Faced with a growing array of malicious external attacks, businesses often overlook internal security threats — which can be even more dangerous. Business owners and managers don’t like to think that their employees might go rogue, but employees armed with access to mission-critical systems and data can do a lot of damage. In fact, trusted insiders generally steal larger quantities and more valuable forms of information, according to the 2011 Verizon Data Breach Report.
System administrators with complete access to servers and data probably pose the greatest internal threat if they turn against the company. However, everyone from admins up to executives can threaten security and data if they maintain excessive access rights after changing positions or taking on different roles.
Shared access is another problem. System administrators often resort to using generic passwords for servers, and share a single password among all IT staff administering those systems. This increases the risk of an external attack and enables too many users to gain access to privileged resources. All too often, server passwords aren’t changed when an employee leaves the company, leaving critical resources exposed.
These threats can be diminished through five non-technical steps:
- Adopt a “least privilege” security posture that gives each employee the least privilege necessary to accomplish required tasks. Assign access rights to users based upon well-defined roles, and revoke inappropriate rights whenever an employee changes roles.
- Limit access to administrator and/or root accounts. Make sure that the passwords to these accounts are not shared and are changed frequently. Implement controls to limit and track their use.
- Embrace an access review policy. Dynamically link access privileges to human resources and staffing databases to prevent access creep. Regular, automated access alerts should notify two or more administrators of access changes, employee changes or other critical issues. Notifying more than one administrator helps overcome negligence.
- Lock the front door by fostering education, encouraging diligence and developing processes such as regularly changed passwords. Employee education can cover the logistics and basics of security, and also address topics such as the psychology and known techniques of social engineering hacks.
- Achieve compliance by implementing access control and separation of duties practices and technologies. Develop, implement and enforce secure policies related to all system access. Provide a complete audit trail of policy and activities and eliminate non-compliant login practices.
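One way to automate the access review described in the steps above, as an added example that is not part of the original article: it reconciles an export of granted access against the HR roster, flags departed employees, unowned shared accounts and rights left over from a previous role, and addresses every alert to two administrators. The roster, role map, account names and reviewer addresses are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "sysadmin": {"ssh:prod", "sudo:prod", "vpn"},
    "developer": {"git:write", "ssh:staging", "vpn"},
    "finance": {"erp:ledger", "vpn"},
}
# Constructed HR roster: employee id -> (employment status, current role).
HR_ROSTER = {
    "e100": ("active", "sysadmin"),
    "e101": ("active", "finance"),       # changed roles: developer -> finance
    "e102": ("terminated", "sysadmin"),  # left the company
}
# Constructed access-system export: account -> (owning employee id, entitlements).
GRANTS = {
    "alice": ("e100", {"ssh:prod", "sudo:prod", "vpn"}),
    "bob": ("e101", {"erp:ledger", "vpn", "git:write", "ssh:staging"}),
    "carol": ("e102", {"ssh:prod", "vpn"}),
    "root-shared": (None, {"sudo:prod"}),  # generic account with no single owner
}
REVIEWERS = ["secadmin1@example.com", "secadmin2@example.com"]

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: tuple

def review(roster, grants, role_entitlements):
    """Compare every granted account with HR data and return the mismatches."""
    findings = []
    for account, (owner, held) in sorted(grants.items()):
        if owner is None or owner not in roster:
            findings.append(Finding(account, "unowned-or-shared", tuple(sorted(held))))
        elif roster[owner][0] != "active":
            findings.append(Finding(account, "departed-employee", tuple(sorted(held))))
        else:
            # Access creep: rights held beyond what the current role allows.
            excess = held - role_entitlements.get(roster[owner][1], set())
            if excess:
                findings.append(Finding(account, "excess-for-role", tuple(sorted(excess))))
    return findings

def build_alerts(findings, reviewers):
    """Address each finding to at least two distinct administrators."""
    recipients = sorted(set(reviewers))
    if len(recipients) < 2:
        raise ValueError("access alerts must go to two or more administrators")
    return [{"to": recipients, "subject": f"[access-review] {f.kind}: {f.account}",
             "body": ", ".join(f.detail)} for f in findings]
```

Run on a schedule against fresh exports, `build_alerts(review(HR_ROSTER, GRANTS, ROLE_ENTITLEMENTS), REVIEWERS)` yields one message per account that needs revocation or an owner.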
Negligence typically is an offense committed by management when “they should have known better.” Most successful data security breaches have some element of managerial negligence associated with them. By taking these steps, business owners and managers can lessen the risk of an internal security breach.