It seems like hardly a day goes past without news of another major data breach or cyber attack. In fact, recent research from DLA Piper revealed that 59,000 breaches have occurred since the implementation of the General Data Protection Regulation – with the likes of Toyota, Quora, and even Google coming under fire.
While it’s widely known that data breaches incur a significant financial penalty under GDPR – up to €20 million or 4 per cent of the company’s global annual turnover – what is far less understood is who’s responsible (and who pays the price) for a breach due to employee negligence or criminality, sometimes referred to as ‘vicarious liability’.
A recent example from the UK illustrates the problem – with a major supermarket chain fighting an earlier ruling that made it liable for one disgruntled employee’s leak of the personal details of 100,000 colleagues online. While this battle continues through the courts, what is clear is that companies are currently considered to be vicariously liable for the actions of their employees and the security of both employee and consumer data.
Forgetting to hand over the keys
Whichever way the issue of corporate responsibility is resolved, businesses of all sectors and sizes need to ensure that their employee and customer information is properly protected. This may seem like an overwhelming task, but the truth is data breaches are often – perhaps predominantly – caused by simple, avoidable errors during day-to-day processes.
For example, companies often fail to consider whether employees can still access this information once their employment has been terminated, as seems to have been the case in the supermarket breach. While this should be easily avoidable, it continues to be a massive problem for businesses, as our own research reveals.
In SailPoint’s most recent Market Pulse Survey, we found that almost half (47%) of employees who leave a job still have access to their former organisation’s data via corporate accounts (17%), cloud storage (16%) or mobile devices (14%). That’s an astonishing figure. After all, no landlord would forget to ask their tenant to hand over their keys once they vacate a property, yet this is pretty much exactly what many businesses – indeed, nearly 50% of them – are doing with their former workers.
It takes just one employee to cause massive, perhaps irreparable damage to a business’s reputation by accessing and sharing enormous volumes of sensitive data. So, beyond ensuring that they remove access to corporate systems immediately after a worker’s employment ends, how can businesses best protect their data and avoid a damaging breach?
Managing access becomes more complex
If your organisation has been lucky enough to avoid a serious data breach, that’s not necessarily cause for complacency. Until you can ensure that you control every worker’s access to sensitive data, including and especially after they’ve left your business, the stable door remains wide open. It’s only a matter of time before an employee accesses and leaks sensitive information, either maliciously or by accident.
Instead, congratulate yourself on your good luck so far – and take steps today to improve your organisation’s identity governance.
This can seem a daunting task at first, especially if your IT teams currently spend significant amounts of time struggling with the complex question of who has access to what. This difficulty is often compounded when an organisation is going through a period of significant change, for example during digital transformation projects, when a company may be making many new hires or employees may be changing roles.
Any change to the workforce – even the promotion or sideways move of a single employee – heightens the risk of a worker being able to access information or systems that they’re no longer authorised to view. Similarly, it should be obvious that when an employee leaves, their access privileges should be revoked immediately, but sadly we’ve seen how this often isn’t the case.
But there’s another side to the coin. When an organisation forgets or otherwise fails to update an employee’s access, it can leave ‘orphaned’ accounts, and these represent a particularly tempting target for hackers. That’s because hackers can use these as cover, breaking into unguarded, unwatched dormant accounts to steal sensitive data through seemingly legitimate access and without raising the alarm.
Making identity governance manageable
Faced with the growing complexity of access management, how can an organisation respond without further burdening already-overstretched IT teams?
The answer, as with so many other areas of business today, is intelligent automation of access. Choosing the right identity governance solution means that an organisation can manage access far more effectively, removing at a stroke the risk of forgetting to update privileges whenever an employee’s role changes or when they leave the company.
An effective identity governance system can also help you to manage potential security and compliance risks, while also ensuring that every digital identity throughout the organisation is kept secure. What’s more, it provides a far greater level of oversight, so that IT and other parties can easily keep track of who can access what data.
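The two risks described above (access that outlives a role change or a departure, and orphaned or dormant accounts that nobody is watching) are what an automated identity governance check reconciles: it compares the accounts that actually exist against the HR roster and a role model, and turns the mismatches into revocation actions. The script below is an added example written for this article, not SailPoint’s product code. The roster, account inventory, role model and dates are all constructed, and the 90-day dormancy threshold and the `disable-account` / `remove-entitlement` actions are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: the authoritative joiner / mover / leaver source.
HR_ROSTER = {
    "e100": {"name": "A. Ahmed", "status": "active", "role": "payroll"},
    "e101": {"name": "B. Brown", "status": "active", "role": "sales"},   # moved from payroll to sales
    "e102": {"name": "C. Chen", "status": "terminated", "role": "hr",
             "end_date": date(2019, 3, 1)},                               # a leaver
}

# Constructed account inventory, as a governance tool would collect it from target systems.
ACCOUNTS = [
    {"account": "aahmed", "owner": "e100", "entitlements": {"payroll-read", "payroll-write"},
     "last_login": date(2019, 6, 10)},
    {"account": "bbrown", "owner": "e101", "entitlements": {"crm-read", "payroll-read"},
     "last_login": date(2019, 6, 11)},   # still holds a payroll entitlement from the old role
    {"account": "cchen", "owner": "e102", "entitlements": {"hr-read"},
     "last_login": date(2019, 5, 2)},    # used two months after the owner left
    {"account": "svc-old", "owner": None, "entitlements": {"db-admin"},
     "last_login": date(2018, 11, 1)},   # no owner at all: an orphaned account
]

# Assumed role model: the entitlements each role is permitted to hold.
ROLE_MODEL = {
    "payroll": {"payroll-read", "payroll-write"},
    "sales": {"crm-read"},
    "hr": {"hr-read"},
}

# Constructed "today" so the dormancy calculation is deterministic.
AS_OF = date(2019, 6, 12)


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str                 # "orphan", "leaver", "excess" or "dormant"
    detail: str
    entitlement: str | None = None   # set only for "excess" findings


def reconcile(roster, accounts, role_model, today, dormant_days=90):
    """Compare live accounts against the HR roster and role model; return findings."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        name = acct["account"]
        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            # Either no owner recorded or an owner id HR has never heard of.
            findings.append(Finding(name, "orphan", "no owner in HR roster"))
        elif owner["status"] == "terminated":
            findings.append(Finding(name, "leaver", f"owner left on {owner['end_date']}"))
        else:
            # Mover check: anything beyond what the current role allows is excess.
            allowed = role_model.get(owner["role"], set())
            for ent in sorted(acct["entitlements"] - allowed):
                findings.append(Finding(name, "excess",
                                        f"{ent} not permitted for role {owner['role']}", ent))
        if acct["last_login"] < cutoff:
            findings.append(Finding(name, "dormant", f"last login {acct['last_login']}"))
    return findings


def revocation_plan(findings):
    """Collapse findings into one sorted action list per account."""
    plan: dict[str, set[str]] = {}
    for f in findings:
        if f.kind == "excess":
            action = f"remove-entitlement:{f.entitlement}"
        else:
            action = "disable-account"   # orphan, leaver and dormant accounts are all disabled
        plan.setdefault(f.account, set()).add(action)
    return {acct: sorted(actions) for acct, actions in plan.items()}


def run_review():
    """Run the reconciliation over the constructed data; returns (findings, plan)."""
    findings = reconcile(HR_ROSTER, ACCOUNTS, ROLE_MODEL, AS_OF)
    return findings, revocation_plan(findings)


if __name__ == "__main__":
    findings, plan = run_review()
    for f in findings:
        print(f"{f.account:8} {f.kind:8} {f.detail}")
    print(plan)
```

The point of the design is that HR, not the IT ticket queue, is the source of truth: an account is judged by what its owner’s current status and role permit, so a promotion, a sideways move and a departure all surface the same way, and an account with no owner at all is flagged before anyone has to remember it exists. In a real deployment the roster and inventory would be pulled from the HR system and the connected applications, and the plan would feed a ticketing or provisioning workflow rather than be printed.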
The lesson is clear: don’t lock your stable door after the horse has bolted. It could be galloping away with your most precious resource: your company’s most sensitive information.