It started on a Monday with a single exclusive story published on the Reuters website, where user information for over 200 million stolen email accounts encompassing mail.ru, Google, Yahoo and Microsoft landed in the hands of hackers. (http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6)
Fast forward to Friday, and the Internet was dominated with news stories on large institutions and how their data and information either fell into the wrong hands or was accessed by the wrong people. Among some of the more prevalent stories:
- A criminal investigation is underway at the FDIC on multiple internal data breaches. Specifically, the regulator reported to congress on Monday that five ‘major’ data breaches occurred, involving former employees downloading information and taking it with them. (http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fdic-data-breach)
- Allen Memorial Hospital, located in Waterloo IA, reported that an employee accessed confidential information for over 1,600 patients over the course of 7 years, including social security records, insurance information and additional information on treatments received.
(http://siliconangle.com/blog/2016/05/12/hospital-suffers-data-breach-as-employee-steals-over-the-course-of-seven-years/) - Fast Food Chain Wendy’s, based in Dublin, OH reported that 5% of their restaurants were affected by a data breach. The details, which emerged earlier this year, centers on malware installed through compromised ‘third-party vendor credentials,’ which gave access to data from one particular point of sale.
(http://www.foxnews.com/tech/2016/05/11/wendys-data-breach-hit-5-percent-our-restaurants.html)
They all started with an internal factor – access control.
The question is, how do you close the gaps?
The answer is to put the right access management program with the right strategic foundation and tactical elements in place.
This includes, but is not limited to:
– Establishing a methodology to reduce open and excessive access
– Identifying appropriate guidelines for access authorization
– Developing automated and ongoing exception based reports
– Implementing data classification
Knowing who has access, who is utilizing access, what they are accessing and being able to audit that information will make your environment much more secure.