Companies tend to put the majority of their focus on preventing external threats—such as hackers and viruses—despite the fact that internal threats are more common. It’s likely your organization spends considerable resources to protect itself against data breaches—and rightly so. Data breaches can result in compliance violations, large expenses, and damaged reputations.
According to the Ponemon Institute’s 2020 Cost of Insider Threats Report, insider-caused cybersecurity threats are up 47% since 2018 and the average annual cost of internal threats has risen to $11.45 million—up 31% in two years.
Internal breaches sprout from a wide array of motivations: a current employee feels overlooked for an opportunity; a departing employee wants to impress their new employer by copying intellectual property or contact lists; or a contractor is unhappy about being let go.
The added danger of these internal threats is that they can easily go undetected. Insiders already have the access, and who would suspect a current employee? The attack would likely be invisible. Further, many organizations fail to adequately remove access from departing or terminated employees. Incomplete offboarding remains a major risk for many businesses, yet former employees are quickly forgotten. Too often, no one is looking for or monitoring their accounts. Plus, these users tend to know their way around the network.
An internal breach in 2017 saw the City of Calgary pay out fines of 92.9 million Canadian dollars. This scandal started when an email was sent by an employee to a colleague at another municipality. The email shared personal information of more than 3,700 employees. Leaving your network unprotected can leave you vulnerable to a similar threat.
Manual Access Management
When access management is done manually, the granting and revocation of access often has flaws. Manual efforts regularly suffer from a lack of consistent data entry and logging—causing inconsistencies and loss of records—or from lax policies. Employees are frequently given too much access and, with no review system in place, this leads to severe oversights both during and after employment.
Each employee or contractor’s manager is responsible for making the IT team aware of the level of access needed (i.e. read, write, edit, admin), so the IT staff can issue the relevant permissions for each organizational system, app, and file share. However, IT staff do not have the day-to-day business and operational experience to determine which user roles should access what.
Making requests and waiting for them to be fulfilled is often time-consuming. As a result, managers frequently request excess access to avoid having to request additional rights in the future. This can lead to employees acquiring a level of access that they shouldn’t have. This ‘extra access’, also known as permission bloat, poses a large security risk to your organization. Even if the employee has no malicious intent, there is always the chance that their credentials are stolen, and if that happens, a large share of your organization’s resources is put at risk.
In addition, managers are responsible for notifying the IT department when an employee is terminated or departing. This notice should begin the offboarding process so the given user’s access can be revoked. If managers forget or take longer than is ideal, employees may retain access to sensitive information and resources after their term of employment has ended. Even when the offboarding process is executed, IT has to check every location and resource in your environment to which the given user retained access. Any missed spots risk breaches or compliance violations, and manual management efforts simply aren’t thorough enough.
Vast and overlooked access rights lack transparency and leave a great deal of room for human error or exploitation by malicious actors. They are unequivocally a major cause of internal breaches, and an issue your organization needs to address.
So, what’s the solution?
With one of the biggest internal threats to data security right under the noses of organizations, how do you make access easier while retaining security against the threat of data breaches?
The level of security employed would typically depend on the sensitivity of the data being protected and the compliance pressures stemming from your organization’s particular industry. That said, there are a few universal steps that all organizations can take to not only mitigate breaches, but also optimize their processes. With automation, the entire provisioning and access management processes are made more centralized, efficient, cost-effective, and transparent.
How To Protect Your Organization From Internal Threats
1. User provisioning
Let’s look at access in a chronological sense, starting with onboarding. Unlike manual processes, identity and access management (IAM) solutions connect disparate management systems throughout the network to automate processes.
For example, the HRMS tracks users’ personal details—e.g., their names and addresses, employment start and end dates, departments, positions—and then the IAM solution automatically synchronizes users’ account information between the HRMS and the network.
Changes made in the HRMS are detected, then automatically updated or implemented across the network. The management dashboard within an IAM solution allows IT and managerial staff to oversee access beyond the automated processes.
2. Access governance
An automated access governance solution integrates with the IAM tool to determine, on a per-user basis, what access rights a user should have. Authorization matrices in the solution use an employee or contractor’s job role to determine access rights for various company resources. These rights include whether the employee or contractor can perform certain transactions, access a particular system, or access specific physical locations.
To enforce this authorization matrix, access rights are recorded in the solution and then issued, changed, and withdrawn for each user accordingly. This type of role-based access control makes it possible to oversee and track who has access to what, and to monitor changes to those rights. Automated solutions also allow managers to generate overviews of and fully report on each employee or contractor’s activity. The IAM technology logs and tracks the individuals performing activities and when these occurred.
Solutions that automatically revise access rights according to user changes help prevent permission bloat by ensuring every employee is held to the Principle of Least Privilege (PoLP). Adhering to PoLP ensures that your users retain access to exactly the resources they need—no more, no less. This prevents the security and compliance risks that occur over time due to unreviewed access rights.
3. Workflow management and self-service
While automated provisioning helps keep onboarding efforts secure, some users require additional access rights beyond what is configured for their base job role. Whether because of additional assignments, temporary projects, or other responsibilities, not every employee will fit your role model perfectly. To account for unique roles and the many other unplanned-for scenarios that occur within organizations, access must be maintained appropriately throughout the employee/contractor lifecycle.
Workflow management and self-service solutions allow team members and leaders to request, monitor and approve resources without any IT intervention. For example, an employee who needs access to a resource to complete a task will request access to that resource (whether it is an application or a file share). The approval process for granting that access should be part of a structured workflow within the overall IAM solution.
The team leader then authorizes each request and determines how access is granted within the network. The employee receives access to the required resource and moves forward with the tasks at hand. Note that with the right solution, all these processes are executed with zero IT involvement.
A strong self-service solution will allow users to directly request access from their managers or the appointed and knowledgeable decision-maker. As already mentioned, IT staff do not typically have the knowledge of day-to-day business operations and of what access may or may not be problematic. Bypassing IT allows the correct people to approve or deny the request, with the solution executing all changes automatically. Moments after a resource is requested, a manager can approve it; moments after approval, the user has their resource.
Not only do IAM solutions make it easy to grant and revoke user access rights, but they can also grant or revoke physical access to work areas, and allow the user to submit helpdesk tickets.
4. User de-provisioning
The final stage of the employee/contractor lifecycle requires de-provisioning, whether the person is departing to a new organization, their contract simply expired, they were terminated, or for another reason. De-provisioning should be your organization’s number one priority, since orphaned accounts (accounts without an active user) often pose major security risks if not handled properly.
IAM solutions can detect a change in an employee or contractor’s employment status in the HRMS and instantly disable the network account in all centrally located systems and applications. If an employee or contractor terminates their employment early for some reason, make sure your organization’s policies include alerting the IT team or the systems administrator, so someone can revoke all access within the IAM system. The transparency provided by an automated IAM system reduces access pollution, so you can clearly see when all access is removed.
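The HRMS-driven provisioning, authorization-matrix and de-provisioning steps described in sections 1, 2 and 4 reduce to one reconciliation loop: derive each user's target access from the HR record and the role matrix, diff it against the accounts that actually exist, and emit grants, revocations and disables. The Python below is an added illustration, not code from this article or from any Tools4ever product; the roles, resource names, users and dates are constructed sample data.

```python
from datetime import date
# Constructed sample data, not from the article or any vendor product; resource names are hypothetical.
AUTH_MATRIX = {  # authorization matrix: job role -> entitlements granted by that role
    "accountant": {"erp:read", "erp:post-journal", "fileshare:finance"},
    "hr-analyst": {"hrms:read", "fileshare:hr"},
    "contractor-dev": {"git:read", "jira:read"},
}
BASELINE = {"email", "intranet"}  # every active worker gets these
TODAY = date(2021, 6, 15)         # the "current" date used by the example run
HRMS = [  # HR system of record: who works here, in what role, and until when
    {"uid": "alice", "role": "accountant", "start": date(2019, 3, 1), "end": None},
    {"uid": "bob", "role": "hr-analyst", "start": date(2020, 1, 15), "end": date(2021, 2, 28)},
    {"uid": "carol", "role": "contractor-dev", "start": date(2021, 4, 1), "end": None},
    {"uid": "erin", "role": "accountant", "start": date(2021, 6, 1), "end": None},
]
ACCOUNTS = {  # account state as observed in the directory and applications
    "alice": {"enabled": True, "entitlements": BASELINE | AUTH_MATRIX["accountant"] | {"fileshare:hr"}},
    "bob": {"enabled": True, "entitlements": BASELINE | AUTH_MATRIX["hr-analyst"]},
    "carol": {"enabled": True, "entitlements": {"email", "intranet", "git:read"}},
    "dave": {"enabled": True, "entitlements": {"email", "vpn"}},  # no HRMS record: orphaned
}

def desired_state(hrms, today):
    """Derive each user's target access from HRMS status plus the authorization matrix."""
    desired = {}
    for rec in hrms:
        active = rec["start"] <= today and (rec["end"] is None or today <= rec["end"])
        ents = (BASELINE | AUTH_MATRIX.get(rec["role"], set())) if active else set()
        desired[rec["uid"]] = {"enabled": active, "entitlements": ents}
    return desired

def reconcile(hrms, accounts, today):
    """Diff desired vs. actual state and list the actions an IAM engine would execute."""
    desired = desired_state(hrms, today)
    nothing = {"enabled": False, "entitlements": set()}
    actions = []
    for uid in sorted(set(accounts) | set(desired)):
        acct, want = accounts.get(uid, nothing), desired.get(uid, nothing)
        if uid not in desired and acct["enabled"]:
            actions.append(("disable", uid, "orphaned: no HRMS record"))
        elif not want["enabled"] and acct["enabled"]:
            actions.append(("disable", uid, "departed per HRMS end date"))
        elif want["enabled"] and uid not in accounts:
            actions.append(("create", uid, "joiner per HRMS start date"))
        for e in sorted(acct["entitlements"] - want["entitlements"]):
            actions.append(("revoke", uid, e))  # permission bloat, or a departed/orphaned user
        for e in sorted(want["entitlements"] - acct["entitlements"]):
            actions.append(("grant", uid, e))   # role-based access not yet issued
    return actions
```

Running `reconcile(HRMS, ACCOUNTS, TODAY)` strips alice's out-of-role HR share, disables and empties bob (end date passed) and dave (no HR record), tops up carol, and creates erin with exactly her role's entitlements.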
Bottom Line – Internalize Security
In today’s competitive business landscape, a breach scandal can sink an organization. It’s important to protect against both external threats and the more-common internal threats.
An IAM system replaces spreadsheets and other manual entry templates. It ensures that all users maintain the correct authorizations appropriate to their individual roles, as well as relieves the IT team from mundane and repetitive provisioning tasks. With all that time reclaimed, IT can focus on other, more impactful projects instead of menial data entry.
IAM solutions streamline access management, increase efficiency, and provide a transparent access trail for easy auditing, which eases compliance and auditing concerns on polluted file systems. The sophisticated access controls and automated processes help minimize the typical weak points exploited by internal security threats.
About the author: Tom Mowatt is Managing Director with Tools4ever U.S. A multi-national company with U.S. offices in New York and Washington state, Tools4ever is one of the largest vendors in identity governance and administration (also known as identity and access management), with more than 10 million managed user accounts worldwide.