Sensitive data has long been a problem for large enterprises – but what about small to medium-sized organizations? With the increasing connectedness of (cloud) systems, access by multiple external parties, the proliferation of data and new uses for it, executives are having difficulty understanding where their data is, how it is being used, and what the risks to their business are because of it. Which begs the question – how secure is your data? And who determines how it’s handled within your organization?
This uncertainty creates an additional problem for those tasked with protecting your organization, and with staying compliant to ever-changing regulations. With so many stakeholders involved how do you implement systems/processes that keep sensitive data secure, and hold those with access accountable?
In this post, we explore which roles within a small to medium-sized enterprise access, govern, and store data. We discuss why their motivations aren’t always aligned with securing that data (despite best intentions). We offer some questions that IT, Ops, or risk-sensitive leaders can ask to improve their understanding of data within their organization. Finally, we examine the implications for risk-sensitive leaders who want to better protect their organization without inhibiting the pursuit of business objectives. Keep in mind, we are not proposing solutions for the issues of data proliferation and spread – we have partners who can help our clients with that. Our goal is to highlight the reasons these problems create security issues – which ActZero Networks’ MDR service can help alleviate – and to offer questions that help you understand where to start.
Who are they?
If you aren’t sure who accesses, regulates access to, and determines storage/security practices for your data, you aren’t alone – this can be especially ambiguous in the SME, where people tend to ‘wear many hats’. Many roles deal with data, both technical (DBAs, sysadmins, analysts) and otherwise (HR, sales). The issue is that those responsible for regulating access tend to acquire that responsibility because their job demands it, rather than because a senior leader assigned it based on the needs of the business. This means somebody can ‘emerge’ as the de facto ‘governance person’. Here are some potential roles / responsibilities to look at - those who:
- Input/access sensitive data as part of their job: customer service, sales, HR, Finance.
- Access/analyze data, for themselves and for other departments: analysts, such as those working in Sales Ops/Forecasting, Marketing, Supply Chain, or Finance.
- Have access, though not because their job requires the data itself: IT and systems owners - the people who store, protect, and enable access to data.
- Manage the roles mentioned above.
What Motivates Them?
Different responsibilities and goals mean different motivations for how your employees handle your data. This can mean it isn’t always handled securely. Given their roles, these motivations will seem justifiable – in the absence of directives to mandate secure practices. Common motivations include:
- Ease of Access
For analysts (or any role tasked with generating reports), the crowning achievement is enabling a “self-service” model for other users, so that their day isn’t dictated by the whim of incoming report requests. While this improves their efficiency and output, it can increase the risk of data going places it shouldn’t if proper controls aren’t in place.
- Restriction of Access
The opposite is also true of some roles, such as systems owners, who may feel responsible for the appropriate use of data. While you might think restricting access should improve your security, there needs to be a process and a policy that dictates who gets access, who doesn’t, and how to change this should the business need arise. None of that happens securely on its own. Without such governance, users who can’t get the access they need can start going through other channels (less secure, less visible channels) to get what they need, such as emailing peers who have access, or sharing the credentials of accounts with privileged access.
- Resource Allocation / System Stability
Access to data depends on technology to deliver and store it. The person responsible for this (often in IT) may care more about keeping space available on a given server than about whether the data is stored on the most secure server, or may place some data on a non-critical server to avoid the risk of downtime from a ‘bad SQL join’. This can be because they perceive data belonging to certain departments as more or less sensitive than others, or particular analysts as more or less capable. Again, without a policy explaining which data is sensitive and why, and in the absence of an audit process, where data is being stored is not clear to management – which has implications for both security and regulatory compliance.
- Reduced Complexity
All systems require strong authentication in order to facilitate transactions. However, with requirements for increased password complexity, the use of two-factor or multi-factor authentication, and other means of securely connecting to applications, it is highly cumbersome for employees to remember the various passwords, and the shortcuts they take as a result certainly pose a security risk.
Questions You Can Ask
Whom can you ask these questions? You can ask leaders of teams with sensitive data, such as sales, finance, HR, even marketing (whose sensitive data can often live in cloud-based systems that your IT stakeholders won’t have visibility into). Ultimately, the responsibility lies with your CIO, who is likely concerned about this issue but hasn’t necessarily prioritized it. Consider asking them:
- What sensitive data are we storing?
- Where are we storing it? (In our Data Center? On laptops? In the cloud?)
- Which of it is subject to compliance requirements?
- How long do we store it for, and what happens to it afterward?
- How are we securing it?
- Who decided that?
- Who has access to this data?
- How frequently do we validate users’ need for access to data (if at all)?
Following ‘who’ across the organization may take some time if there is no clearly appointed person – often it’s best to start with your CIO and proceed top-down. That said, depending on your structure, and how much importance has been placed on data, it’s worth asking people leaders of certain teams as well.
Hackers are motivated to acquire data, sell the data, or subtly manipulate the data in your SME. You need to motivate those who deal with data to secure that data. People don’t need to be ‘careless’ for data to be insecure – in the absence of clear direction about who is responsible, accountability flounders and the completion of day-to-day tasks dictates the actions taken. By understanding who the stakeholders are, where the data resides, and what the implications are for compliance frameworks, you can make security a priority rather than an afterthought.
If you’re concerned about data access, insider threats, and hackers attempting to exfiltrate your data, request a Demo of our Managed Detection and Response service. By examining user behaviour, and looking at outcomes of actions on your systems, we can detect and respond to unauthorized access to your data. We also provide monthly hygiene evaluations so you can ensure that your critical systems (that house your data) are hardened. Finally, we offer consultative advice on ensuring your organization is compliant with various regulations in terms of how your data is accessed and protected, through our Virtual CISO service.