Access Control Is A Critical Step for Proper IT Security
We had previously written about minimizing risk when it comes to IT security and your business. That’s the first step to truly securing your organization. The next step is actually protecting those assets you have identified as a part of your risk mitigation strategy. This “one-two” combination makes a lot of sense because you can’t secure what you don’t know you have. More specifically, you want to place a priority in your business on those things that represent the highest IT security and data risk.
Who Has Access to What
The very first thing you want to protect as an organization is access control. You need controls in place that allow you to protect your network and access to your data. In addressing access control you are going to develop the controls needed in order to protect your network and to protect your organization and customer data.
You are answering the question, “Whose passwords can access what data?” Simple. To think about this in a bit more detail, access control includes passwords, multi-factor authentication, individual access to the network, and what rights an individual user has to access financial or other business critical data.
Training and Awareness
So the first step in proper access control is deciding who has access to what. The second step is training and awareness. Your employees need to understand that security and convenience are at odds with each other. They don’t have access to certain data or network assets because their job does not require it. More importantly, your employees need to know that they are responsible for protecting company data. By training your employees, you are educating them about what they need to look for and how they need to protect company data.
Why is training so important? IT security is all about the weakest link when a human being is involved. If an employee password is 1...2...3...4...5...6 (that’s also the password on my luggage) then the odds of that password being used to compromise your company network are rather high. If an email is sent to an employee and says, “Click here for admin access,” do they have enough training and awareness to know that it is wildly inappropriate to click that link?!!?
If you have properly segmented your data through access control mechanisms then the actions of an individual when a mistake is made becomes far less of a threat to the operations of your business. 52% of breaches are caused by humans, not by hardware or software failures.
Data Security
For proper IT security and risk mitigation, data is at the heart of every conversation. The security around your data can lead to a whole host of questions. Consider these for a moment.
Do you have software to help with data security?
If not, what are you using in order to protect company data?
Do you have data loss prevention set up so that you know when that data is accessed and where it's going?
If an employee decides they're going to copy your entire folder structure onto a separate device, do you have any idea that this has happened?
Did someone copy something? How do you know that they did that?
Monitoring and mitigating risk from these scenarios can be accomplished with data governance tools. Most of the time, data is flowing through your organization as it was intended. There is rarely malicious intent on behalf of an employee (although we can monitor for that). Assuming everything is functioning as normal, the need for data encryption policies becomes critical. Email is an area where we tend to focus with our customers. It is generally unencrypted and almost always contains sensitive data.
Process and Procedures
Everything we talked about in this article comes down to a series of simple measures that you can take to help protect company data and assets. From defining a process around access control, to training your employees, to ensuring you have reduced as much risk as possible, the policies and procedures that drive your organization’s IT security should not be complicated. However, they should exist.
XOGENT is a full service IT security firm that can help your organization reduce risk and develop a clear, consistent set of policies and procedures to help guide your employees through questions associated with customer data they need to do their job and the most appropriate ways to handle that data.