As businesses explore new possibilities riding the unprecedented growth in information and communication technologies, data security concerns are at the forefront of conversations and, thankfully, now reach even the board of directors. However, the recent history of information security is replete with organizations’ unsuccessful efforts to protect valuable data. Institutions across every industry are exhibiting fragile, often futile, risk management approaches.
Efforts at proactive IT risk management in banking are viewed as unconvincing; retailers getting hacked over and over again are exposing the weakness of security risk management in the retail industry; and preventing information security breaches in healthcare has become a critical function for that industry. The rising number of risk events is making the savvy consumer ask: are you prepared? Most companies try to re-engage the consumer by putting forward a reassuring but misleading picture of their security infrastructure.
This unintentional projection usually stems from the fact that organizations have the larger, more visible security gaps covered. However, companies seldom realize that, in the endeavor to plug the larger and more noticeable flaws, one of the vital areas of the information security management system (ISMS), access control, is left exposed. An organization that treats access control as a significant component of its risk management system can keep IT risks at bay to a considerable extent and limit dollar losses, which are pegged at $15 million per annum per large company in the US, according to the Ponemon 2015 Cost of Cyber Crime Study: United States.
The security of information within an organization affects the way it performs and is affected by the people who have access to that information, whether directly or indirectly. It has emerged that the infamous Ashley Madison breach was executed by a “close” party, presumably an ex-employee or vendor whose access rights were neither revoked nor monitored. The fact that the cheating website did not manage data access properly showcases poor access control measures, which allowed “The Impact Team” to potentially expose millions of users, including more than 10,000 .mil or .gov email addresses.
Although the Ashley Madison breach was not entirely financially motivated, risk events resulting from a poor access control culture could have business-threatening consequences. However, the strategies required to prevent such devastating impacts revolve around small, basic things that govern how permissions are granted and how access to information facilities is limited. Stricter access control measures guided by a risk-aware culture could raise the chances of detection, making intrusion difficult for perpetrators.
Information owners must lay down user-specific access control norms, access rights and limitations within the larger information security risk infrastructure. The necessity of the enforced access control measures should be clearly stated to the stakeholders and followed up by ensuring adherence to the extent possible without impeding growth. Further, the senior workforce of the institution needs to set an example by sacrificing convenience for the sake of security. This is of paramount importance, as it will inspire the general workforce to tolerate inconvenience and dissuade stakeholders from compromising on security in favor of convenience.
Safe access control parameters would create a collaborative security culture, leading to a robust information security framework. A culture thus built would likely be all-pervasive and create an invisible framework for operational risk management, which in turn would bridge commitment and execution in risk management. An organization that puts access control at the forefront of its information security management system (ISMS) takes relevant legislation into consideration while at the same time being mindful of seemingly insignificant aspects such as access administration, which includes the periodic review of access rights and the timely removal of access rights.
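The access-administration controls named above, periodic review of access rights and their timely removal, can be made routine by reconciling the identity store against the HR roster on a schedule; the same check would also surface the un-revoked ex-employee or vendor access that the Ashley Madison paragraph describes. The following Python is an added illustration, not code from the article or from any product or standard it mentions; the roster, the account export, the 90-day inactivity threshold and the `db-admin` privileged group are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample inputs (not taken from the article): a minimal HR roster
# and an identity-store export of the kind an access-review job would read.
HR_ROSTER: Dict[str, dict] = {
    "alice": {"status": "active", "left_on": None},
    "bob": {"status": "terminated", "left_on": date(2015, 9, 1)},
    "carol": {"status": "active", "left_on": None},
}

ACCOUNTS: List[dict] = [
    {"username": "alice", "owner": "alice", "groups": ["staff"], "last_login": date(2015, 10, 20)},
    # Left the company on 1 Sep, but the account still exists and still holds admin rights.
    {"username": "bob", "owner": "bob", "groups": ["staff", "db-admin"], "last_login": date(2015, 9, 28)},
    {"username": "carol", "owner": "carol", "groups": ["staff"], "last_login": date(2015, 6, 1)},
    # Vendor service account whose owner does not appear in the HR roster at all.
    {"username": "svc-backup", "owner": "vendor-x", "groups": ["db-admin"], "last_login": date(2015, 10, 19)},
]


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    action: str


def review_access(accounts, roster, today, inactivity_days=90, privileged_groups=("db-admin",)):
    """Reconcile accounts against the HR roster and return review findings.

    The checks are independent, so one account can yield several findings:
    - owner no longer employed        -> access was never revoked (revoke now)
    - owner unknown to HR             -> orphaned account (disable until an owner confirms it)
    - no login within the threshold   -> dormant account (disable and recertify)
    - membership of a privileged group -> must be recertified every review cycle
    """
    findings = []
    stale_cutoff = today - timedelta(days=inactivity_days)
    for acct in accounts:
        owner = roster.get(acct["owner"])
        if owner is None:
            findings.append(Finding(acct["username"], "orphaned: owner not in HR roster",
                                    "disable pending owner confirmation"))
        elif owner["status"] == "terminated":
            findings.append(Finding(acct["username"],
                                    f"owner left on {owner['left_on'].isoformat()} but access not revoked",
                                    "revoke immediately"))
        if acct["last_login"] < stale_cutoff:
            findings.append(Finding(acct["username"], f"no login for more than {inactivity_days} days",
                                    "disable and recertify"))
        privileged = sorted(set(acct["groups"]) & set(privileged_groups))
        if privileged:
            findings.append(Finding(acct["username"],
                                    f"privileged membership {privileged} requires recertification",
                                    "recertify with owner's manager"))
    return findings


def findings_by_user(findings):
    """Group findings per account so a reviewer sees everything about one account together."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.username, []).append(f)
    return grouped


def revocation_queue(findings):
    """Usernames whose access must be removed now, deduplicated and ordered."""
    return sorted({f.username for f in findings if f.action == "revoke immediately"})


def run_review(today=date(2015, 10, 21)):
    """Run the review over the constructed sample data for a fixed review date."""
    return review_access(ACCOUNTS, HR_ROSTER, today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.username:12} {f.action:34} {f.reason}")
```

The point of separating the finding from the action is that "timely removal" and "periodic review" are different workflows: a terminated owner goes straight to the revocation queue, while dormant or privileged accounts go back to an owner or manager for recertification, which is where the information owners named earlier in the article come in.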
Access control works differently for different industries and even varies from company to company within the same industry, based on the nature of the process that determines system access or restrictions. While doing the small things as well as possible matters to a considerable degree, gaining increased control by following the most widely accepted code of practice, ISO/IEC 27002:2013, which allows you to choose the controls applicable to your organization’s ISMS, would ensure business performance in a risk-intensive world.