Nowadays, employees expect immediate access to data and applications, as well as more collaborative business tools that can enable flexible working. These trends will become much more widespread in the next couple of years when the next generation of digitally native, information-hungry workers enters the workforce.
With organisations opening their networks to an increasing number of people and devices, the universe of user identities and access points is increasing exponentially. With data spread across multiple environments and the ‘always on’ work ethic demanding constant multichannel access to information, many businesses are struggling to manage access to data and ensure security.
So how are IT managers coping with these challenges?
Recent research suggests that CIOs and IT managers may be too confident in their capabilities to protect their organisations from a security breach. The data revealed that 63% of IT security managers believe it is ‘easy’ to govern staff access rights, despite one in four of the respondents citing staff failure to follow access policies as the greatest threat to data security.
The data suggests that this confidence masks fears over job losses (42%), severe reprimands (41%) and demotion (34%), in the event of a security breach. This is not surprising given that almost half of the surveyed organisations have suffered a data breach.
What’s even more worrying is that 42% of those surveyed admitted that they are unsure of their ability to monitor and prevent breaches caused by accidental or deliberate staff actions.
As CISOs and IT managers are under immense pressure to prevent security breaches, understanding access risk is becoming increasingly important for protecting an organisation’s digital assets. But with the data generated from user identities growing exponentially, maintaining a clear view of all user relationships within the organisation is becoming a significant challenge.
This huge volume of 'Big Identity Data' typically requires a lengthy review of multiple systems and terabytes of data, which generally doesn’t happen on a regular basis. Moreover, this data is constantly changing as organisations are bringing on new users or terminating others (joiners, movers, leavers), activating new devices, launching new applications, granting access rights, and changing user roles.
Additional challenges for CISOs and IT managers arise from the poor sharing of data between different departments within the organisation. For instance, 43% of the CISOs and IT managers feel they could have better relations with human resources in managing staff access rights and 59% don’t feel confident or are unsure if they get enough help to make dealing with insider threats easier.
CISOs are also faced with the issue of changing employees’ attitudes to IT security. Studies like this confirm that employees’ behaviour in relation to data protection and privacy suggests a lack of awareness of basic data protection policies and a lax attitude towards sharing sensitive information. There’s also evidence of more worrying behaviours such as snooping on sensitive personal information and sharing work login details with colleagues.
In the study, this trend seems particularly strong amongst the younger generation of millennials, aged 18-24, who seem to be twice as likely to have poorer data privacy habits compared to their older counterparts. For example, 30% of the 18 to 24-year-old respondents said they would snoop on sensitive customer data at work, compared to only 12% of the 45 to 54-year-old employees.
And, while too many data breaches hinge on how access details are easily stolen or misused, 39% of UK employees flout best practices on mitigating access risk and regularly share work login details with colleagues.
So, how can CISOs and IT managers minimise access risk, whilst making sure everyone can freely use the data and resources they need to do their job well?
The silver lining seems to be in powerful analytics and turning the Big Identity Data into part of the solution. In recent years, identity and access management (IAM) solutions have made great advances in helping companies to increase the efficiency of user account provisioning and risk analysis.
Data analytics tools that can monitor user access relationships and analyse access risk factors in real time will be essential to helping organisations tackle the security challenges of today’s businesses.
By monitoring how users are accessing, sharing and using sensitive data in real time, IT managers will be able to easily spot abnormal activities and address security concerns before they have turned into a major problem for the organisation.
Moreover, this approach enables better provisioning of access credentials by aggregating billions of data points and looking at patterns revealing unusual activity, uncovering abandoned and orphan accounts, accounts with excess access, and nested entitlements that may point to segregation of duty issues.
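The checks named above (orphan accounts, abandoned accounts, and nested entitlements that create a segregation-of-duty conflict) can be sketched as follows. This is an added example, not code from the article or from any IAM product; the sample data, the 90-day idle threshold and all names are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions for illustration only).
HR_ACTIVE = {"alice", "bob", "carol"}           # current staff per HR
ACCOUNTS = {                                    # account -> (owner, last login)
    "alice": ("alice", date(2024, 5, 28)),
    "bob": ("bob", date(2023, 11, 2)),
    "dave": ("dave", date(2024, 5, 30)),        # leaver whose account is still enabled
    "svc-report": (None, date(2024, 5, 29)),    # no owner recorded
}
GROUP_MEMBERS = {                               # group -> direct members (users or groups)
    "finance-all": {"ap-clerks", "carol"},
    "ap-clerks": {"alice"},
    "payment-approvers": {"finance-all", "bob"},
    "vendor-admins": {"ap-clerks"},
}
ENTITLEMENTS = {"payment-approvers": "approve_payment",
                "vendor-admins": "create_vendor"}
SOD_CONFLICTS = [("create_vendor", "approve_payment")]  # pairs one person must not hold

def expand(group, seen=None):
    """Resolve nested membership down to users; 'seen' guards against cycles."""
    seen = seen if seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in GROUP_MEMBERS.get(group, ()):
        users |= expand(member, seen) if member in GROUP_MEMBERS else {member}
    return users

def orphan_accounts():
    """Accounts whose owner is missing or no longer on the HR roster."""
    return sorted(a for a, (owner, _) in ACCOUNTS.items() if owner not in HR_ACTIVE)

def abandoned_accounts(today, max_idle_days=90):
    """Accounts with no login for longer than the idle threshold."""
    return sorted(a for a, (_, last) in ACCOUNTS.items()
                  if (today - last).days > max_idle_days)

def sod_violations():
    """Users whose effective (nested) entitlements include a conflicting pair."""
    effective = {}
    for group, entitlement in ENTITLEMENTS.items():
        for user in expand(group):
            effective.setdefault(user, set()).add(entitlement)
    return sorted((u, a, b) for u, ents in effective.items()
                  for a, b in SOD_CONFLICTS if a in ents and b in ents)
```

In the sample data, the conflict for `alice` is invisible in her direct memberships: she sits only in `ap-clerks`, and both conflicting entitlements reach her through nesting.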
Access intelligence, coupled with automating internal security rules and requirements, will help ensure data privacy and security policies are enforced across the organisation.
Another great advantage of using real-time access risk data analytics is that it enables organisations to get a clear view into access risk and identify where the greatest security vulnerabilities lie. Using intelligent IAM tools to display visually intuitive heat maps of potential threats is an effective way to identify the causes of security issues, so businesses can then drill into the data in more detail to understand how to resolve them.
As today’s organisations need to adapt to a fast-paced, dispersed and constantly changing business environment, CISOs and IT managers need to ask themselves how they must adapt to the vast amounts of information available to them, and what steps can be taken to manage and mine the expanding universe of users, access and identities. Real-time access risk intelligence is an effective approach to tackling these challenges and ensuring that security risk is kept to a minimum.
Sourced from Chris Sullivan, Courion