This is the fourth in a series of posts in honor of National Cybersecurity Awareness Month. Each day this week, we’re sharing a practical cybersecurity tip for small businesses.
Cybersecurity attacks might conjure up images of hackers in hoodies clacking away in the shadows, but did you know that your own employees pose as great of a security threat if not more? According to CA Technologies’ 2018 Insider Threat Report, 66% of the organizations surveyed consider malicious insider attacks or accidental breaches more likely than external attacks. A 2018 Ponemon Institute report found that of the 3,269 insider incidents it evaluated, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from stolen credentials. Findings like these raise the question: Does everyone in your organization really need access to all your data?
Probably not. Employees should have the information they need to do their job, of course. But granting unlimited access to information is dangerous. Employees need not even have malicious intent to pose a threat. If an employee’s credentials are compromised, all the data to which the employee has access rights is at risk.
A similar risk applies to third-party contractors with access to company data (web developers, freelancers, bookkeepers, outsourced HR administration services, etc.). Contractors should have no more access to information systems than necessary to perform their scope of work. Some mistakenly believe a non-disclosure agreement is a substitute for limitations on access. A NDA could provide you a remedy if a contractor misuses company information, but it isn’t as effective as access controls in preventing information from falling into the wrong hands.
Limiting access to data has another benefit. If you want to claim that certain information is protected as a trade secret (note that trade secrets are often the subjects of NDAs), you’ll have to demonstrate that you took precautions to keep the information secret. As an example, the definition of “trade secret” in Hawaii’s trade secret protection law requires a showing that the information at issue “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Similarly, technical limitations to access may be necessary to enforce claims under the Computer Fraud and Abuse Act (CFAA), as the Ninth Circuit Court of Appeals ruled in a recent decision.
Access controls should be one of the considerations in structuring and organizing your data systems. A well thought out system segregates data so that granting access isn’t an all-or-nothing proposition. “Internal gatekeeping” of data goes a long way toward preventing loss from cybersecurity incidents.