2-sec in The Telegraph – our cyber security director talking data access and data breaches
Do staff have too much data access and what should a company do if a breach has been detected?
How securely are today’s businesses treating all their data – both internally and externally?
Luke Vile, Cybersecurity Operations Director at 2-sec, a London-based cybersecurity consultancy warns that “in pretty much every business, about 70pc of employees have access to data and other things they shouldn’t.” And you don’t have to be Elon Musk to work out that percentage highlights an alarmingly high level of vulnerability against data breaches.
With cybercrime on the rise and organisations of all sizes being targeted, whose responsibility is it to fortify defences and keep a closer eye on which employees are privy to the most essential digital assets?
“Access to data needs to be constantly monitored. If ignored the results could be disastrous.”
“For large businesses this issue should sit with the human resources team,” says Mr Vile. “They need to have a good idea of everyone’s exact role. For a smaller company, of say 50 employees, then it is usually the chief executive who must work with their IT company to determine who has access to what. This is not a once-a-year exercise, though; it needs to be constantly monitored. If ignored, the results could be disastrous.”
Mr Vile points to the case of Kweku Adoboli, the “UBS rogue trader” who in 2011 engaged in unauthorised trading that cost the bank £1.3bn. “The reason he was able to carry out those activities was because he had moved from one part of the bank which authorises transactions to another part that requests them,” he says. “He had retained both sets of permissions.
“That’s a one-off, large-scale example, but it illustrates the point that, on a day-to-day basis, as your company grows, you need to know who has access to which parts of your database and work out whether it is appropriate.”
Facing the future
With the General Data Protection Regulation (GDPR) coming into force next May, it is essential to prioritise plugging any gaps, as any breach will be heavily penalised. All businesses should be thoroughly auditing and testing their systems now – because any mishaps, especially for small businesses, could be costly.
What should one do if a breach has been detected? “First, treat it as a crime scene,” advises Mr Vile. “It is vital to recognise that the situation is going to escalate very quickly if you don’t investigate it immediately. You need to make decisions about whether to ring the police or insurers, and work out a media message, so your employees and customers are notified.
“Speed of action is so important, and it will be more so next year. Under GDPR, you will have only 72 hours before you must tell the Information Commissioner’s Office (ICO). The ICO is going to come down like a ton of bricks on those organisations that have not taken the basic steps I mentioned, and insurers are unlikely to pay out if that is the case.”
In a closing plea to board executives, Mr Vile adds: “These days a data breach is not simply about poor IT management. Ultimately, it is something a board member has accountability for, so a head-in-the-sand approach will have dire consequences.”
The full article can be read at http://www.telegraph.co.uk/business/open-economy/employee-access-to-data/