007. While many security practitioners have done a great job of locking down the perimeter to mitigate external access risks, the same attention and control has not been applied to insider risk.
Blame it on the economy if you will, but insiders seem to have more motive to steal data. And it’s not just personally identifiable information on consumers. We are seeing higher rates of corporate intellectual property being stolen than ever before.
One concerning thing to note is the amount of data loss that can be attributed to the healthcare industry and the government! When it comes to the government, if you can legislate control mandates for data privacy, you must abide by the same regulations and rules!
An access governance framework is foundational to reducing insider access risk. Such a framework establishes what access is required for a person’s job function (role), provides the ability to enforce access policy controls that will eliminate toxic combinations of access, and gives visibility into access change events to determine when access permissions are no longer needed.