We get news about successful hacks, breaches and ransomware basically every week. As a consequence, stock listed companies often see their stock prices plummet, their reputation takes a hit and their brands tarnished. In some cases, the general public might take their business elsewhere.
But there’s more to the story of cyber security incidents: a failure to act and report in a timely fashion increasingly comes with a concrete price tag and the consequences are long-lasting. Moreover, ignoring proper access controls to sensitive data is now considered as serious as a malicious attack from the outside.
Let’s have a look at some real-life cases and some questions organizations should be asking themselves.
1. Critical data governance or the wild west?
Talking about access governance, it also bears reminding that cybersecurity is no longer only about breaches from the outside. Companies must also understand how, by whom and with what authority sensitive data is being accessed and used within their organization. Failure to comply might now be treated with similar severity as an outside breach.
Centro Hospitalar Barreiro Montijo, a hospital in Portugal was fined for neglecting proper access controls and allowing ungoverned access to medical and health data. In practice, personnel who were not physicians or no longer worked for the hospital had access to confidential patient information. One interesting aspect of this case is that the court found at least one employee guilty of knowingly ignoring the regulations. Under GDPR, it is not only organizations that might face prosecution, but employees with privileges can be personally liable.
2. Insider or an outsider pretending to be an insider?
Equifax is in the news again. But it has also become apparent that one of the reasons this hack was so successful was that the attackers got ahold of stolen credentials which allowed them to move laterally inside the network. In short, lateral movement means that the hacker is able to gain access to more valuable data by using stolen credentials that grant access to high-value targets.
Lateral movement implies that access governance and controls inside the company could have been vastly improved and serves as a reminder that companies without proper access governance and administration (IGA) are just one stolen credential away from being in the news. It also an example of how protecting the outer perimeter of the company is simply not enough: an outsider can pose as an insider, and unfortunately neither your existing security solutions or security experts are none the wiser.
3. Under constant auditing or taking pre-emptive action?
Businesses may also face many years of rigorous audit for not ensuring that only a very select group of people can access personally identifiable data. One example is Uber who was forced to agree to 20 years of audit related, since the company used a software called ‘God View’. If that name does not make you raise your eyebrows, its functionality should: Uber used it to monitor real-time locations of customers and drivers, and at least one of the top executives of the company is under suspicion of beaching the US - and the ride-sharing company’s own – privacy policies. Moreover, this information was widely available for employees to see, excluding the drivers.
Ignoring access controls means that you are ignoring privacy laws. Even if the sensitive data is properly secured from outside access and hackers, this is just a part of the story. Companies are responsible for demonstrating that if they collect sensitive information, they also foster a culture of privacy sensitivity.
Auditors typically require that companies make changes to their processes, which is naturally a good thing, but implementing proper controls after the fact tends to be more difficult than carefully planned preparation with the purpose of mitigating risks.
4. Should access governance be a board level topic before or after the bad press?
One of the most important lessons to learn is that companies should not leave access governance to critical IT assets and proper segregation of duties only at the hands of the IT or even the cyber security teams: they should be a board level topic. The consequences of ignoring these topics always are.
How can we help
We have more than 25 years of experience in the field of cybersecurity, access control and securing data-in-transit. We can help you:
- properly govern access to your critical data
- provide the least level of privilege necessary for the task at hand
- make privilege last only as long as it takes to get the job done
- apply Zero Trust access authentication models for each privileged session
- audit, log and record all sessions for compliance
Joe Scaff, CEO, Chief Sales Officer
P.S. I highly recommend the ISACA guide on Secure Shell governance and the KuppingerCole Executive view on our product, PrivX®.
