It all began with a common procedure
Jerry works for the development department in a medium-sized company. For personal reasons, he has to work from home for a few weeks – something the company normally does not allow. However, since Jerry has been a long-standing and reliable part of the team, the company decides to make an exception: the IT department sets up a VPN connection for Jerry on his private PC at home, so he can continue working on his projects.
After three weeks at home, Jerry returns to his workplace at the company. However, his supervisor forgets to inform the IT department about his return because the focus is on getting Jerry back on track with the current project his team is working on. The VPN connection is therefore forgotten and never disabled.
After some disputes with his supervisor, Jerry accepts a job offer from another company in the region and makes a decision with far-reaching consequences: He begins to steal work data from his current job, with the intention of bringing it to his new job. Jerry considers his options and decides that transferring the data to a USB stick is not an option, as the built-in device control prevents this, and e-mailing the results seems too risky as well. However, unlike the company’s IT department, Jerry has not forgotten about his still existent VPN connection.
As later investigations of the log files show, Jerry managed to copy confidential data to his home PC over a period of several weeks, using the VPN connection. The stolen data included CAD drawings and calculations of his former employer’s unpublished products. Had Jerry not blown his own covers by mentioning the data theft to a colleague in an inattentive moment, he would have caused damages of several million Euros to his former employer.
How can I protect my business?
To avoid this particular security risk, the IT department of Jerry’s company should have activated a suitable policy or DLP function in the VPN software. However, there are far more possible gateways for unauthorized access than just via VPN – for instance:
- Continued use of applications or privileges that should have long been removed, but still exist as remnants of previous activities in former departments
- Continued use of user accounts belonging to colleagues who have already left the company
- Continued use of project-related rights or other temporary rights that are still active, even though they should have been removed
The only reliable protection against such situations is provided by the principle of least privilege, which states that: „A user account (or process) should only receive those privileges which are essential to perform its intended function.“ If Jerry’s VPN connection had been disabled when he returned to his workplace, he could not have stolen the data using this gateway.
How can I achieve the principle of least privilege?
There are several ways to achieve this principle. With tenfold, you can easily implement all of the necessary procedures, which are outlined below:
- Standardize privileges and automate them:
Use the tenfold profile assistant, for instance, to find out which privileges are part of the standard set for your departments. Make sure that users receive the relevant privileges upon joining a department (so they can start work immediately) and that these privileges are withdrawn again once they leave the department (to ensure data security).
- Work with temporary privileges:
If you assign additional privileges outside the standard set for a department, always set an expiration date for them. If you need to resort to manual methods, you can do so by using a calendar with reminder function in Exchange. tenfold is able to conduct and automate this workflow and even provides a reminder with which the duration of the privilege activation can be extended automatically.
Establish a recertification process:
Data controllers should be required to check regularly whether accesses still correspond to actual business operations and demands. If everyone adheres to these processes correctly, it is fairly easy to detect unauthorized access quickly. Jerry could not have stolen data from the company had a solid certification process been in place. The disadvantage here is that, if the process is not system-based, collecting all of the necessary data to implement a certification process is very time-consuming for IT departments and also tedious for data controllers, who have to enter the data manually. tenfold offers integrated support for re-certification, while adhering to all necessary best practices.
Unauthorized access is a major problem. Theft of intellectual property and unauthorized access to personal information can have serious financial consequences and severely damage your company’s reputation.
You must therefore ensure that all employees have correctly set access rights that are in line with (and do not extend beyond) their needs for carrying out their specific jobs.
There are numerous approaches to achieving a high level of data security. However, the manual efforts and operational discipline required to implement these methods is discouraging to many companies or can lead to inadequate results. If you opt to use the appropriate IT tools – such as tenfold – you will soon see and feel an increase of success and IT security.