The danger of internal data theft
Author
Ramón Heberlein
The media, news and Hollywood films of our time tell us about the dangers of foreign spies, hackers operating in the Darknet or a great cyberattack from a whole army of computer nerds. However, the reality can sometimes look different. A study by the auditing firm KPMG surveyed 1001 companies and found that 80% of all respondents fear internal data theft. 56% of all breaches of trade secrets occur because of the company's own staff, through so-called internal perpetrators. This means that James Bond and Co. do not account for the majority of the risk, but rather the company's own employees.
Why is internal data stolen?
The reason is quite simple: there is a lack of appropriate tools to detect acute risks. Many companies lack control over and transparency of access rights. What is needed is a rights management system that centrally and automatically regulates and organises authorisations and access rights. Business secrets, copyrights, financial accounts and highly sensitive data of employees and customers are quickly endangered if the overview is lost and the opportunity becomes a temptation: once you have access, you can view, steal and pass on data unhindered.
The aforementioned study by KPMG shows that 80% of the participating companies need to revise their authorisation concept. In many companies it is not fully apparent who is authorised for what, which leads to chaotic conditions and quickly invites unauthorised action. Just one example: in the case of internal reorganisations, the old access rights often remain in place. This means that the former head of the personnel department can still view the employee files, although they have long since ceased to be responsible for them. Particularly in the health sector, with its complex IT systems, medical staff are often given greater rights than necessary.
Rights should therefore only be granted according to the "need-to-know" principle, i.e. only those rights that are absolutely necessary for the performance of the work carried out. Applications for greater rights should go through several approval bodies. Practice shows that rights are granted more often than they are withdrawn; withdrawal of rights is rather rare. But this process is also very important.
So much for the problem. But what is the solution? The solution is to use an identity management tool, which controls the allocation and centralises the administration of access rights. The advantage is obvious: the assignment of rights is policy-driven, the overview of authorisations is guaranteed and the revocation of rights is secure. Take our former head of human resources, who has now changed position internally: the system automatically locks their user account and all access rights and deletes them permanently after a defined period of time. At the same time, they receive the new access rights that are relevant for them from now on. Compliance requirements are thus met, as the management of digital identities is documented and the granting and revocation of authorisations becomes traceable.
Three basic steps to help protect your company data
You are right to ask how your company can achieve these security standards. A reasonable method is to follow a multi-stage approach consisting of three basic steps.
Step 1: Analyse the authorisations in your company and identify existing security gaps! Only then will the automated and centralised administration of authorisations be possible.
Step 2: Introduce uniform role management! This way, you create automated processes for the assignment of rights, and any circumvention of these processes would be detected.
Step 3: Import user data automatically into an identity access management system and create the connection with an HR system!
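The three steps above can be sketched as a reconciliation check. This is an added example, not code from the article or from any product it describes, and all user, role and entitlement names are constructed. It compares what the target systems actually grant with what each HR role allows under need-to-know, flagging leftover rights after a job change, rights of staff who have left, and accounts unknown to HR.

```python
# Constructed sample data; all role, user and entitlement names are hypothetical.
ROLE_POLICY = {  # Step 2: one uniform role -> need-to-know entitlements
    "hr_manager": {"hr:employee_files", "hr:payroll_read", "mail"},
    "sales_manager": {"crm:accounts", "crm:forecast", "mail"},
    "nurse": {"ehr:ward_records", "mail"},
}

HR_EXPORT = [  # Step 3: the HR system is the source of truth for identities
    {"user": "a.meyer", "role": "sales_manager", "active": True},  # moved from HR
    {"user": "b.kurz", "role": "nurse", "active": True},
    {"user": "c.lang", "role": "hr_manager", "active": False},  # has left
]

CURRENT_GRANTS = {  # Step 1: what the target systems actually grant today
    "a.meyer": {"hr:employee_files", "hr:payroll_read", "crm:accounts", "mail"},
    "b.kurz": {"ehr:ward_records", "ehr:all_records", "mail"},
    "c.lang": {"hr:employee_files", "mail"},
    "svc.old": {"crm:accounts"},
}


def audit_access(hr_export, role_policy, grants):
    """Return {user: finding} for every account that deviates from policy."""
    allowed = {}
    for rec in hr_export:
        if rec["role"] not in role_policy:
            raise ValueError(f"unknown role {rec['role']!r} for {rec['user']}")
        # Inactive staff are entitled to nothing, whatever their last role was.
        allowed[rec["user"]] = role_policy[rec["role"]] if rec["active"] else set()

    findings = {}
    for user in sorted(set(allowed) | set(grants)):
        have = grants.get(user, set())
        if user not in allowed:
            # Account exists in a target system but HR does not know it.
            findings[user] = {"revoke": set(have), "grant": set(), "orphaned": True}
            continue
        excess, missing = have - allowed[user], allowed[user] - have
        if excess or missing:
            findings[user] = {"revoke": excess, "grant": missing, "orphaned": False}
    return findings


if __name__ == "__main__":
    for user, f in audit_access(HR_EXPORT, ROLE_POLICY, CURRENT_GRANTS).items():
        print(user, "revoke:", sorted(f["revoke"]), "grant:", sorted(f["grant"]))
```

Run on a schedule against fresh HR and system exports, the "revoke" sets are the withdrawal work list that the article notes is rarely carried out.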
These steps will make your company as secure as possible to help prevent internal data theft. And this is necessary because, according to the study mentioned at the beginning, two-thirds of the participating companies expect an increase in crime by their own staff in the next few years. Don't be part of this statistic!