IT Security

Tightrope of asset control

by Mark Rowe

Earlier this month, media regulator Ofcom was under fire after a disgruntled ex-employee released about six years of data to a new employer. The data was originally collected by Ofcom from various TV broadcasters and was stolen with the intention of giving the former staffer’s new workplace, UKTV, insight and a competitive edge over its rivals. Thankfully, UKTV contacted Ofcom to advise it of the situation, enabling the media regulator to react quickly to the breach. It sent letters to all licensed broadcasters, alongside a public statement, confirming that ‘the extent of the disclosure was limited and has been contained, and [that they had] taken urgent steps to inform all parties’[1].

Unfortunately, these types of breaches are becoming more and more frequent, writes Stuart Facey, VP EMEA at Privileged Access Management product company Bomgar. He discusses how the control and management of network access can combat data breaches.

Ofcom was extremely lucky that the company being offered this sensitive data was ethical enough to highlight the breach and not use the data for its own competitive advantage. It’s always hoped this would be the case, but not all companies are as honest. A key learning from this situation is the real need for companies of all sizes, and across public and private sectors, to prioritise the management and control of user access and accounts within their organisations. Unauthorised access or extraction of data or Intellectual Property (IP) is a real concern for anyone tasked with protecting and defending a company’s core assets. However, it is not always front of mind when security policies or solution implementations are being decided by the IT decision makers.

According to a 2015 survey[2], one in five employees said that they would sell their passwords to an outsider, and 44% of these individuals would do so for less than £704. More than a quarter of those surveyed admitted to uploading sensitive information to cloud apps with the intent of sharing data outside the company, and 40% reported that they had access to multiple corporate accounts after leaving their last job.

As a result, it’s become critical for companies to ensure that only approved users – from internal employees to external vendors – can access certain areas of their company network, aligned with the correct levels of attributed trust determined by their role and responsibilities. This ensures employees and third parties have easy access to information that is appropriate for their consumption, whilst giving others access – often on a task-by-task basis, or for a designated time period – to more business-critical data, systems or IP.

By integrating privileged access management (PAM) solutions effectively across the organisation, companies can securely manage and control access to the right data, by the right people, at the right time. This puts the control back into the hands of the CISO, IT or network manager without affecting or limiting employees’ productivity or worker experience.

As well as providing much tighter controls, PAM solutions can also allow managers to monitor and act on sessions in real time, and to review tamper-proof audit trails, including annotated video recordings and detailed logs of screen sharing, file transfer and shell activity. This insight can then be used to adjust privileged access settings, extending users’ access to include new areas of the network as a project evolves or as their remit changes. The data can also be used as supporting information in the event of anyone trying to breach the agreed access settings, whether that be an internal threat, an approved third party or an unknown and unauthorised attempt to access the network.

Protecting a company’s most critical assets from cyber threats has never been more important. The ability for organisations to flexibly control and secure access rights, and in turn protect their critical IP and data, should be right up there as a key consideration.

[1] http://www.theguardian.com/media/2016/mar/10/ofcom-tackles-mass-data-breach-of-tv-company-information

[2] http://www.zdnet.com/article/passwords-sharing-repeating-or-selling-them-which-are-you-guilty-of/

© 2024 Professional Security Magazine. All rights reserved.
