By Calum Macleod, European Director of Cyber-Ark – The Digital Vaulting specialists
What would you consider the value of your company’s data to be? Consider your organisation’s research and develop data, marketing strategies, client database, and all your financial data. What would it be worth to you to have that data returned if you discovered that the only up to date copy had “left the building”? Would you consider offering a public reward to anyone who could supply any information relating to apprehending the people responsible for the theft of every piece of valuable and confidential data that your organisation possess? Would you actually still have a job? Would you know if it happened? The reality is that in many organisations senior management are totally oblivious to the extent to which sensitive information is being leaked outside.
Would you know if your head of finance is so paranoid that he or she keeps all the company’s financial data on his company notebook just to be sure that no one can access it? And yet recently a multi-national, publicly traded company discovered this to be the case when the hard disk crashed on the notebook!
The reality is that most of you are sitting on a ticking bomb and are totally oblivious to the risks being taken with your business by your employees, and frequently it is those in the most responsible positions that represent the biggest risk.
The area that represents one of the major risks to your well being is your IT department. Everything that your organisation does today will use IT in one way or another. In fact the operation of your business is effectively in the hands of your IT department, and in some cases in the hands of staff working for some company to whom you outsourced your IT services. Outsourcing has become a very popular approach because it allows you to reduce your costs and in many cases reduce head count by moving your IT staff to your outsourcer. Attractive as this might be, it frequently is resented by staff who are forced to move and these same staff undoubtedly are still doing the same job as they were when they were your employees, with the same access to your confidential information. Investigations over the past year by a number of independent bodies have identified that as much as 90% of business sabotage is perpetrated by IT staff.
Who Is Looking After Your Infrastructure?
Behind every successful use of your PC or connection to your email, or access to some application that gives you critical data about the state of your business there’s an IT person who is making it all possible. And to make it possible it means that they can access any of your systems, including your PC at any time and look at anything that might be on that system. In fact not so long ago I met with a company where a director was exposed for using his notebook to visit porn websites after one of the IT staff connected to the director’s PC during the day without the user’s knowledge. After all in order to do his job, the IT administrator had the administration password for every PC in the company! Unless there are proper controls such as Privileged Password Management, everything you have on your PC including your email, saved passwords in your browser, and even files that you have opened in your PC are fair game to the person with the Administrator account – and this is while you’re working and you wouldn’t even know it was happening!
Every system and application has at least one privileged account. And these accounts are shared by many people. The privileged account, in the form of administrator accounts and operator accounts are a requirement for every system and application, and this is what makes it possible to keep your systems running. And it is the privileged account that provides the largest exploit opportunity in today’s enterprises. A compromise of the right privileged account, or set of accounts, may create an unknown “puppetmaster” atmosphere where a third party has total control over a computing environment – unfettered access to programs, services, and data. And you can’t just “turn off” privileged accounts because they perform critical functions. Deleting or disabling a privileged account would lead to computers running themselves (or not running) with no human control and no possibility of management. A complete rebuild of these systems becomes a likely consequence.
For Your Eyes Only
It may be for “your eyes only” but if it’s on a company computer system then you can be sure that there are others who are able to use their IT privileged status to have a look. In the banking world, payment files are usually exposed to system administrators. And since these files are used between applications they are not secured. So as a result a systems administrator can easily access a payment file, make a “slight adjustment” and you’d probably never know until the postcard arrives from Paraguay!
The day to day needs of information transfer with users who are not part of the enterprise are growing. Distributing data from back-end systems to customers, or sharing information with partners and other 3rd parties - these types of communications are becoming vital for e-Business.
Financial reports need to be distributed to business customers; legal and financial information needs to be shared with lawyers or board members who are located out side of the enterprise; highly-sensitive Clinical trial information is shared among research laboratories, medical professionals and federal institutions. Payment or salary wire-transactions are also examples of day-to-day file transfer needs, as well as contracts, patents and other types of sensitive information that is exchanged or shared on a regular basis with external entities.
It could also affect the party with whom this information is concerned, and damage the organization's reputation. For example, imagine the results of an M&A agreement exposed before the deal is closed, or a sensitive design file shared with a manufacturer or supplier that has leaked. Other than the implications on the organization itself, there are also regulation issues of personal liability for mismanaging sensitive information.
You can use digital vaulting to eliminate this risk using a unified solution to secure both privileged access and highly sensitive data. It means you can put all your sensitive documents under a virtual lock and key, only making the information accessible to those who have permission to access that information. It’s a product the auditors and IT security people love because you know exactly who has access to the information and when. It also means that the IT department no longer have total control over every person’s computer systems! So unless you’re like Croucher Brewing Company in New Zealand that is offering Free Beer for Life for the return on their corporate secrets, then its time to take control otherwise the monkey will continue to be the organ grinder!
www.cyber-ark.com