Information Security / Why cyber security is no longer restricted to the IT department
Why cyber security is no longer restricted to the IT department
18 April 2019
Adrian Crawley, Northern European Director, SailPoint, highlights the importance of data governance, showcasing the pitfalls of what can happen when organisations fail to protect sensitive information.
From Google to Quora, Amazon to Toyota, the past year has highlighted that no organisation is too big nor too small to suffer a data breach.
In fact, recent research by DLA Piper found that European businesses, both private and public, have reported 59,000 data breach notifications since the General Data Protection Regulation (GDPR) came into play nearly one year ago.
With these breaches continuing to come thick and fast, it’s only natural for consumers to think about their own personal data, and how it is (or isn’t) protected – after all, around five billion records were exposed last year alone.
But rather than focusing on our personal data, how many of us actually consider the masses of other people’s information that we, as employees, handle every single day? Do we know how much of this information is sensitive data? And perhaps more importantly, do we understand what constitutes as sensitive data?
With two in five employees handling sensitive data on a daily basis, and GDPR resulting in a shared responsibility between employers and employees, the onus is now on every team member – from IT administrators to the C-suite – to protect the data they are entrusted with.
Making sense of sensitive data
Personal data is at the heart of GDPR and understanding whether you are processing personal data is critical to adhering to the regulation. Taking this one step further, perhaps even more crucial is knowing what personal data you are handling – and whether or not this is deemed as ‘sensitive’ information.
While anything from someone’s name to their appearance, would fall under the category of personal data – whereby an individual can be identified directly from the information – it’s data such as payment details which would be deemed as sensitive.
With more than a third of employees having access to financial information, including payment details, it’s imperative that both employers and employees adhere to stringent data handling procedures to avoid any risks posed.
Identity governance 101
It might seem obvious, but it is essential that organisations have an overview of how sensitive data is being stored, managed and accessed. To do this, companies must be able to answer the question of ‘who has access to what?’ across their business applications and data. And equally as important, whether each user should or should not have that access.
Identity governance is critical to addressing these questions, because it helps IT teams manage and govern access for their organisation’s digital identities – or users, which today span across employees, contractors, partners and even software bots.
Keeping up with employees and their access is incredibly complex for IT teams, and becomes even more so when you think about the number of organisational changes that happen on a daily basis as users join or leave the organisation or change job responsibilities and roles.
In many cases, permanent employees may still have their former access privileges long after they have left the company, while internal moves (either through promotion, or horizontally within the organisation) can leave workers with inappropriate or unnecessary access to data and systems.
Unfortunately, failure to manage these changes can leave the door open for hackers. For example, if a user leaves the organisation but their access isn’t properly shut down, this now ‘orphaned’ user account is ripe for the taking by hackers and used to steal sensitive data through seemingly legitimate access, therefore not raising the alarm.
By providing automated access to an ever-growing number of technology assets, while also managing potential security and compliance risks, identity governance enables organisations to secure these digital identities – ensuring users, applications and data remain protected.
As a result, identity governance places control firmly in the hands of the company – ensuring that each employee has the correct level of access as roles develop and evolve across the organisation.
Adopting a proactive mindset
Traditionally, the responsibility of cybersecurity and identity governance has often fallen to the IT team. However, with the introduction of GDPR last year, proactively managing access to sensitive data has risen in priority all the way up to the C-suite and even to the board room.
Organisations today simply cannot afford to leave sensitive data out of the equation when it comes to properly managing and governing all of their users and their access to both business applications and the sensitive data within those applications, up in the cloud, and elsewhere.
With the risk of data leaks and breaches only increasing, and the financial ramifications for each organisation continuing to grow (the average breach costing almost £700,000 per company), it’s imperative that organisations maintain control over the data they are entrusted with – or face both the financial and reputational consequences.