IT security faces a variety of insider threats, including malicious users or IT staff who intentionally steal sensitive data, as well as those who accidentally expose data or log-in credentials to criminals.
One reason the risk of insider threats is so high at many companies is that employees have access to far more information than their jobs require.
That’s the message in a recent study, “The Insecurity of Privileged Users,” conducted by the Ponemon Institute. Users and IT employees often have access to sensitive data they don’t need for their jobs, and can easily abuse those access privileges.
Among the 5,500 IT professionals surveyed:
- 64% believe privileged users feel empowered to access all the data they can view, even if they don’t need to
- 61% believe users with access view confidential data simply out of curiosity
- 52% say their organizations assign access rights that go beyond what’s necessary for employees’ jobs, and
- 23% of the IT pros surveyed said their own access rights aren’t necessary to do their jobs.
Even when access privileges are needed for a job, many companies are less than careful about who they give those rights to, with 31% of respondents saying employees with high levels of access don’t receive background checks. In addition, 33% said their organizations have employees who work from home, away from supervision, with administrative or root level access rights.
In another survey on insider threats conducted by security vendor Venafi, 65% of IT pros said their department has the easiest access to the company’s most secure information — just 30% said the CEO has the easiest access to that data. An earlier survey showed nearly half of IT employees would be able to sabotage their employers if they were so inclined.
Giving users and IT staff access to more data than they need creates several problems. The individual may be a malicious insider who uses that access to steal data, or may share credentials with a co-worker who is. Every additional privileged account also widens the pool of people who can be socially engineered into handing credentials to criminals, or who can expose data through simple negligence.
In the Ponemon study, 41% of respondents admitted that the setting of user privileges in their organization is an inconsistent, ad hoc process. Just 39% said the process for assigning privileges was determined by well-defined policies controlled by the IT department.
Creating a formal process that involves both business managers and IT can help make sure access is given only as needed and the risk of insider threats is limited.
Some other steps IT can take to avoid leaving too much sensitive data open to insider threats:
- Establish a procedure for communicating personnel changes – IT must be informed of joiners, movers and leavers so access privileges can be added or removed accordingly. This covers not only employees who leave the company, but also those who change roles and no longer need access to the same data.
- Regularly revisit access privileges – Even when employees stay in the same job, their duties evolve and they may no longer need access to certain data. That’s why all accounts, and especially privileged ones, should be reviewed and re-approved periodically.
- Consider privilege management software – Many companies are open to insider threats because they can’t keep track of which employees have access to what data. Identity and privileged access management tools can inventory who holds which entitlements, route new grants through an approval workflow, and log how administrative accounts are actually used.
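The three steps above reduce to one recurring reconciliation: compare the entitlements actually granted in each system with what each person's current role needs, and flag everything else. The script below is an added example, not code from the article or from the Ponemon or Venafi studies it cites. The role catalogue, employee roster, grants, the recertification window and all user, role and function names are constructed and hypothetical; a real run would pull the roster from the HR system and the grants from the target applications.

```python
"""Periodic access review: reconcile what is granted against what each role needs.

Added example, not code from the article or the studies it cites. The role
catalogue, roster and grants below are constructed sample data, and the
function and field names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# What each role legitimately needs (constructed). Anything else is excess.
ROLE_ENTITLEMENTS = {
    "payroll_analyst": {"hr_db:read", "payroll_app:user"},
    "dba":             {"hr_db:admin", "crm_db:admin"},
    "sales_rep":       {"crm_db:read", "crm_app:user"},
    "helpdesk":        {"ad:password_reset"},
}

# Entitlement suffixes treated as privileged (admin/root level).
PRIVILEGED_SUFFIXES = ("admin", "root")

@dataclass(frozen=True)
class Employee:
    user: str
    role: str                       # current role per the HR system
    active: bool = True             # False once HR records a departure
    background_checked: bool = True

@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    last_certified: date            # when a manager last confirmed this grant

def is_privileged(entitlement):
    return entitlement.rsplit(":", 1)[-1] in PRIVILEGED_SUFFIXES

def review_access(employees, grants, today, recert_days=90):
    """Classify every grant. Returns a dict of finding lists:

    orphaned  - grant belongs to no active employee (leaver never offboarded)
    excess    - grant lies outside the holder's current role (mover, or ad hoc
                provisioning); removed, not recertified
    unvetted  - privileged grant held by someone without a background check
    recertify - grant fits the role but is overdue for manager re-approval
    """
    roster = {e.user: e for e in employees}
    findings = {"orphaned": [], "excess": [], "unvetted": [], "recertify": []}
    for g in grants:
        emp = roster.get(g.user)
        if emp is None or not emp.active:
            findings["orphaned"].append((g.user, g.entitlement))
            continue
        if g.entitlement not in ROLE_ENTITLEMENTS.get(emp.role, set()):
            findings["excess"].append((g.user, emp.role, g.entitlement))
            continue
        if is_privileged(g.entitlement) and not emp.background_checked:
            findings["unvetted"].append((g.user, g.entitlement))
        if (today - g.last_certified).days > recert_days:
            findings["recertify"].append((g.user, g.entitlement))
    return findings

# Constructed sample data: one clean user, one mover, one leaver,
# one unvetted admin and one overdue certification.
TODAY = date(2024, 6, 1)
EMPLOYEES = [
    Employee("alice", "payroll_analyst"),
    Employee("bob",   "sales_rep"),                  # moved here from payroll
    Employee("carol", "dba", active=False),          # left the company
    Employee("dave",  "dba", background_checked=False),
    Employee("erin",  "helpdesk"),
]
GRANTS = [
    Grant("alice", "hr_db:read",        TODAY - timedelta(days=30)),
    Grant("alice", "payroll_app:user",  TODAY - timedelta(days=30)),
    Grant("bob",   "crm_app:user",      TODAY - timedelta(days=10)),
    Grant("bob",   "hr_db:read",        TODAY - timedelta(days=400)),  # old role
    Grant("carol", "hr_db:admin",       TODAY - timedelta(days=200)),
    Grant("dave",  "crm_db:admin",      TODAY - timedelta(days=20)),
    Grant("erin",  "ad:password_reset", TODAY - timedelta(days=120)),
]

def report(findings):
    """Render findings as one line per grant for the reviewing manager."""
    return "\n".join(f"{kind:9s} {' '.join(item)}"
                     for kind, items in findings.items() for item in items)

if __name__ == "__main__":
    print(report(review_access(EMPLOYEES, GRANTS, TODAY)))
```

The "excess" bucket is what catches movers: because the allowed set is looked up from the employee's current role, a grant inherited from a previous role shows up automatically, without IT having to remember what the old role was. Orphaned grants are the leaver case, and the unvetted bucket encodes the background-check gap the survey describes for high-privilege users.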