Hardly a week goes by without a high-profile hacking attack or data breach in the news. These headline-making attacks get the lion’s share of the attention because of their scope and scale: the attackers make off with the sensitive personal and financial information of hundreds of thousands, and often literally millions, of users in a single swipe. What doesn’t make the news, but is every bit as serious a problem, is the smaller-scale attack that comes from the inside: an employee who inappropriately accesses protected customer information in small batches, in an ongoing pattern that can go completely undetected for months, or even years.
The problem here stems mainly from coarse levels of access control (everyone can read everything) and from lax or nonexistent enforcement of whatever data-access policy exists. The good news is that there are a number of concrete things you can do about this problem, starting today.
First and foremost, you’ll need to conduct an end-to-end review of your current data-access policies and procedures. For example, many doctors’ offices allow all staff to access all patient data, even though in practice most of the staff need only a tiny fraction of it to perform their job function. Here, it comes down to putting new enforcement points in front of the data and, instead of treating a patient record as a single all-or-nothing entity, breaking it into discrete fields and assigning access to each field individually, by role. A receptionist can then see a name and an appointment time without ever being able to open a diagnosis.
Hand in hand with that, of course, must go an access log that records every read, permitted or denied, and that is audited on a regular schedule to check for improper access. That audit should look not only for denied attempts but also for permitted reads that are suspicious in volume or pattern, since an insider with legitimate access to any one record can still browse far more records than the job requires. Back this with written policies that outline both the new procedures and the consequences for breaking them. Many companies are also finding success with “whistleblower policies” that protect employees who spot and report suspicious data access.
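To make the two preceding points concrete, here is an added illustration (not code from the original article) of a field-level access gateway plus the audit review that sits behind it. The roles, field names, user names, patient records, log entries and the thresholds in the review are all made up for the example; the review goes slightly beyond the text by flagging high-volume reads by a user who was technically permitted each individual read.

```python
"""Field-level access control with an append-only audit log and a periodic review.

Added illustration for the article above, not code from the original page.
Roles, fields, users, records, thresholds and log entries are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy: a role may read only the listed fields of a patient record.
# The record is split into discrete pieces instead of being one all-or-nothing blob.
ROLE_FIELDS = {
    "front_desk": frozenset({"name", "phone", "next_appointment"}),
    "billing": frozenset({"name", "insurance_id", "balance"}),
    "physician": frozenset({"name", "phone", "diagnosis", "medications", "lab_results"}),
}

# Constructed sample records with placeholder values only.
PATIENTS = {
    f"P-{i:03d}": {
        "name": f"Patient {i}", "phone": f"555-01{i:02d}", "next_appointment": "2024-05-02",
        "insurance_id": f"INS-{i}", "balance": 10.0 * i,
        "diagnosis": "redacted", "medications": "redacted", "lab_results": "redacted",
    }
    for i in range(1, 11)
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient: str
    fields: frozenset
    allowed: bool


class PatientStore:
    """Every read goes through one gateway that enforces the policy and logs the outcome."""

    def __init__(self, records, policy):
        self._records = records
        self._policy = policy
        self.audit_log = []  # append-only here; in production, ship it to a write-once sink

    def read(self, user, role, patient_id, wanted_fields, when=None):
        when = when or datetime.now()
        wanted = frozenset(wanted_fields)
        permitted = self._policy.get(role, frozenset())
        allowed = wanted <= permitted and patient_id in self._records
        # Denied attempts are logged too: they are the first thing an auditor wants to see.
        self.audit_log.append(AccessEvent(when, user, role, patient_id, wanted, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {sorted(wanted - permitted)} of {patient_id}")
        record = self._records[patient_id]
        return {name: record[name] for name in wanted}


def review_audit_log(log, policy, window=timedelta(hours=1), max_patients=5):
    """Periodic review: report denied reads, and users touching too many patients per window."""
    findings = []
    for ev in log:
        if not ev.allowed:
            extra = tuple(sorted(ev.fields - policy.get(ev.role, frozenset())))
            findings.append(("denied", ev.user, ev.patient, extra))
    by_user = defaultdict(list)
    for ev in sorted(log, key=lambda e: e.when):
        if ev.allowed:
            by_user[ev.user].append(ev)
    for user, events in by_user.items():
        for i, start in enumerate(events):  # sliding window over this user's permitted reads
            distinct = {e.patient for e in events[i:] if e.when - start.when <= window}
            if len(distinct) > max_patients:
                findings.append(("volume", user, len(distinct), start.when))
                break  # one finding per user is enough to open a ticket
    return findings


def demo():
    """Simulate one morning of access (constructed) and return what the review flags."""
    store = PatientStore(PATIENTS, ROLE_FIELDS)
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    # Normal front-desk work: permitted fields only.
    store.read("dana", "front_desk", "P-001", ["name", "next_appointment"], t0)
    # Curiosity: the front desk asks for a diagnosis it has no business seeing.
    try:
        store.read("dana", "front_desk", "P-002", ["name", "diagnosis"], t0 + timedelta(minutes=5))
    except PermissionError:
        pass
    # Low and slow: billing reads only permitted fields, but across eight patients in ten minutes.
    for i in range(1, 9):
        store.read("bob", "billing", f"P-{i:03d}", ["name", "balance"], t0 + timedelta(minutes=10 + i))
    return review_audit_log(store.audit_log, ROLE_FIELDS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The gateway is deliberately the only path to the data, so a permitted read and a denied read leave the same kind of trace; the review then treats a denied read as an immediate finding and a burst of permitted reads as a volume finding, which is the shape the slow insider attack described above takes in a real log.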
The bottom line is that these insider threats are real, and potentially just as damaging to the future of your company as the successful breaches that make the headlines. The good news is that you’ve got a much better chance of preventing them, provided you’re willing to invest in the technology and infrastructure to make it happen.