Insider threats are a growing concern for any large corporation.  In 2016, 40% of successful breaches were due to outsiders, but 37% were due to insider threats. These numbers show that these types of attackers are just as popular as threats caused by employees, vendors or corporate contractors. Insider threats include anything from simple employee negligence to more malicious attacks where the employee steals data. When data is lost, it can cost thousands of dollars in penalties. Even if the breach was on accident. One major reason for the success of these attacks is that permissions aggregate instead of security setting a “need-to-know” basis for access.

The Concept of Need-to-Know Access

You’ve probably seen those television shows where confidential information is leaked from an insider. In the real world, it’s very similar to cyber security threats. Someone with legitimate access to a document or set of data is able to retrieve it, store it, and send it to a third party. Only people who need to know should have access to any confidential information.

How do IT people understand a need to know the situation? Usually, a manager or executive that “owns” the data signs off on permissions. They verify that the person who has access needs to have access to it to perform their job function. The manager signing off on the access permissions take ownership for the person that has access, and they manage users who should have access.

When you have a list of permissions and give ownership to managers, you then have a paper trail, should the user leave the company. It also takes responsibility away from an IT administrator who does not know who should have access to what data. Lots to do, little bandwidth.

Permission Aggregation

Permission aggregation is a security issue when users move from position to position within the company and never have any of their permissions revoked. Permissions to data for another organization within the enterprise are left intact. This breaks the “need-to-know” standard because once the employee moves to a different position, they no longer need to have access to data from the previous position. Only let the right ones in. Only let the right ones stay. Keep everyone else out!

Some users move positions several times within the organization. This happens mainly with large enterprises that have several layers of data. Often, this data is much more sensitive than in smaller organizations.

After the employee moves several times across the enterprise, they’ve aggregated permissions and have access to data across multiple divisions. This gives them access to almost the entire library of data that is worth millions to the right buyer. This permission aggregation habit leaves the organization open to severe insider risks and threats should the user either negligently or maliciously decide to steal data and send it to a third party.

It’s also not uncommon for employees to share passwords and other credentials. Plus, this allows other employees access to data under the wrong credentials. This can lead to insider threats and make it difficult for security to identify them due to poor credential management.

How Do You Handle Permission Aggregation?

Permissions, permissions. Instead of adding permissions without revoking them, each time an employee moves to a different position, previous permissions should be evaluated. Any current permissions should be evaluated on a “need-to-know” basis and any of them that aren’t necessary should be revoked. Evaluate permissions between IT, security, and current and former managers of the employee. Ensure that checks are in place to make sure permissions are up-to-date. This takes active monitoring. But the results are worth it.

Avoid permission aggregation by routinely revoking permissions. Don’t let the threat of lingering permissions grow. Every second counts. It also stops insider threats from any other users that have access to the employee’s credentials.

To safeguard your organization from insider threats from unlocked desktops, GateKeeper 2FA + password manager can help. Remember, keep things on a need-to-know basis. Let automation keep things secure so people can focus on their core tasks.