Far too often, cyber security incidents headline the news and other media, from the ransomware attacks back in May and then June to the most recent findings of hackers attempting to access critical energy plants. Many companies, especially those that aren’t large corporations, might think to themselves, “Why would a hacker ever target my company?” Surprisingly, many times the person behind a cyber security incident doesn’t turn out to be your stereotypical “hacker”.
Recent reports show that disgruntled employees are increasingly becoming a big player in cyber security incidents. A report published by Crowd Research Partners found that, out of a group of 300,000+ information security community members, 67% felt it is more difficult than a year ago to detect or prevent insider attacks because insiders already have privileged access to the resources. In the same study, 75% of this group estimated the remediation cost of an insider attack at between $100k and $500k, with the other 25% estimating costs greater than $500k and into the millions.
So how does your organization protect itself from employees intentionally altering, deleting, or leaking critical business information? A great way to start is to have a clear idea of the exact privileges the different employees at your company should have. When designing your policies, make sure you have fully thought out all the separation of duty restrictions and inherited privileges employees will need. Once you have designed your access control policies, it is very important to then test and verify that they are working as intended. Consider using a powerful Access Control Policy Verification tool to test combinations of your policies against different security requirements. This will allow you to easily identify hidden errors and know without doubt that the correct employees are receiving the access privileges that your organization intends.
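The kind of check described above, as an added example (not code from Security Policy Tool or NIST’s ACPT): a small Python role-based policy with inheritance is tested against separation-of-duty, must-allow and must-deny requirements. All role, user and permission names are constructed for illustration.

```python
# Constructed sample policy: every role, user and permission name is hypothetical.
ROLE_PERMS = {
    "employee": {"invoice:read"}, "clerk": {"invoice:create"},
    "approver": {"invoice:approve"}, "finance_manager": {"ledger:delete"},
}
# Role inheritance: a role also receives every permission of the roles it lists.
INHERITS = {"clerk": ["employee"], "approver": ["employee"],
            "finance_manager": ["clerk", "approver"]}
USER_ROLES = {"alice": ["clerk"], "bob": ["approver"], "carol": ["finance_manager"]}

# Security requirements the policy is tested against.
SOD_PAIRS = [("invoice:create", "invoice:approve")]  # no one user may hold both
MUST_ALLOW = [("alice", "invoice:read"), ("bob", "invoice:approve")]
MUST_DENY = [("alice", "ledger:delete"), ("bob", "invoice:create")]


def role_perms(role, seen=None):
    """Permissions of a role including everything inherited (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, ()))
    for parent in INHERITS.get(role, ()):
        perms |= role_perms(parent, seen)
    return perms


def user_perms(user):
    """Effective permissions of a user across all assigned roles."""
    return set().union(*(role_perms(r) for r in USER_ROLES.get(user, ())))


def verify():
    """Return a sorted list of (requirement, user, detail) violations."""
    found = []
    for user in USER_ROLES:
        perms = user_perms(user)
        for a, b in SOD_PAIRS:
            if a in perms and b in perms:
                found.append(("separation_of_duty", user, f"{a} + {b}"))
    found += [("must_allow", u, p) for u, p in MUST_ALLOW if p not in user_perms(u)]
    found += [("must_deny", u, p) for u, p in MUST_DENY if p in user_perms(u)]
    return sorted(found)


if __name__ == "__main__":
    print(*verify(), sep="\n")
```

In this sample no role grants both invoice permissions directly, yet the check reports carol: finance_manager inherits from both clerk and approver, so she can create and approve the same invoice.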
Not sure if your organization has a tool to verify access control policies? Check out InfoBeyond’s Security Policy Tool, a commercial version of NIST’s ACPT which has been downloaded by more than 460 companies and organizations. You can register for a Free Demo on their website (www.securitypolicytool.com) and see for yourself how simple it is to verify that your organization’s access control privileges are working as intended.