Today’s post is about “Data Protection.” All too often, we see the “everyone gets access to everything” approach in organizations. This approach seems to be commonplace in boutique and small organizations. While done with good intentions, this approach can have devastating consequences in the event of a cyber incident or an insider threat scenario. Would you give every employee access to your banking or HR records? How about full access by every employee to your email? Why would the marketing team need access to technical and possibly highly sensitive engineering data?
Good data asset protection considers a “least privilege” approach. Such an approach uses technical controls to maintain, monitor, categorize, classify, and securely handle data.
Here are some considerations:
Ask your IT team or vendor how data access can be controlled, managed, and audited.
Cloud-based file collaboration services (e.g., SharePoint, Dropbox, Box, Google Drive) can manage access at the folder and file level. Ask your IT team/vendor to assist you.
Enable audit logging of both successful and failed data access events, and retain those logs for 90 days or more.
Review access permissions periodically and remove access that is no longer needed.
Benefit: If done correctly, your organization can measure and audit whether data was exposed to or accessed by unauthorized third parties, which is often a crucial question to answer when a cyber incident is detected.
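To make the last three points concrete, here is an added example (not from the original post) of the kind of review the audit logs enable: it checks constructed access-log lines against a constructed least-privilege ACL, flags successful access by groups that should not have it (such as marketing reaching engineering data, or an external party reaching HR records), counts failed attempts per user, and counts events that would already be gone if logs were kept for less than 90 days. The log format, share paths, groups and ACL are all assumptions.

```python
# Added example (not from the original post): review constructed access-log
# lines against a least-privilege ACL. Assumes log lines of the form
# "timestamp,user,group,resource,result"; ACL and share paths are constructed.
from collections import Counter
from datetime import datetime, timedelta

# Constructed ACL: data category -> groups that legitimately need it.
ACL = {"hr": {"hr"}, "engineering": {"engineering"},
       "marketing": {"marketing", "engineering"}}
# Constructed mapping of share paths to data categories.
RESOURCE_CATEGORY = {
    "/shares/hr/payroll.xlsx": "hr",
    "/shares/eng/firmware_design.docx": "engineering",
    "/shares/mkt/campaign.pptx": "marketing",
}
# Constructed audit log: timestamp,user,group,resource,result
SAMPLE_LOG = """\
2023-11-20T10:00:00,alice,engineering,/shares/eng/firmware_design.docx,success
2024-03-01T09:00:00,alice,engineering,/shares/eng/firmware_design.docx,success
2024-03-01T09:05:00,bob,marketing,/shares/eng/firmware_design.docx,success
2024-03-01T09:07:00,bob,marketing,/shares/hr/payroll.xlsx,failure
2024-03-01T09:08:00,bob,marketing,/shares/hr/payroll.xlsx,failure
2024-03-01T09:10:00,vendor1,external,/shares/hr/payroll.xlsx,success
2024-03-01T09:12:00,carol,hr,/shares/hr/payroll.xlsx,success
"""

def parse_event(line):
    ts, user, group, resource, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "group": group, "resource": resource, "result": result}

def audit(log_text, now_iso, retention_days=90):
    """Flag successful accesses by groups outside the ACL, count failed
    attempts per user, and count events older than the retention window
    (those would be unavailable if logs were kept for fewer days)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    unauthorized, failed, outside_retention = [], Counter(), 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["ts"] < cutoff:
            outside_retention += 1
            continue
        allowed = ACL[RESOURCE_CATEGORY[ev["resource"]]]
        if ev["result"] == "failure":
            failed[ev["user"]] += 1
        elif ev["group"] not in allowed:
            unauthorized.append((ev["user"], ev["group"], ev["resource"]))
    return {"unauthorized": unauthorized, "failed": dict(failed),
            "outside_retention": outside_retention}
```

Running `audit(SAMPLE_LOG, "2024-03-15T00:00:00")` on the constructed log reports bob's marketing account reading the engineering design and an external account reading payroll, two failed attempts by bob, and one event that falls outside a 90-day window.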
Have questions? Schedule a 20-minute call: https://tiny.proactivediscovery.com/book-cyber-call