One question many organizations must answer nowadays about access control is: how much access is too much? Access control has always been a top priority when it comes to security, but monitoring who has access to what matters more today than it ever has in the past. If even one door (both literally and figuratively speaking) is left unlocked, it may have serious consequences for your organization.
Improper identity management can directly lead to employees using access cards or keys to commit crimes; in fact, it’s a problem that many businesses find themselves facing. One industry where employee access is a huge security issue is the airport industry. With a multitude of entrances and exits across numerous facilities, and a large number of staff members, it is crucial to make sure employees aren’t accessing areas they shouldn’t be or taking advantage of the access they are given. One instance of this type of scenario comes from Atlanta’s Hartsfield-Jackson Airport in 2014. In this case, baggage handlers used their badges to bypass security and smuggle carry-on bags full of guns and other weapons onto flights. In total, over 120 handguns and 2 assault rifles were transported from Georgia to New York. This is just one example out of countless others where an airport employee used his or her access to smuggle contraband items past security and onto flights, and it illustrates the consequences of not monitoring employee access.
While it’s important to restrict and oversee physical employee access, it is also very important to limit and monitor electronic employee access, specifically when it comes to privileged accounts. Privileged accounts should be considered to be any accounts that contain valuable information, passwords, and access to other systems. It’s quite common to share this type of information in the workplace, and doing so can give disgruntled employees and/or hackers the ability to do serious damage to your business, such as transferring money, disseminating confidential information to the public, or installing malware on your computer. One recent example of what can happen when privileged accounts are infiltrated comes from the Democratic National Convention, where former DNC Chairwoman Debbie Wasserman Schultz was forced to resign from her position after over 19,000 emails containing harmful information were released on the website WikiLeaks.
If you feel that your organization is vulnerable to events similar to the examples above, there are steps you can take to prevent improper access before it occurs. The first step is determining who needs access to what, a very basic question that must be taken seriously. Second, implementing a least-privilege access system will grant employees access only to the things they need. Finally, monitor activity on the accounts to which you have granted access. This will give you the ability to easily spot when a breach has occurred, what data has been accessed, and who accessed it.
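The three steps above, sketched as an added example that is not part of the original article: the role names, resources, users and log entries are all constructed for illustration, and the log format is an assumption rather than any particular badge or identity system's output.

```python
"""Added illustration: need mapping, least-privilege review, activity monitoring."""
from collections import defaultdict

# Step 1 (constructed data): what each role needs in order to do its job.
ROLE_NEEDS = {
    "baggage_handler": {"baggage_hall", "ramp"},
    "finance_clerk": {"payroll_app"},
    "it_admin": {"payroll_app", "mail_admin", "server_room"},
}
# Constructed identity records: each user's role and current grants.
USERS = {
    "avery": {"role": "baggage_handler",
              "grants": {"baggage_hall", "ramp", "concourse_door"}},
    "blake": {"role": "finance_clerk", "grants": {"payroll_app", "mail_admin"}},
    "casey": {"role": "it_admin",
              "grants": {"payroll_app", "mail_admin", "server_room"}},
}
# Constructed access log: (timestamp, user, resource, decision).
ACCESS_LOG = [
    ("2024-03-04T05:58", "avery", "ramp", "allow"),
    ("2024-03-04T06:10", "avery", "concourse_door", "allow"),
    ("2024-03-04T09:30", "blake", "payroll_app", "allow"),
    ("2024-03-04T09:41", "blake", "mail_admin", "allow"),
    ("2024-03-04T10:02", "blake", "server_room", "deny"),
    ("2024-03-04T11:15", "casey", "mail_admin", "allow"),
]

def excess_grants(users, role_needs):
    """Step 2: grants beyond what the user's role needs (candidates to revoke)."""
    out = {}
    for name, rec in users.items():
        extra = rec["grants"] - role_needs.get(rec["role"], set())
        if extra:
            out[name] = extra
    return out

def flag_events(log, users, role_needs):
    """Step 3: flag allowed use of an excess grant and denied attempts."""
    findings = defaultdict(list)
    for ts, user, resource, decision in log:
        rec = users.get(user)  # unknown users have no needs, so are always flagged
        needed = role_needs.get(rec["role"], set()) if rec else set()
        if resource in needed:
            continue
        kind = "used_excess_grant" if decision == "allow" else "denied_attempt"
        findings[user].append((ts, resource, kind))
    return dict(findings)

if __name__ == "__main__":
    print(excess_grants(USERS, ROLE_NEEDS))
    print(flag_events(ACCESS_LOG, USERS, ROLE_NEEDS))
```

The review in step 2 shows what to revoke before anything happens; the log pass in step 3 shows who actually exercised access their role does not call for, and when.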
As businesses become more dependent on access control to protect their data, and more reliant on a larger workforce to run their business, access control should be increasingly important in protecting your organization. Following these simple steps diligently will help protect your business, the employees that work in it, and most of all, the customers that make up your business.