Tesla employee, pulling “hundreds of gigabytes” of proprietary data from company computers, and installing it on a personal hard drive. Sándor Bálint, security lead for applied data science at Balabit commented below.
Sándor Bálint, Security Lead for Applied Data Science at Balabit:
“When talking about privileged access, most people immediately think of system administrators possessing low level access rights to computer systems. The truth is, anyone at an organization who has access to sensitive information should be considered a user with a privileged level of access, and treated as such – regardless of their position, department, tenure, title or pay grade.
For many organisations, broad access to data is seen as desirable from a business perspective, as it directly increases business agility, fosters internal cooperation, and enables better decisions. This is especially true in a field where data, and the various ways of processing that data, constitutes the primary value the organisation delivers, and forms the main competitive advantage it has over its competitors. A reduction of lost time due to fighting access rights limitations translates into increased revenue, and therefore strict control of access is often seen as an impediment to business. All this results in an explosion in the number of privileged users, and with it, an implicit shift of the balance between security and trust, pushing it firmly in the direction of trust. Where security ends, trust begins – unfortunately, when that trust is broken, security suffers.
All that said, a company dealing with confidential and proprietary information should probably not allow hundreds of gigabytes of its most sensitive assets be copied to an employee’s personal hard drive. There is simply no legitimate reason why such data (and in such volume) should be stored on a personal hard drive. Backups and restoration of such information should be handled by corporate IT. Such actions, even if not entirely prevented, should at least be detected by internal controls, and once detected, ought to prompt an immediate investigation and possibly result in corrective action.
It is OK, to trust employees to get anything done. But such trust does not need to be blind trust. “Trust but verify” is a tried-and-true, basic security principle: you may not be able to protect an asset by putting a fence around it, but that doesn’t mean you can’t (or shouldn’t) monitor it and respond immediately if something suspicious happens. By using enhanced monitoring technologies, including advanced behavioural analytics, it is more likely actions that are out of the line are discovered, and a combination of timely discovery and rapid response often offers a good alternative to preventive controls, providing comparable security without unnecessarily constraining the business.”
Most Commented Posts
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Celebrating Data Privacy Day – 28th January 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
Most Active Commenters
Recent Comments
Meta’s fine over data privacy breaches underscores the critical challenges…
Hi, Thanks, that is really useful information. I do have…
“This is a very worrying attack that hit T-Mobile and…
“This latest cyberattack against T-Mobile may be smaller than previous…
“Genesis Market is a complex global criminal access marketplace. Buyers…