A number of organizations are on track to review privileged online activity with reviews due for completion in the next two years. These reviews are expected to cut down on data theft and leakage by around one-third. In the meantime, there are a few things your IT department can do to manage privileged accounts and ensure data security within your organization.
1. Inventory Accounts and Account Holders
This tip is simple and should already be standard practice. Each account holder should be fully vetted when you bring them on board in your organization. However, daily operations can become overwhelming, and account information and user data can become outdated. Your organization should do a full audit of all privileged accounts and ensure that each account is only being accessed by its proper account holder. Accounts that are no longer used, or that are assigned to employees who have left, should be closed or reassigned as necessary.
2. Password Security
When you brief new team members on their privileged accounts, you are likely careful to inform them that passwords should never be shared with other individuals, whether inside the company or with outside vendors and service providers. However, in a time crunch, or when one team member is out on vacation or home sick, employees may share passwords so that those in the office can access information and accomplish tasks in the absence of the missing employee. Ensure that no passwords have been shared, and if they have, reset the password and offer re-education to employees on password security.
3. Minimize the Number of Accounts with Access to Privileged Information
Clean up the list of users with access to privileged data. It’s likely that some users don’t need privileged access. Removing it not only helps to ensure data security, it also makes life easier for your IT department. Your information security team will have less work to do when the number of privileged accounts is reduced. Monitoring those that remain will take up less time during the workday and free up time for other tasks that may have taken a backseat due to time constraints.
4. Tighten Controls on Privileged Account Use
The activity and access of all privileged accounts should be monitored, no matter the level of the user in the organization. Upper-level executives and lower-level team members should all be monitored the same way, to ensure the greatest information security. Establish processes to monitor accounts that are currently in use. Review the process for assigning privileged access to account holders, and tighten up the process, if necessary. You should also review the records you keep on privileged account holders and ensure these records are complete and up to date, so you know exactly what information is being shared and who is sharing it with whom.
5. Use Temporary Privileges Instead of Allowing Unfettered Access
When a user needs to access privileged information, the easiest way to do this is to apply permanent access privileges to the account. This takes less time for the IT department and keeps the user from constantly requesting access to data. However, this is a great way to cause a data breach or mishap that can damage your company’s reputation. Consider allowing temporary access to privileged information for some employees to reduce the potential for data compromise. Remember to keep records on which employees have been given temporary access to privileged information, and when access was granted and removed.
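As an added example (not part of the original article), the following Python sketch combines the audit from tip 1 with the record-keeping from tip 5: it reconciles a privileged-account inventory against the current staff roster and flags temporary grants that have expired without a recorded removal. All account names, field names, dates and the 90-day idle threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; names, fields and the 90-day idle threshold are assumptions.
NOW = datetime(2024, 6, 1)
ACTIVE_STAFF = {"alice", "bob", "carol"}           # current HR roster
ACCOUNTS = [                                        # privileged-account inventory
    {"account": "adm-alice", "holder": "alice", "last_used": datetime(2024, 5, 30)},
    {"account": "adm-dave", "holder": "dave", "last_used": datetime(2024, 5, 1)},
    {"account": "adm-bob", "holder": "bob", "last_used": datetime(2023, 11, 2)},
    {"account": "svc-backup", "holder": None, "last_used": datetime(2024, 5, 31)},
]
GRANTS = [                                          # temporary-access ledger
    {"user": "carol", "resource": "payroll-db", "granted": datetime(2024, 5, 20),
     "expires": datetime(2024, 5, 27), "removed": datetime(2024, 5, 27)},
    {"user": "bob", "resource": "payroll-db", "granted": datetime(2024, 5, 1),
     "expires": datetime(2024, 5, 8), "removed": None},
    {"user": "alice", "resource": "hr-share", "granted": datetime(2024, 5, 30),
     "expires": datetime(2024, 6, 6), "removed": None},
]

def audit_accounts(accounts, active_staff, now, max_idle=timedelta(days=90)):
    """Return (account, reason) findings for the privileged-account inventory."""
    findings = []
    for acct in accounts:
        holder = acct["holder"]
        if holder is None:
            findings.append((acct["account"], "no recorded holder"))
        elif holder not in active_staff:
            findings.append((acct["account"], "holder has left: close or reassign"))
        elif now - acct["last_used"] > max_idle:
            findings.append((acct["account"], "unused: close or reassign"))
    return findings

def overdue_grants(grants, now):
    """Return temporary grants that are past expiry with no removal recorded."""
    return [(g["user"], g["resource"]) for g in grants
            if g["removed"] is None and g["expires"] < now]

if __name__ == "__main__":
    for account, reason in audit_accounts(ACCOUNTS, ACTIVE_STAFF, NOW):
        print(f"{account}: {reason}")
    for user, resource in overdue_grants(GRANTS, NOW):
        print(f"{user} still has expired temporary access to {resource}")
```

In practice the inventory, roster and grant ledger would be exported from your directory service, HR system and ticketing records rather than hard-coded.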
Data management is important for several reasons. Establishing proper controls and procedures to maintain limited access to this sensitive information protects your employees and clients. Ensuring the security of your company’s data will also save money and time, and keep your reputation intact while other companies are being blasted in the media for allowing data to be leaked outside secure servers. Conducting regular audits and keeping a tight rein on your data takes surprisingly little investment of time and money, and ensures the security of information both within your company walls and outside your organization.