
Your company has been hacked. Did you even know?

By Ron Onur Aksoy

It’s a disturbing headline, isn’t it? And though you may not realize it, there is a very good chance that your company has experienced a breach without even knowing about it. Now, that’s not to say anything has been stolen, or that any horrible consequences are about to befall your organization: the stark reality is that you are vulnerable whether you’re aware of it or not.

For example, take the realities of cloud computing. The concept is simple: enable access anywhere, anytime for seamless connectivity and productivity. However, with this great functionality and opportunity for bigger and better things comes the scary part of cloud. The access that is given for all the good things cloud has to offer is also its biggest threat.

One of the primary challenges that most companies face is simply the lack of access management. Think of it this way: if a person works in the compliance department, that person should have access to compliance-based materials. Whether that’s reports, files, access to systems and applications, that access should be granted only on an as-needed basis. But that’s not always the case.

In many instances, as people move from department to department within an organization, through upward or lateral moves, the information they need to access changes with the position and job description. Therefore, with the previous example of a person in the compliance department, if and when they move to another department, let’s say Human Resources, shouldn’t their access to compliance materials be revoked? The answer is, of course, “yes.” The chances of it happening, however, are far less than you’d imagine.

That is not where this issue ends. Aside from employees having access to things they shouldn’t, there is a far greater threat for data breaches. How many contractors, consultants, temporary employees, people about to retire, and so on, have access to systems and files via the cloud? Most likely, far too many.

Now, if all of these people are still working at their respective tasks, great! Keep them working and producing. But what about the contractor who completed the job six months ago who still has access to files? What about the person who retired last year, yet can still log into systems long after the last piece of cake is served at their farewell party? Get the picture?

In fact, here is a perfect example. A good friend of mine told me about a colleague of his, a virtual CFO who works with a multitude of companies. That CFO left an organization, and yet almost a year later was still able to log into the company’s accounting software. And though no nefarious acts were carried out, and the CFO, being a stand-up guy, notified the company immediately so that his access could be revoked, this issue of access is of great concern. The potential for crime was created without a single bad guy “hacking” anything.

So, what needs to be done to fix this? Identity and Access Management (IAM) is one of the easiest and most effective ways to stop data breaches. And given that the latest stats show that 75% of breaches are from internal threats, the path becomes pretty clear as to what to implement first when contemplating a cyber-resiliency plan.

The threat is real and the partial solution is at least pretty simple. Making sure that there are roles and responsibilities assigned to access management is a great first step. Monitoring who accesses what, when, and for what reasons will at least paint an accurate picture of potential threats.
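To make that first step concrete, here is an added example (not from the original article) of a basic access review: it cross-checks an HR roster against exported account entitlements and flags the situations described above, such as access kept after a department move, accounts still enabled after a contractor or retiree has left, and accounts with no known owner. All names, departments, resources and dates are constructed sample data, and the role baseline is an assumed mapping.

```python
from datetime import date

# Constructed sample data (hypothetical people and systems).
HR_ROSTER = {
    "alice": {"dept": "hr", "status": "active", "ended": None},  # moved from compliance
    "bob": {"dept": "compliance", "status": "active", "ended": None},
    "carol": {"dept": "finance", "status": "contractor_ended", "ended": date(2023, 1, 15)},
    "dave": {"dept": "finance", "status": "retired", "ended": date(2022, 6, 30)},
}
# Assumed baseline: what each department is supposed to be able to reach.
ROLE_BASELINE = {
    "compliance": {"compliance_reports"},
    "hr": {"hr_records"},
    "finance": {"accounting_software"},
}
# Account export: (user, resource, enabled, last_login)
ACCOUNTS = [
    ("alice", "hr_records", True, date(2023, 7, 1)),
    ("alice", "compliance_reports", True, date(2023, 2, 1)),
    ("bob", "compliance_reports", True, date(2023, 7, 2)),
    ("carol", "accounting_software", True, date(2023, 6, 20)),
    ("dave", "accounting_software", True, None),
    ("erin", "accounting_software", True, date(2023, 5, 5)),  # not on the roster
]

def review_access(roster, baseline, accounts):
    """Return (user, resource, reason) for every enabled account that needs review."""
    findings = []
    for user, resource, enabled, last_login in accounts:
        if not enabled:
            continue
        person = roster.get(user)
        if person is None:
            # Nobody in HR records owns this account.
            findings.append((user, resource, "UNKNOWN_OWNER"))
        elif person["status"] != "active":
            # Departed person with live access; worse if it was used afterwards.
            used = last_login is not None and last_login > person["ended"]
            findings.append((user, resource, "LOGIN_AFTER_DEPARTURE" if used else "ORPHANED"))
        elif resource not in baseline.get(person["dept"], set()):
            # Still employed, but the access does not match the current role.
            findings.append((user, resource, "OUTSIDE_ROLE"))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS):
        print(*finding)
```

Run on a schedule against real HR and account exports, a report like this gives the person responsible for access management a short list of entitlements to revoke or justify.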

After all, the last thing you need is your financial data, internal reports, and more strewn across the internet for all to see. Because the worst headline will always be, “Your company has been hacked.”