Tesla employee, pulling “hundreds of gigabytes” of proprietary data from company computers, and installing it on a personal hard drive. Sándor Bálint, security lead for applied data science at Balabit commented below.
Sándor Bálint, Security Lead for Applied Data Science at Balabit:
“When talking about privileged access, most people immediately think of system administrators possessing low level access rights to computer systems. The truth is, anyone at an organization who has access to sensitive information should be considered a user with a privileged level of access, and treated as such – regardless of their position, department, tenure, title or pay grade.
For many organisations, broad access to data is seen as desirable from a business perspective, as it directly increases business agility, fosters internal cooperation, and enables better decisions. This is especially true in a field where data, and the various ways of processing that data, constitutes the primary value the organisation delivers, and forms the main competitive advantage it has over its competitors. A reduction of lost time due to fighting access rights limitations translates into increased revenue, and therefore strict control of access is often seen as an impediment to business. All this results in an explosion in the number of privileged users, and with it, an implicit shift of the balance between security and trust, pushing it firmly in the direction of trust. Where security ends, trust begins – unfortunately, when that trust is broken, security suffers.
All that said, a company dealing with confidential and proprietary information should probably not allow hundreds of gigabytes of its most sensitive assets be copied to an employee’s personal hard drive. There is simply no legitimate reason why such data (and in such volume) should be stored on a personal hard drive. Backups and restoration of such information should be handled by corporate IT. Such actions, even if not entirely prevented, should at least be detected by internal controls, and once detected, ought to prompt an immediate investigation and possibly result in corrective action.
It is OK, to trust employees to get anything done. But such trust does not need to be blind trust. “Trust but verify” is a tried-and-true, basic security principle: you may not be able to protect an asset by putting a fence around it, but that doesn’t mean you can’t (or shouldn’t) monitor it and respond immediately if something suspicious happens. By using enhanced monitoring technologies, including advanced behavioural analytics, it is more likely actions that are out of the line are discovered, and a combination of timely discovery and rapid response often offers a good alternative to preventive controls, providing comparable security without unnecessarily constraining the business.”