Access controls: Protecting your systems and data

August 2022

Is your data properly protected?

Do existing staff or former employees have access to personal data they shouldn’t have access to?  Keeping your business’ IT estate and personal data safe and secure is vital.  One of the key ways to achieve this is by having robust access controls.

Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach.  Which could have very serious consequences for your customers and staff, and the business’ reputation and finances.

A former staff advisor for an NHS Foundation was recently found guilty of accessing patient records without a valid reason.  The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations.

Add to this the increased post-Covid risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what.

High-level check list of areas to consider

1. Apply the ‘Principle of Least Privilege’

There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP).  This sets a rule that employees should have only the minimum access rights needed to perform their job functions.

Think of it in the same way as the ‘minimisation’ principle within GDPR.  You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need.

By adopting this principle, you can prevent the risk of employees gaining more access rights over time.  You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change.

If your access controls haven’t been reviewed for a long time, adopting PoLP can give you great start point to tighten up security.

2. Identity and Access Management

IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources.

IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role.  One IAM example you may have heard of is Microsoft’s Active Directory.

3. Role-based access

Your business might have several departments and various levels of responsibility within them.  Most employees won’t need access to all areas.

Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meets the needs of the type of job they do.

4. Security layers

Striking the right balance between usability and security is not easy.   It’s important to consider the sensitivity of different data and the risks if that data was breached.  You can take a proportionate approach to setting your security controls.

For example personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data.

Technologies can help you apply proportionate levels of security.  Implementing security technologies at the appropriate levels can give greater protection to certain systems & data which demand a high level of security (i.e. strictly-controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience.

5. Using biometrics

How do you access your laptop or phone? Many of us use our fingerprint or facial recognition which give a high level of security, using our own biometrics data.  But some say, for all their convenience benefits, they are not as secure as a complex password!

But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you.  Sadly lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link.

6. Multi-factor authentication (MFA)

Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs.

But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it.  I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant.

There are an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.