By Stephen Bradford, SVP EMEA, SailPoint
Yes, the date has come around again: the 28th January marks Data Privacy Day. The day provides a chance for us all to consider what we can do in our professional roles to ensure we are respecting privacy, safeguarding data and enabling trust.
Here are three top data privacy opportunities for businesses that my SailPoint colleagues and I have seen in the wider industry over the past year.
Number one: Sharing passwords and devices at work and at home
Many of us have numerous logins to access work devices, platforms, shared files, etc., but we have found that as many as 24% of Brits have shared work passwords with a partner or family member. This increases the risk of passwords falling into the wrong hands, opening up the doors to sensitive business information. Once a hacker figures out at least one password, they may have the master key that enables entry into the victim’s personal life as well as their employer’s.
Through 2020, we saw a race for businesses to get their employees online, adopting new tools and new ways of working. But the “break glass” approach often left cybersecurity concerns by the wayside. This has meant IT teams lacking full visibility over who has access to what, compromising their ability to help employees minimise their risk of being hacked through bad habits like password sharing.
Providing employees with simple tools like security training, password reset reminders, and an automated way to reset their credentials without bothering IT can be a highly cost-effective way of eradicating these temptingly easy behaviours.
Number two: Ignoring the widening compliance gap
The Brexit deal is done, but many businesses remain unsure about how the new UK-EU relationship will affect their processes and compliance requirements.
Brexit has also prompted some multinational companies to rethink their global workforce and set up teams which work across geographical and compliance boundaries. With these movements comes an inherent risk to security through access which needs to be added, removed or reconfigured as staff take on new roles from new locations. Without a strong security strategy and the right tools in place to control how access is provisioned within an organisation, a policy of “more is more” can take hold, and the exponential growth of access points quickly overwhelms a security team.
The answer to preventing both of these compliance gaps from widening is increasing visibility of all access in an organisation. This means using automation where possible to take over some of the routine tasks and access monitoring. Those who maximise visibility and put in sensible processes to prevent compliance gaps now will set themselves up well to deal with new rules and compliance processes as they come in.
Number three: Neglecting identity as a key attack vector
For many types of cyberattack, from phishing to deepfakes, identity is the ‘way in’. Over the past few years, many organisations have moved away from the legacy firewall approach and towards a zero-trust approach, which applies to all users both inside and outside an organisation. Zero trust has been successful in making businesses more wary of handing out access to business applications and files. This has reduced the risk of accidentally handing over access to a compromised account or a hacker in disguise.
The next step is to understand how identity can play a part in defending against an insider threat – whether malicious or accidental. Within an organisation there are often outliers, users whose quantity, quality or variety of access is higher than the average employee’s. This can sometimes be the result of a particular role that liaises between many departments, indicating a group of users who are at higher risk of being targeted by cybercriminals and could benefit from a closer level of security monitoring and support. On the other hand, it may also indicate where an employee has gathered more access than is necessary while moving from one role to another. Businesses can prevent these kinds of accounts from growing through a thorough and regular review of access within their organisation.
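As an added illustration of the outlier review described above (example code written for this page, not SailPoint’s own tooling), the script below takes a constructed table of users, departments and entitlements and flags two things: users whose overall quantity of access is well above the average, and individual entitlements that none of a user’s department peers hold, which is the typical signature of access carried over from a previous role. The user names, departments and entitlement names are made up for the example.

```python
from statistics import mean, pstdev

# Constructed sample data (not real accounts): user -> (department, entitlements).
# "frank" moved from finance to hr and kept his finance access.
ACCESS = {
    "alice": ("finance", {"erp-ledger", "erp-reports", "expenses"}),
    "bob":   ("finance", {"erp-ledger", "erp-reports"}),
    "carol": ("finance", {"erp-ledger", "expenses"}),
    "dave":  ("hr", {"hris", "payroll"}),
    "erin":  ("hr", {"hris", "payroll", "recruiting"}),
    "frank": ("hr", {"hris", "payroll", "recruiting",
                     "erp-ledger", "erp-reports", "expenses"}),
}


def quantity_outliers(access, k=1.5):
    """Users whose entitlement count is more than k standard deviations above the mean."""
    counts = {user: len(ents) for user, (_, ents) in access.items()}
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    # If everyone holds the same amount there is no spread and nothing to flag.
    if sigma == 0:
        return []
    return sorted(u for u, c in counts.items() if c > mu + k * sigma)


def peer_outliers(access, min_share=0.5):
    """Per user, entitlements held by fewer than min_share of their department peers.

    These are candidates for review: access nobody else in the role needs is
    often a leftover from a previous role rather than a current requirement.
    """
    by_dept = {}
    for user, (dept, ents) in access.items():
        by_dept.setdefault(dept, {})[user] = ents
    flagged = {}
    for user, (dept, ents) in access.items():
        peers = [e for u, e in by_dept[dept].items() if u != user]
        if not peers:
            continue  # a department of one has no baseline to compare against
        rare = {e for e in ents
                if sum(e in p for p in peers) < min_share * len(peers)}
        if rare:
            flagged[user] = rare
    return flagged


if __name__ == "__main__":
    print("quantity outliers:", quantity_outliers(ACCESS))
    for user, ents in peer_outliers(ACCESS).items():
        print(f"review {user}: {sorted(ents)}")
```

Both checks are deliberately simple statistical baselines; in a real access review the peer group would come from role or job-code data rather than department alone, and the flagged items would go to the line manager or application owner for certification.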