Companies still lack data access management

Organizations are now more savvy regarding the safeguarding of corporate data, but they are not tailoring access policies to limit employees' access according to their job scopes and position.
Written by Ellyne Phneah, Contributor

Companies have yet to revisit their data access management policies and align them with the organizational structure, leaving them vulnerable to having sensitive corporate data leaked or stolen by employees.

Speaking to ZDNet Asia in an interview Friday, Stree Naidu, vice president of Imperva Asia-Pacific and Japan, said many organizations do not understand how to create rules and processes around who should access which data sets.

While they now know how to segment and safeguard important and sensitive data such as customer lists and product development from less critical information, not much is being done to develop processes around employee access and the extraction and replication of data, Naidu elaborated.

The challenge is amplified in large organizations, since many employees move from department to department during promotions or changes in job scope. However, with each move, the IT departments do not limit the workers' access to certain data.

For instance, someone in the human resources department might have access to all the employees' information, but when moved to the accounting or sales department, his access may not have been curtailed, the executive said.

"Possibilities are unlimited"
Such security lapses happen only because companies assume their staff will not exploit the loopholes for their personal benefit, Naidu pointed out. They do not realize that "possibilities are unlimited" when an employee has access to sensitive data, he said.

There would be employees, for instance, who download data from one company before quitting and joining a rival organization, offering corporate secrets from the former to advance in their careers, he noted. There would also be others who pilfer company data for financial gains, he added.

Naidu's views echoed those of Guido Crucq, security solutions general manager at Dimension Data's solutions development group, who told ZDNet Asia that insider threats posed by employees have evolved.

Rogue employees may work with external cybercriminals to siphon corporate data, and the motivations for the theft now range from financial gains to ownership of intellectual property, Crucq said.

Citing a whitepaper issued by Imperva in October, Naidu also pointed to "startling attitudes" held by employees toward company data. Some 62 percent of respondents had taken company data with them after leaving their jobs, while 56 percent admitted to internal hacking and 70 percent accessed information they should not have, he noted.

Not all data leakages are intentional, though. The executive said there are employees who inadvertently post information online that should not be published on public platforms.

Align access to hierarchy
To better address such vulnerabilities, the Imperva executive said companies will need to devise a hierarchy system for employees to determine who can access what data.

"Companies have to classify and rank data according to their importance and map their organizational structure on data access," he explained. A senior director of a company, for example, can have access to all data, but not a junior employee.

As for inter-departmental transfers, the organization must remember to adjust the employee's access privilege in such cases, he added.

At the same time, companies need to educate their employees on the importance of corporate data and how to separate the important ones from the rest, and who to check with before deciding to post something on social media, Naidu said.
