Give All Employees a Master Key
As preposterous as the title sounds, a large percentage of SMBs and many larger organizations do just that - with their information assets. A recent study by the Ponemon Institute including over 2,200 end users and IT staffers demonstrates my premise quite clearly. A whopping 71% of end users indicated that they had access to company data that they did not need to do their jobs. Of greater concern was the response from IT personnel. According to the article in Security Week, "Some 80 percent of the IT pros said their organization does not enforce a strict least-privilege data model, and only 47 percent of the 1,166 IT professionals said end users in their organizations are taking appropriate steps to protect company data accessed by them." Ouch.
The big news in information security this week has of course been the Sony data breach, which unfortunately overshadows the likely thousands of small misuses of company data by employees. There is certainly a strong profit motive for employees to steal data: the market for such data is very strong, and growing. It does not take the sale of data to someone with malicious intent to damage a company, however.
Some years back, I caught a member of my help desk team at a financial company accessing HR documents for which he had no need, and gossiping about the information to other employees. His actions were fostering dissent and mistrust in the organization. Even worse, some years prior to that an employee at a hardware manufacturer I worked for obtained individualized bonus information from a poorly protected email message, and posted it for the world to see. This caused major headaches for company management.
Sadly, for all of the small information disclosures we know about, there are probably hundreds or thousands that go undetected. This is doing untold damage to businesses, large and small.
If you have a business with more than a few employees, it is critical that you have a plan to control access to sensitive data. Employees should only have access to data they need to do their jobs. Access to data beyond their needs only provides an unnecessary temptation that sadly some will fall for. This brings to mind a saying we have had in the information security world for some years: "stinginess with privilege is kindness in disguise." It is a bit trite, but very true.
It is not easy to classify and secure information assets. Such a system is a pain to set up, and requires significant ongoing management. The cost of not doing so, however, can be much higher.
If you have a Windows Server, you already have one of the fundamental tools used to control information access: Windows Active Directory, with its security groups, file system permissions and access auditing. Many companies use it, but a much smaller number use it effectively. The usual failure is not a missing feature but a missing habit: permissions granted to individual accounts or to catch-all groups such as Domain Users, rather than to role-based groups that are reviewed when people change jobs.
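The following PowerShell script is an added example and is not from the original post. It audits a list of sensitive folders for two "master key" patterns: rights granted to catch-all groups, and rights granted directly to user accounts instead of to role groups. The share paths, the HR-Data-Read group name and the remediation lines are hypothetical; the script assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the folder ACLs.

```powershell
# Added example, not part of the original post. Reports "master key" grants on
# sensitive folders: rights given to catch-all groups, or directly to user
# accounts instead of to role groups. Paths and group names are hypothetical.
# Requires the ActiveDirectory module (RSAT) and read access to the folders.
Import-Module ActiveDirectory

$SensitivePaths  = @('\\FS01\HR', '\\FS01\Finance')      # hypothetical shares
$Domain          = (Get-ADDomain).NetBIOSName
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$Domain\Domain Users"
)

function Test-IsDomainUser([string]$Identity) {
    # True when the ACE principal is an individual domain account rather than a group
    if ($Identity -notlike "$Domain\*") { return $false }
    $sam = $Identity.Split('\')[-1]
    return [bool](Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue)
}

$findings = foreach ($path in $SensitivePaths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are not "master keys"
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $finding = $null
        if ($BroadPrincipals -contains $id) { $finding = 'Catch-all group' }
        elseif (Test-IsDomainUser $id)      { $finding = 'Direct user grant' }
        if ($finding) {
            [pscustomobject]@{
                Path      = $path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation pattern (review each finding before running this): grant access
# through a role group, then remove the broad or direct grant.
# 'HR-Data-Read' is a hypothetical group name.
# New-ADGroup -Name 'HR-Data-Read' -GroupScope DomainLocal -GroupCategory Security
# icacls '\\FS01\HR' /grant "$Domain\HR-Data-Read:(OI)(CI)RX"
# icacls '\\FS01\HR' /remove:g "$Domain\Domain Users"
```

Inherited entries are reported as well, because a catch-all grant on a parent folder is the most common way an HR or Finance share ends up readable by everyone. Once access flows only through role groups, reviewing who can read a share becomes a question of reviewing group membership, which is something you can do on a schedule.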
There are many other tools on the market that allow information access to be controlled with good granularity. Many content management systems for example will allow for this, with access audit trails as well.
For organizations using web-based systems, I recommend an identity management tool such as Okta, to help build and maintain proper access controls.
Just as it would be difficult and expensive to recover from having given all employees a master building key, it is difficult or impossible to undo inappropriate data access. Once employees have had access to data they don't need to see, you will never be sure what they accessed, or whether it was copied or passed on. As such, correct the problem BEFORE it happens.