Yonatan Striem-Amit, cofounder and CTO at Cybereason, said the FDIC was fortunate that the incident involving the ex-employee who took 44,000 customer records, “was not intentional and was without malice.”
But he noted that since she had sufficient permissions to access the data, “anyone else could have as well if they simply impersonated her.”
And catching an intruder impersonating an actual employee is clearly an IT responsibility. “It is essential for companies to have control both at the data level and endpoint level and with it an improvement of policies overall,” Striem-Amit said.
There is also general agreement that better data governance – knowing what and where it is and properly classifying it – will help organizations keep track of it and protect it. And that is an IT function.
As Simberkoff put it, “do you need to put the same security protocols around protecting pictures from your company picnic as your customer’s critical infrastructure design or build information, credit card information, or your employees’ benefits information?”
But she also said she believes, “HR should play a critical role in ensuring that employees are not intentionally or inadvertently provided with too much access to data that they should not have.
“As a general rule, employees should be given the least amount of access/privilege possible to allow them to do their job,” she said. “Unfortunately, overburdened IT administrators tend to work in the opposite way, giving users excessive access so that they (IT) do not sink under the burden of excessive and sometimes impossible workloads.”
The bottom line, Conrad said, is that each department can help the other – while IAM is nominally a function of IT, HR is more likely to know when an employee’s privileges or access should change. They need to be closely linked, he said, “to ensure privileges and access levels are in sync with the employee’s position and duties. Many times, once privileges are granted, they never go away. This definitely increases a company’s risk profile.”
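One way IT could act on Conrad’s point about keeping access in sync with HR records, as an added example that is not from the article or from any vendor quoted in it: a reconciliation check that compares HR’s view of each employee with what IAM actually grants, flagging leftover privileges from a previous role, accounts that outlived a termination, and grants with no HR owner. The roster, role baseline, user names and entitlement names are all constructed sample data.

```python
# Constructed sample HR roster: what HR knows about each person today.
HR_ROSTER = {
    "asmith": {"role": "claims-analyst", "status": "active"},
    "bjones": {"role": "hr-generalist", "status": "active"},   # moved here from finance
    "cdoe":   {"role": "dba",           "status": "terminated"},
}

# Constructed baseline: the entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "claims-analyst":  {"claims-db-read"},
    "hr-generalist":   {"hris-read", "hris-write"},
    "finance-analyst": {"gl-read", "customer-pii-export"},
    "dba":             {"claims-db-admin"},
}

# Constructed IAM state: what the directory actually grants right now.
IAM_GRANTS = {
    "asmith":  {"claims-db-read", "customer-pii-export"},                 # project access never revoked
    "bjones":  {"hris-read", "hris-write", "gl-read", "customer-pii-export"},  # finance leftovers
    "cdoe":    {"claims-db-admin"},                                       # still provisioned after leaving
    "svc-old": {"claims-db-read"},                                        # no HR record at all
}


def reconcile(roster, baseline, grants):
    """Return (user, finding, entitlements) tuples where IAM disagrees with HR.

    orphan  - grant exists for a user HR has no record of
    leaver  - grant exists for a user HR no longer lists as active
    excess  - active user holds entitlements outside their current role
    missing - active user lacks entitlements their role should carry
    """
    findings = []
    for user, grant_set in grants.items():
        hr = roster.get(user)
        if hr is None:
            findings.append((user, "orphan", sorted(grant_set)))
            continue
        if hr["status"] != "active":
            findings.append((user, "leaver", sorted(grant_set)))
            continue
        expected = baseline.get(hr["role"], set())
        if grant_set - expected:
            findings.append((user, "excess", sorted(grant_set - expected)))
        if expected - grant_set:
            findings.append((user, "missing", sorted(expected - grant_set)))
    return findings
```

Run on a real export, the "excess" and "leaver" rows are the privileges Conrad describes as never going away; feeding HR position changes into this check on a schedule is what keeps the two departments in sync.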
Finally, there is broad agreement that employee training should be both a regular event and a cooperative effort. It can’t be, “a once a year training course, but rather it must be pervasive throughout the culture of your company,” Simberkoff said.
Conrad said good training should involve the marketing team as well as IT and HR, since the goal is to “sell” employees on good security practices.
“IT should partner with marketing to learn how to deliver a message that sticks and gets better results,” he said. “Most awareness training is of such low quality that it’s a wonder it works at all.”
Indeed, the best technology in the world can’t trump a careless or clueless employee. “If people aren’t trained, then bad things can happen,” Winkler said.