Sony Lapse, Other Data Breaches Prompt Companies To Restrict Employee Access

The Sony Pictures data breach, and a spate of high-profile security incidents over the last year, may be prompting organizations to reassess employee access rights and restrict access to systems containing sensitive corporate data to a need-to-know basis, according to a new survey.

Over the past year, 67 percent of IT professionals said their organizations have tightened access to company data because of security requirements or concerns, according to a new Ponemon Institute survey of more than 2,200 employees in U.S. and European organizations, including 1,166 people who work in IT and IT security. Seventy-eight percent of those organizations that tightened access indicated that it has not had an impact on productivity.

Employees often have excessive data-access privileges, and data-sharing policies are loose, because organizations fear tighter restrictions would sacrifice worker productivity, according to the Ponemon study, "Corporate Data: A Protected Asset or a Ticking Time Bomb?" sponsored by New York-based data protection and classification vendor Varonis. "Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls," the report found.

"There is a lack of oversight and control over who has access to potentially confidential and sensitive company data and how they share that information," the study found. "An organization that reduces the amount of data employees have access to ... and streamlines their processes for granting access will likely benefit from more productive employees."

Security experts told CRN that security controls designed to monitor employee access and proactively manage user privileges could significantly increase the cost and effort criminals face in gaining access and stealing sensitive data. At the very least, such controls could force a financially motivated attacker to move on to an easier target, said Andrew Sherman, security practice lead at Eden Technologies, a New York-based security consultancy. Sherman said organizations should assess employee access rights and clean up any issues that are discovered.

"It's not going to be a panacea for everything, but it could set the bar higher for the intruders," Sherman said. "The data is a business asset, so business lines are the ones that know who needs access and have the greatest stake in making the decision right."

Despite an increase in access restrictions, about 80 percent of IT professionals said their companies don’t enforce a strict least-privilege or "need-to-know" data policy. Thirty-four percent said their organizations don't enforce any least-privilege policy. The verdict is still out on how attackers gained access to Sony's corporate network, but among the leaked files was an Excel spreadsheet with employee passwords in plain text. Breaches at Kmart, Dairy Queen and retail giant Target Corp. resulted in an attacker gaining access to account credentials. Once attackers get inside, they establish control and move laterally to the company's payment systems.

Despite some pushback on limiting employee access, solution providers told CRN that more businesses are considering an assessment. Tightening access rights ranks as high as data protection, network segmentation and monitoring among organizations trying to improve their security posture, said Jim Matteo, CEO of San Diego-based secure networking systems integrator and IT consultancy Bird Rock Systems. Technology is available to help proactively manage employee privileges, but Matteo said organizations also need the people and resources to put behind those systems.

"A few years ago, restricting access was seen as disrupting productivity, but today we're at the point where security is such a priority that the additional controls and privacy are going to be supported by the executive team," Matteo said. "Planning appropriately for these kinds of projects is essential."

The Ponemon study found that many firms haven't assessed access rights in months, or even years, with 71 percent of end users reporting they have too much access to confidential company data. Of those respondents, 38 percent said they have seen "a lot of data." Fifty-eight percent said they have seen some, or a little, confidential data.

A similar Ponemon survey of 700 respondents with in-depth knowledge of how their organizations manage privileged users found that nearly half didn't have policies for assigning access to privileged users. The study, issued in May, found that business unit managers are gaining influence in granting user access. Businesses may still be struggling with user access policies, and manual processes still exist, but businesses have been steadily adding automated software to manage privileged user access since 2011.