Asian firms more aware of IT snoops
Unauthorized snooping in the office may not necessarily be on the rise in Asia, but companies are becoming more attuned to the problem and looking to address associated risks, according to a security practitioner.
P.F. Vilquin, security director for Asia-Pacific and Japan at CA Technologies, told ZDNet Asia in an e-mail interview that employee abuse of system administrative privileges to access data in the corporate network has "always" been an issue. The consequences, he added, are typically more severe when the abuse is carried out by IT staff.
"The IT department member may have [greater access] to data across multiple systems due to the IT privileges associated with his role and responsibilities than non-IT staff," Vilquin explained. "Therefore, the damages inflicted by an IT department member can be much more significant."
Such behavior, he noted, does not appear to be getting more common but companies are now more sensitive to the problem and do understand the different levels of access to data and risks associated with "super users".
His assessment echoes the findings of a recent survey of 400 senior IT professionals in the United Kingdom and United States released earlier this month by Cyber-Ark Software. The study revealed 41 percent of respondents admitted they or their colleagues abused administrative passwords to snoop on information such as customer data and human resource records.
In addition, over two-third of respondents said they had previously accessed data that was not relevant to their role. Some 54 percent also pointed to the IT department as the most likely culprit of snooping activities.
Tech, employee education key to mitigating risk
According to security advisors, companies can take steps to minimize the risk of unauthorized access to confidential information.
Vilquin pointed out that in order to devise a security strategy to address the issue, organizations must first know where their sensitive data sits, who has access to it and the means of access. They can then source suitable technology to help enforce processes and protect corporate data from careless or malicious staff or external parties.
For instance, "root" or "administrator" for operating systems typically provides access to virtually everything in a system. Companies may consider additional tools to ensure segregation of duties "even at the privileged user level", he said.
Shared accounts, he added, must be eradicated or highly controlled using password management software to ensure only one user utilizes the account at any time as this enforces accountability.
Tools to prevent data loss or misuse also need to be in place to control the access, usage and flow of information.
Vilquin explained: "Relationships between people and information change with their roles. For instance, it may be legitimate for the CFO to access financial reports and e-mail them, but while the system administrator could access them because of his role, he probably [should not be] authorized to e-mail them or make copies of them."
At the end of the day, he noted, an organization's goal should be to "make it harder" for people with ill-intent to achieve their objectives and control employee actions to prevent mistakes. Any systems implemented ought to help automate the enforcement of controls in such a way that disruption is minimum to people performing their jobs legitimately, he added.
Gerry Chng, Ernst & Young's partner for IT risk and assurance, pointed out that organizations face a "daunting task" in data protection given the sheer volume of information as well as the rate at which new data is created.
As such, Chng said they ought to prioritize their efforts and protect crucial data, which they can identify using a business impact analysis.
He added that companies should also review access rights granted to individuals as employees are commonly given more than necessary to get the job done.
"The processes should…be evaluated to assess whether it is necessary for individuals to have access to the detailed records, when an aggregate summary might be all that is required for the job function," he said.
Employee education of preventive measures and breach consequences is another area of focus for organizations, said Chng. "Creating that awareness empowers employees to be responsible for the privileges granted to them.
"The technical and procedural control mechanisms implemented should be communicated in these awareness campaigns, to act as a reminder and deterrence that unauthorized activities are monitored and can result in disciplinary actions," he explained.
At Microsoft, policies and software are implemented to prevent unauthorized access of data by employees.
In an e-mail, Stephen Forshaw, Microsoft's corporate communications director for the Asia-Pacific region, said the company has information security policies governing the "confidentiality and appropriate use of data" about employees, customers and partners.
"Disciplinary action" would be taken against employees who breach the policies, Forshaw noted, adding that the inappropriate use of data is a criminal offense in some countries.
Employees who handle sensitive information undergo online training on a regular basis to keep them abreast of "legal, and our own compliance, rules and obligations", he added.
In addition, Microsoft uses its own products such as Sharepoint 2010 and Forefront Identity Manager to ensure information is restricted to employees with a legitimate need to access the data. "These products ensure data stored centrally, on servers or in the cloud, can only be accessed by staff whose identity is confirmed using the required authentication.
"So confidential or private data is generally not available to people who don't have a strict business need to have access to it," said Forshaw.