May has arrived - the tulips are in bloom and Verizon’s 2013 Data Breach Investigations Report (DBIR) is out! The DBIR is a staple among security professionals as a recognized report to get a sense of how things are going. So how are things these days? Well, according to the DBIR, 2012 was a year in which “pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune.”
We learned that yet again, 92% of breaches were perpetrated by outsiders, but 14% were committed by insiders, which is a considerable increase from the 2011 number. When people I talk with dismiss the internal threat, I remind them that often the outsider gets in using a legitimate internal user’s credentials, so every bit of excess access that user holds is also available to the attacker. That is why a safe practice (and ultimate goal) of any identity and access management plan should be to give the employees in the organization only the access they need to do their jobs, and nothing more. To achieve this, tasks such as recertification checks as part of your data access governance policy are so important: if you have employees who have access to data that they don’t need, then you need to remove that access and the unnecessary risk it represents.
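To make that recertification check concrete, here is an added example (not code from the original post or from Verizon’s report) in Python. It takes a set of granted entitlements, an HR roster and an access log, and flags the grants a reviewer should question: those held by someone no longer on the roster, those never exercised, and those idle longer than a review window. The user names, data sets, log lines and helper names are all constructed for illustration.

```python
"""
Added example: a minimal access recertification check over constructed data.
Flags granted entitlements that are orphaned (holder not an active employee),
never used, or idle longer than a review window. All names below are made up.
"""
from datetime import datetime, timedelta

# Constructed sample: who currently holds access to which data set.
GRANTS = {
    "alice": {"finance_share", "hr_records"},
    "bob":   {"finance_share", "engineering_repo", "customer_db"},
    "carol": {"customer_db"},
    "dave":  {"engineering_repo"},
}

# Constructed sample: active employees per HR. Dave has left, but his
# entitlement above was never revoked (an orphaned grant).
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}

# Constructed sample access log, one event per line:
# "<ISO timestamp> <user> <resource> <action>"
ACCESS_LOG = """\
2013-04-30T09:12:00 alice finance_share READ
2013-04-29T14:03:11 alice hr_records READ
2013-01-05T10:20:45 bob finance_share READ
2013-04-28T08:55:02 bob engineering_repo WRITE
2013-04-30T16:41:19 carol customer_db READ
"""


def parse_access_log(text):
    """Return {(user, resource): most recent access time} from the log text."""
    last_seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, resource, _action = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, resource)
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def find_entitlements_to_review(grants, active_employees, last_seen,
                                as_of, max_idle_days=90):
    """Return a sorted list of (user, resource, reason) for every grant a
    recertification should question. Grants that are active and recently
    used are not reported."""
    findings = []
    cutoff = as_of - timedelta(days=max_idle_days)
    for user, resources in grants.items():
        for resource in sorted(resources):
            if user not in active_employees:
                findings.append((user, resource,
                                 "orphaned: holder is not an active employee"))
                continue
            seen = last_seen.get((user, resource))
            if seen is None:
                findings.append((user, resource,
                                 "never used since logging began"))
            elif seen < cutoff:
                idle = (as_of - seen).days
                findings.append((user, resource,
                                 f"idle for {idle} days (limit {max_idle_days})"))
    return sorted(findings)


def run_review(as_of_iso="2013-05-01"):
    """Run the check over the constructed sample as of the given date."""
    as_of = datetime.fromisoformat(as_of_iso)
    return find_entitlements_to_review(GRANTS, ACTIVE_EMPLOYEES,
                                       parse_access_log(ACCESS_LOG), as_of)


if __name__ == "__main__":
    for user, resource, reason in run_review():
        print(f"{user:6} {resource:18} {reason}")
```

On the sample data this reports Bob’s unused customer_db grant, Bob’s finance_share grant idle since January, and Dave’s orphaned engineering_repo grant; Alice and Carol hold only access they are actually using. In a real review the roster and log would come from HR and your audit trail, and each finding goes to the data owner to approve or revoke rather than being revoked automatically.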
Think of data like valuables in your house. While you may trust all 20 members of your extended family, you wouldn’t necessarily give each of them a house key. Aside from the obvious psychological boundary issues which would accompany that (“Oh hi Uncle Bob, nice of you to just walk on in…again”), you’d be opening up your house to additional unnecessary risk. It’s not that you don’t trust them, it’s that there’s now a bunch of house keys out there that can unlock your front door, and if one of those ever fell into the wrong hands, that’s where the problem lies. So when you look at data, don’t just worry about the external hackers; evaluate your internal users who may have access they don’t need (and maybe shouldn’t have ever been granted in the first place).
Oh and Uncle Bob, you’re welcome anytime, just call ahead please.