Who Has Full Access to Your Data?
A disgruntled former employee is nothing new. However, in today’s digital work environment, an unhappy employee with unfettered access to your critical data is something to be concerned about. While it is essential to protect against cybercriminals, it also pays to be mindful of the threat in your own office.
What Happens When an Employee Maliciously Deletes Your Data?
Recently, a part-time employee at a credit union who was working remotely was terminated. As part of the credit union’s policy, the IT department was requested to disable the former employee’s access. Unfortunately, the action wasn’t completed, and the former employee retained access.
Within 40 minutes, the former employee deleted approximately 20,433 files and 3,478 directories, a total of roughly 21.3 gigabytes of data. Most importantly, the deleted data included files related to mortgage loan applications, customer personal information, and a whole lot more. A portion of the files that were lost also included the credit union’s cybersecurity documentation, which could potentially open up a whole new can of worms.
It shouldn’t be difficult to imagine the disruption the credit union and its customers faced due to the breach. Moreover, the credit union had only backed up some of their files, which means an undisclosed amount of information will be permanently lost. So far, the credit union has reportedly spent tens of thousands of dollars to recover what data they could. Still, this cost will likely increase as the organization tries to replace the data, the customers, and the reputation that they lost, in addition to the security risk due to their cybersecurity software being compromised.
This Is Easily Preventable
While the disgruntled employee takes full responsibility for this disaster, which we would classify as a data breach, the unpleasant truth is, the breach shouldn’t have happened in the first place.
Had the organization followed best practices, the data wouldn’t have been lost. This wasn’t a brute force attack that broke through their security. A former employee used their credentials, the same credentials they used every day, to access high-level information and delete it. This means that the employee could have deleted the information anytime they wanted to, regardless of their employment status. Any other employee with the same unfettered access could have done the same thing. Imagine the damage they could have caused if they had decided to be more subtle, perhaps slowly altering and stealing information instead of bluntly deleting it.
While hindsight is 20/20, the reality is that had the credit union followed the simplest best practices, their data would have been secure.
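The failure described above was an offboarding step that never completed: access was requested to be disabled, and nobody checked that it actually was. The following script, an added example that is not from the original post, reconciles a constructed HR termination feed against a constructed directory export and flags every terminated user whose account is still enabled, how long it has been enabled past termination, and whether that account sits in a group with broad modify or delete rights. The group names, the 15-minute revocation SLA and the sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: an HR termination feed and a directory export.
# User names, timestamps and group names are made up for illustration.
TERMINATIONS = [
    {"user": "jdoe",   "terminated_at": "2023-03-01T09:00:00"},
    {"user": "asmith", "terminated_at": "2023-03-01T08:00:00"},
]
DIRECTORY = [
    {"user": "jdoe",   "enabled": True,  "groups": ["Staff", "Loan-Files-Modify"]},
    {"user": "asmith", "enabled": False, "groups": ["Staff"]},
    {"user": "bwong",  "enabled": True,  "groups": ["Staff", "Sales"]},
]
# Groups that grant broad modify/delete rights on sensitive shares (assumed names).
HIGH_RISK_GROUPS = {"Loan-Files-Modify", "Domain Admins"}
# Assumed policy: access must be revoked within 15 minutes of termination.
REVOCATION_SLA = timedelta(minutes=15)


def find_stale_access(terminations, directory, now_iso):
    """Return one finding per terminated user whose account is still enabled.

    now_iso is the reconciliation time as an ISO-8601 string, so the check can be
    replayed against a known point in time (e.g. 40 minutes after termination).
    """
    now = datetime.fromisoformat(now_iso)
    by_user = {entry["user"]: entry for entry in directory}
    findings = []
    for term in terminations:
        account = by_user.get(term["user"])
        if account is None or not account["enabled"]:
            continue  # account removed or already disabled: offboarding completed
        overdue = now - datetime.fromisoformat(term["terminated_at"])
        findings.append({
            "user": term["user"],
            "minutes_enabled_after_termination": int(overdue.total_seconds() // 60),
            "sla_breached": overdue > REVOCATION_SLA,
            # Still-enabled accounts in high-risk groups are the ones to disable first.
            "high_risk_groups": sorted(set(account["groups"]) & HIGH_RISK_GROUPS),
        })
    return findings


if __name__ == "__main__":
    # Replay the check 40 minutes after jdoe's termination.
    for finding in find_stale_access(TERMINATIONS, DIRECTORY, "2023-03-01T09:40:00"):
        print(finding)
```

Run on a schedule, a non-empty result is the signal that the disable request was never carried out, which is exactly the gap the credit union had.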
Don’t Give Everyone Unfettered Access to Everything
The primary goal of any business, especially organizations that deal with a lot of sensitive information, is to protect their data. Bar none, your data is one of your greatest assets, which is why it is so often targeted by bad actors: professional cybercriminals and disgruntled employees alike.
While cybercriminals seek to hold your data hostage with ransomware, a disgruntled employee’s goal is typically to damage your business. In a worst-case scenario, that only takes a few minutes and a handful of mouse clicks to do. Regardless of the rationale for the attack, the result is the same: the loss of your data.
It’s expensive. It’s time-consuming. It damages your reputation. It hurts the relationship you have with your customers. It hurts employee morale. It risks your business and the livelihood of everyone involved.
While the motivation for the attacks differs, the methods used to damage your data are similar: gain access to your systems, then either lock you out of your data through a ransomware attack or delete it as an act of revenge. Fortunately, the tactics to protect your data from disruptions are the same. They include:
- Training your team to recognize when something is amiss. Your team is your first line of defense when it comes to recognizing a cyberattack. Since cybercriminals will target your team, it makes sense to give them the skills to identify a cyberattack and the permission to contact your IT department to report it. Too often, team members are discouraged from contacting the IT department out of fear of wasting their time. Unfortunately, cybercriminals can capitalize on the delay and burrow even further into your systems when this happens.
- Deploying verification protocols to prevent unauthorized access (AKA MFA). Multi-Factor Authentication has taken its place as one of the most fundamental steps a business can take to protect its data. By adding at least one additional requirement to access your data, your business can repel most unauthorized users from accessing your system.
- Ensuring that ALL of your data is backed up every single day, and that your backups are thoroughly tested every day. Your data should be stored securely on a device that employees don’t have digital access to, and another that they don’t have physical access to. That might sound harsh, but it’s not just to protect your data from your staff. An iron-clad backup solution protects your business from all kinds of threats, including cyberattacks, user error, and even natural disasters.
Managing Who Can Access Your Data is Essential
While the credit union failed to follow cybersecurity best practices in many areas, their most significant failure, and ultimately the primary cause of their issues, was the lack of access privilege controls. More than anything else, this shortcoming gave anyone with access to their system the ability to manage and control high-level data with ease.
File and folder access permissions are just as important as controlling who has access to safe deposit boxes locked in a bank vault. While it could be acceptable to allow copies of keys to open the vault, none of the keys open any safe deposit boxes. That type of access is reserved for a small number of select people, and only a few keys even exist.
The same should go for any organization and its data. Your sales team doesn’t need access to accounting documents, stored credit card information, and network documentation. An employee should only be granted access to what they need to perform their job.
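The safe deposit box rule above can be checked mechanically: write down which shares each role needs and the highest rights it should hold, then compare that policy against what the file server actually grants. The script below is an added example, not the author’s code or tooling; the roles, share names, rights levels and the ACL export are constructed for illustration. It flags two kinds of excess: a grant on a share the role has no business with (sales on accounting documents) and rights that exceed what the role needs (Full Control where Read would do).

```python
# Constructed least-privilege policy: role -> {share: highest rights the role needs}.
# Roles, shares and rights levels are assumed names for illustration.
POLICY = {
    "sales":      {"CRM": "Modify", "Marketing": "Read"},
    "accounting": {"Accounting": "Modify", "CardData": "Read"},
    "it":         {"NetDocs": "Modify", "Accounting": "Read"},
}
# Rights levels from least to most privileged, as a share export might name them.
RIGHTS_ORDER = ["Read", "Modify", "FullControl"]

# Constructed effective-permissions export: (user, role, share, rights granted).
ACL_EXPORT = [
    ("bwong",  "sales",      "CRM",        "Modify"),       # matches policy
    ("bwong",  "sales",      "Accounting", "Read"),         # share not needed by role
    ("kpatel", "accounting", "CardData",   "FullControl"),  # rights exceed policy
    ("rlee",   "it",         "NetDocs",    "Modify"),       # matches policy
    ("tnguyen", "sales",     "CardData",   "Read"),         # share not needed by role
]


def rank(rights):
    """Position of a rights level in RIGHTS_ORDER; unknown levels rank highest."""
    return RIGHTS_ORDER.index(rights) if rights in RIGHTS_ORDER else len(RIGHTS_ORDER)


def audit_acl(acl, policy):
    """Return (user, share, reason) for every grant that exceeds the user's role."""
    findings = []
    for user, role, share, rights in acl:
        allowed = policy.get(role, {})  # unknown role: nothing is allowed
        if share not in allowed:
            findings.append((user, share, "share not required by role '%s'" % role))
        elif rank(rights) > rank(allowed[share]):
            findings.append((user, share, "%s granted, policy allows %s"
                             % (rights, allowed[share])))
    return findings


if __name__ == "__main__":
    for user, share, reason in audit_acl(ACL_EXPORT, POLICY):
        print("%-8s %-11s %s" % (user, share, reason))
```

Every finding is a key that opens a box it should not; removing those grants, rather than trusting that nobody will turn the key, is what the credit union was missing.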
Are You Managing Who Can Access Your Data?
If there is one takeaway from this event, it is the importance of managing who can access your data. The news is constantly reporting businesses that experience devastating cyberattacks and IT mishaps, and despite this, many organizations are still practicing poor IT hygiene. Don’t let yourself serve as an example for others!
If you aren’t sure where to start, call Directive today at 607.433.2200 for an IT audit. We will be able to tell whether or not your data is secure, and help you protect your business.