Data breaches are reported all the time in the news – and often when a breach occurs, fingers are pointed at everyone from hackers, to CSOs, IT and even end users. So in looking at a typical breach, Jackson Shaw, senior director of product management at Quest Software, wanted to break down why the fingers get pointed at these particular people (aside from the hacker, as that’s generally an obvious target) and why they should each care about data governance. For simplicity, he’s going to break this down into three groups: The end user, the IT department, and the line of business manager, and he’ll use the case of financial data.
Looking at the end user, the reason they are sometimes called out as a contributing factor in, or the cause of, a breach is not necessarily anything they have done maliciously (although that does happen). More often it is the result of lax security around what they have access to; think of them as the entry point to everything their credentials unlock.
A typical end user likely has around six different user IDs for the six different applications they need for their job, which means they probably have them all written down and taped to the side of the monitor along with the passwords (which hopefully aren’t all the same). One of those may be the financial application which, for the sake of our example, they don’t even use anymore because their responsibilities changed. In a case like that, anyone who can see those credentials can potentially use them to gain access, and nobody will notice, because the legitimate owner of the account isn’t using it either.
What can end users do to help with data access governance? There are tools, such as single sign-on, that can be implemented at the company level, but end users can do a couple of things on their own.
First, be aware of where you store your passwords. Ideally, you would just memorize them, but not everyone has a photographic memory, so be smart about it: don’t leave them where anyone walking past can read them. Second, if you have access to an application that you no longer need and never use, ask IT to remove your access, so you lower the company’s risk. And hey, one less password to remember, right?
Looking at the line of business manager, fingers are sometimes pointed in their direction because they are ultimately responsible, from a compliance standpoint, for the data in their area. Think of the CFO, for example: they are responsible for the financial data, for its accuracy, and for reporting it to the board of directors and likely the SEC if the company is publicly traded. Ultimately, they should be the ones consulted on who in the company can access the data in question. Do they know that a bunch of end users have access to the data they are responsible for? Do all of those people use that data, or even need that access?
So what can line of business managers do to help control data access governance? Start asking questions! Ask for a list of everyone who currently has access to the data you are responsible for, and ask to be notified for approval before anyone else is given access. Chances are that this will be a difficult task for the IT department unless they have tools in place to provide that data, but the alternative can be a breach, so it’s worth asking for.
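The review the data owner is asking for, and the stale access described in the end-user example, can both be produced from three inputs the company already has: the application's entitlement list, its authentication log, and the HR role feed. The following is an added example, not code from the article or from Quest Software; the datasets are constructed, and the field names, the 90-day staleness window and the "cfo" data-owner identifier are assumptions for illustration.

```python
"""Stale-entitlement review for one application (added example, constructed data).

Joins the entitlement list with last-login data and current HR roles, then
flags each account as keep / revoke / re-approve and builds the list a data
owner would ask for.
"""
from datetime import date, timedelta

# Constructed sample data (assumed, not real records).
# Who has access to the finance app, the role they held when access was
# granted, and who approved it. None means the grant bypassed the data owner
# (for example, an urgent phone call to a buddy in IT).
ENTITLEMENTS = [
    {"user": "alice", "role_at_grant": "accountant", "approved_by": "cfo"},
    {"user": "bob",   "role_at_grant": "analyst",    "approved_by": "cfo"},
    {"user": "carol", "role_at_grant": "accountant", "approved_by": None},
    {"user": "dave",  "role_at_grant": "analyst",    "approved_by": "cfo"},
]
# Last successful login per user, taken from the application's auth log.
# dave has an entitlement but has never logged in.
LAST_LOGIN = {
    "alice": date(2024, 5, 20),
    "bob":   date(2023, 11, 2),
    "carol": date(2024, 5, 1),
}
# Current job role per user, taken from the HR feed. bob moved to marketing.
HR_ROLES = {"alice": "accountant", "bob": "marketing",
            "carol": "accountant", "dave": "analyst"}
# Date the review is run (fixed so the example is reproducible).
AS_OF = date(2024, 6, 1)


def review_access(entitlements, last_login, hr_roles, as_of,
                  stale_days=90, data_owner="cfo"):
    """Return {user: {"findings": [...], "action": "keep"|"revoke"|"re-approve"}}."""
    cutoff = as_of - timedelta(days=stale_days)
    report = {}
    for ent in entitlements:
        user = ent["user"]
        findings = []
        # Governance check: was the data owner ever consulted?
        if ent["approved_by"] != data_owner:
            findings.append("no data-owner approval on record")
        # Need check: does the user's current job still match the grant?
        if user not in hr_roles:
            findings.append("no longer in HR feed")
        elif hr_roles[user] != ent["role_at_grant"]:
            findings.append(f"role changed: {ent['role_at_grant']} -> {hr_roles[user]}")
        # Use check: is the access actually exercised?
        last = last_login.get(user)
        if last is None:
            findings.append("never logged in")
        elif last < cutoff:
            findings.append(f"no login since {last.isoformat()} ({(as_of - last).days} days)")
        # Unused access or a job that no longer needs it gets revoked outright;
        # access that is used and needed but was never approved goes back to
        # the data owner for a decision.
        if any(f.startswith(("never", "no login", "role changed", "no longer"))
               for f in findings):
            action = "revoke"
        elif findings:
            action = "re-approve"
        else:
            action = "keep"
        report[user] = {"findings": findings, "action": action}
    return report


def owner_report(report):
    """One line per user, in the form the data owner asked for."""
    lines = []
    for user, entry in sorted(report.items()):
        line = f"{user}: {entry['action']}"
        if entry["findings"]:
            line += " (" + "; ".join(entry["findings"]) + ")"
        lines.append(line)
    return lines


def run_example():
    """Run the review over the constructed data as of AS_OF."""
    return review_access(ENTITLEMENTS, LAST_LOGIN, HR_ROLES, AS_OF)


if __name__ == "__main__":
    for line in owner_report(run_example()):
        print(line)
```

The three checks are deliberately separate: the "re-approve" outcome exists because an account that is in active, legitimate use should not be cut off just because its paperwork is missing, while an unused or no-longer-needed grant is revoked regardless of who approved it.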
Finally, the IT department gets blamed for many things that really aren’t its fault; often it is simply doing the best it can with the tools in place. If there is no access request system for people to use, then most of the time it is up to IT to decide whether to grant access to an end user. In keeping with our example, a few months back that end user called a buddy in IT with an urgent request for access to an application, “because they need to complete a report ASAP for the CEO and they can’t access the data they need.” The IT person now has a choice: grant the access and get the person off their back, or possibly be the reason given to the CEO for why the report wasn’t completed. Without a request and approval process, the access gets granted, nobody who owns the data is asked, and nothing ever takes it away again.
The IT department usually has a number of ideas about what it can do to help with data access governance. The issue is usually that those ideas require budget for third-party tools, such as something to address the password problem end users face, mentioned earlier. If IT meets with the line of business managers to start answering the questions they are asking, perhaps together they can build a case that shows why it’s important to address these issues now and avoid the alternative, which will ultimately be far more costly (think breach, media coverage, stock price and so on).