So often we hear about the things employees do to put enterprise security at risk. In a survey of IT managers, Courion Corporation asked what some of those risks were. The answers weren't too surprising: the top risks included the potential loss of sensitive data, corporate reputation, intellectual property and revenue.
But the Courion survey showed something a little different from the typical risk-related survey. It showed a real disconnect between risk concerns and the actual solutions. According to the survey, very few IT managers (12 percent) bother to do regular reviews to make sure user access isn't a risk factor. As Courion pointed out in a release:
They're not focused on identifying new or growing areas of access risk from internal users abusing privileges. With internal and external threats to data multiplying quickly, such infrequent reviews aren't keeping pace with the growth of user access risk levels.
Here's a statistic from the survey that jumped out at me: Fewer than 10 percent feared losing their jobs because of a serious data breach caused by inappropriate user access.
Not that I advocate anyone losing his or her job, but my takeaway from this survey is no one seems to want to step up and take responsibility for making sure data is secure, and, in this case, making sure that the proper steps for granting user access are followed.
Security risks from improper user access are a serious problem. A Government Accountability Office report from late last year showed that federal security breaches rose 650 percent over a five-year period. There were a number of reasons, and one of those pointed out was inappropriate user access. For example, an article at NextGen pointed out:
The assessment cited a recent audit that found IRS has neglected to block employees from using databases they aren't required to access for their jobs.
"As a result, financial and taxpayer information remain unnecessarily vulnerable to insider threats and at increased risk of unauthorized disclosure, modification, or destruction," the report said.
The Courion report rightly shows that there is a problem and that there are IT managers who not only see the problem, but want to fix it. The next step is making that happen.