Access controls: Protecting your systems and data
Is your data properly protected?
Do existing staff or former employees have access to personal data they shouldn’t have access to? Keeping your business’ IT estate and personal data safe and secure is vital. One of the key ways to achieve this is by having robust access controls.
Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach. This could have very serious consequences for your customers and staff, and the business’ reputation and finances.
How things can go wrong
- Recently a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time.
- In 2023 a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family.
- In 2022 a former staff advisor for an NHS Foundation was recently found guilty of accessing patient records without a valid reason.
Anecdotally, we know of cases of former employees being found to be using their previous employer’s personal data once they have moved onto a new role.
The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations. Add to this the risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what.
High-level check list
1. Apply the ‘Principle of Least Privilege’
There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP). This sets a rule that employees should have only the minimum access rights needed to perform their job functions.
Think of it in the same way as the ‘minimisation’ principle within GDPR. You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need.
By adopting this principle, you can prevent the risk of employees gaining more access rights over time. You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change.
If your access controls haven’t been reviewed for a long time, adopting PoLP can give you great start point to tighten up security.
2. Identity and Access Management
IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources.
IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role. One IAM example you may have heard of is Microsoft’s Active Directory.
3. Role-based access
Your business might have several departments and various levels of responsibility within them. Most employees won’t need access to all areas.
Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meets the needs of the type of job they do.
4. Security layers
Striking the right balance between usability and security is not easy. It’s important to consider the sensitivity of different data and the risks if that data was breached. You can take a proportionate approach to setting your security controls.
For example personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data.
Technologies can help you apply proportionate levels of security. Implementing security technologies at the appropriate levels can give greater protection to certain systems & data which demand a high level of security (i.e. strictly-controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience.
5. Using biometrics
How do you access your laptop or phone? Many of us use our fingerprint or facial recognition which give a high level of security, using our own biometrics data. But some say, for all their convenience benefits, they are not as secure as a complex password!
But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you. Sadly lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link.
6. Multi-factor authentication (MFA)
Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs.
But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it. I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant.
There are an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!