Earlier this year, SEC’s Office of Compliance Inspections and Examinations (OCIE) generated a report on Cybersecurity and Resilience Observations. The report addresses seven critical areas for planning your cybersecurity and resiliency strategies, one of those areas being access rights and controls.
Access rights refer to the information and resources that a user has access to and how they can interact with that information– such as viewing or modifying content. Access controls look to verify a person’s identity (authentication) and if they have permissions to do a specific activity (authorization). If your ID card gives you access to particular rooms in a building, those are your access rights. If a security panel requires facial recognition to enter a room, it’s verifying your identity and level of access to that room. This is an example of access control. Imagine what would happen if you lost your ID card which had access to an entire building. What would happen if someone used your ID card to impersonate you? These are the types of vulnerabilities that attackers prey on digitally.
Defining Rights and Reducing Damage
Human error can be costly when it relates to cybersecurity. According to Verizon’s 2019 Data Breach Investigations Report, popular methods used for causing a breach were stolen credentials at 29% and phishing at 32%. Phishing is when an attacker uses social engineering to obtain information about someone. An example would be sending you an email impersonating your bank. The email may ask for you to confirm data like your social security number or date of birth. Attackers are becoming more sophisticated, so these emails often seem authentic. Once attackers have a user’s personal information, their goal is to get as much data as they can, as quickly as possible.
It’s best practice for user rights to follow the rule of least privilege. Having minimal access means a user can only access the data and resources required to do their job. By minimizing user rights, an attacker with stolen credentials has access to a limited amount of information. For users who need access to many databases, create separate accounts to segment access.
When defining access rights, you should ask the following questions:
- What rights do users need to perform their job?
- Who is granting and approving these rights?
Systems and Procedures
It’s not enough to minimize user access. Controls need to be in place to verify user identity and prevent unauthorized users from accomplishing tasks. Configuring access controls should start with policy that is backed by leadership. Policies need to be dynamic and reviewed often. With working from home becoming the new normal, there are more devices and new types of technology connecting to your business. If technology changes, so should your policies.
Implement access management procedures that minimize risk:
- Periodically recertify users. Maybe their access needs have changed.
- Enforce scheduled password updates. Require passwords to be strong.
- Use multi-factor authentication (MFA), such as sending a code via text message.
- Be aware of personnel changes and revoke credentials immediately.
Monitoring and Prevention
It’s essential to have a monitoring system in place to detect unusual activity. With advancements in technology, content governance solutions can use artificial intelligence and machine learning to monitor user behavior and learn from it. If a user doesn’t typically try to access information from Boston, the system can flag this activity and notify your IT team.
In the event of a breach, you will need to prove what measures were in place to prevent the attack. Auditors will want to know each step that was taken before, during, and after the breach. No solution can guarantee a breach won’t happen, but having the right combination of policies, access rights and controls, technology, and industry experts can reduce the amount of damage.
At Coretelligent, we provide comprehensive solutions to mitigate cybersecurity and compliance risk. See how our CoreArmor solution can help lower your cybersecurity risk and increase your peace of mind. Contact us at 855-841-5888 or via email to firstname.lastname@example.org for a complimentary initial consultation.