Perceptions of data and system security

All in all IP Expo, Manchester was a very interesting event.

The main purpose of attending for me was to get more insight around the perceptions of IT professionals around tracking data, managing permissions and monitoring critical systems. More specifically I wanted to know…

1.)   How were they currently handling the tracking of critical data? i.e. at what point would they know if a file or folder was copied, deleted, moved. How would they know, for example, if a ‘leaver’ within the organisation was to copy their customer database before they left the company.

2.)   How were they monitoring current permissions to such data? i.e. how were they ensuring only those that needed access, had access. How were they preventing permission sprawl.

3.)   How were they tracking system changes? i.e. ensuring those in the IT team were making legitimate and appropriate changes to critical systems. i.e. how would they spot privilege abuse, around their Active Directory, Group Policy, SQL, SharePoint and Exchange Servers.

Here’s what we found. Everyone we spoke admitted they had challenges around these things, yet only 30% of them made claims to having acceptable processes or technology to address the problem. So.. the begging question for the 70% is Why hadn't they addressed it?

And here [paraphrased] is what we heard time and time again as the response.

‘We know it’s a problem. – but when we looked around at a few of the vendors [one vendor came up again and again] it was completely unrealistic in terms of cost. Even evaluating such a solution would have been a huge project .. so we parked it and moved on to other things’

Here’s the scary part.

At least half of those we spoke to had experienced REAL, visible issues with ransomware, ex-employees leaving with huge batches of data, ex IT staff going rogue, employees abusing access to confidential data.

Essentially, the conclusion was Cost + Time vs Risk was too great.

So here’s my take on this – I agree with them. They are completely right. How is it realistic that they set aside a months’ worth of time [at least] of a person to evaluate one of these vendors? How is it realistic to justify often a six figure spend on such a problem, especially if it’s not yet manifested itself as an issue ? The answer is it’s not.

And I guess this really boils down to why WE exist… We just don’t believe it needs to be like this. Our task is to ensure organisations know there’s a better way. To ensure organisations know there’s an easier way irrespective of size, sector or budget.

In conclusion

These problems have to be fixed. Unless more organisations adopt better processes and technology then Insider threats, data leakage, privilege abuse, compliance failure will persist and continue to cause damage to finances and reputation.

___

About Aidan Simister

Aidan Simister is the CEO of Lepide. Lepide specialise in helping mid to large enterprises achieve visibility as to how users are interacting with critical data, how and when access is granted and tracking of actions of privileged IT users across the organisations’ most critical IT systems.  www.lepide.com