How to steal information from everyone: Facing the biggest threats

Earlier this year, the Information Commissioner’s Office (ICO) announced that it intended to hand out its biggest ever fine (£183m) to British Airways for a data breach. The hot topic of cybersecurity was thrust back under the spotlight by this news. Though this breach was apparently the result of a ‘sophisticated, malicious criminal attack’, the truth is that it’s easier to steal information from a company than many might think.

One of the biggest weaknesses of a company’s security lies in its staff. A business can have all the most sophisticated and intelligent tools and processes in place, but if it doesn’t have a good security culture, it is doomed. Employees must understand the impact and importance of security breaches and what they can do to avoid them. Otherwise, what is to stop a determined threat actor from simply tricking an employee into giving away sensitive information?

Insider Threat

Data theft isn’t always carried out by a stereotypical hacker, sat in a dark room, typing away at a laptop using code to weave through various security systems. It’s not all Anonymous, Fancy Bear and Lizard Squad. There are two key ingredients that provide the perfect conditions for threat actors to operate in: an employee’s access to data that they shouldn’t have, and a lack of knowledge, or vigilance, when it comes to protecting information.

How often do we hear someone willingly admit that they are ‘terrible’ when it comes to creating passwords? Far too many people use the same combination of words or numbers for everything, or have a specific formula for their next password. It’s dangerously common.

Vulnerability Through Complacency

Now imagine a social setting – you’re at dinner, or having drinks with a group of people. The same conversation about passwords comes up, and one person admits that they always use their next holiday destination. Everyone laughs, the conversation moves on and that throwaway comment is forgotten about… by most.

However, a little later, an unknown threat actor starts chatting to that same person. They start talking about holidays: he’s jetting off to Barcelona in a few months. And in that instant, this threat actor – who for all intents and purposes is nothing more than a friendly acquaintance – has the power to access all the data and systems that the soon-to-be holidaymaker can. A very straightforward example, but the principle stands.

Another hard truth for businesses is that not only do employees get tricked into handing out passwords, but they’re also frequently blackmailed or bribed. In fact, 25% of people admit that they would be willing to sell company data for less than $8,000. And it is only made worse by poor (or sometimes even non-existent) access management systems. Even if an organisation has countless security systems in place designed to stop external threats, there are still employees within these companies that have access to information that they shouldn’t. According to the Ponemon Institute, 71% of people say that they have access to important information that they shouldn’t, and what’s worse is that companies are rarely aware when this is happening. As a result, employees don’t receive the correct training, nor is the right culture in place to help protect the organisation from insider threat. Whether an insider maliciously intends to take information, or if they unknowingly give it away, this oversight can cause huge trouble for businesses.

Removing the Risk

Idax has created a solution for companies that are worried about important data falling into the wrong hands. Our solution analyses which employees have access to what, and highlights those who have unusual rights compared to their peers. These are the employees that can be the greatest threat to a company – whether they’re acting maliciously or not. If an employee isn’t clued in on how to protect their organisation’s data, there is little to stop a threat actor from stealing company information.

Idax allows managers to take charge of access rights with ease and accuracy, potentially avoiding the risk of cyber breaches in what is otherwise viewed as a dull and thankless task.

Mark Rodbert, CEO, idax Software

Do we still need entitlement reviews?

This blog is based on an article that Mark wrote for SC Magazine.

The conversation around security often focuses on hackers getting in. We talk about phishing scams being on the rise, using topical issues such as COVID-19 to trick users into clicking fraudulent links, and other innovative tactics attackers use to access networks.

However, what happens when an attacker gets into your network? Too many employees can access data that they shouldn’t be able to, and this puts companies at huge risk, allowing attackers to access sensitive information.

Moreover, an estimated 90 percent of tech crimes are committed by employees, and most data breaches are simply about access and opportunity. 75 percent of employees say that they have access to data they shouldn’t, and 25 percent of employees would be willing to sell company data to a competitor for less than £6,000.

These stats are concerning. Whether malicious or not, insider threat is a huge problem in business that needs addressing. To a certain extent, entitlement reviews serve the purpose of lessening that threat. If access to sensitive information and data is only given to those who require it, the chances of that data leaking out of the company lower significantly.

Despite this, entitlement reviews are a dreaded task for many managers. Typically completed manually, they can be time-consuming, thankless, and often prone to errors, with little demonstrable benefit. As a result, managers and businesses frequently question the necessity of entitlement reviews.

They can be viewed as a waste of valuable time, and even outsourcing the task can quickly become very expensive and slow when completed manually. After all, not every company will suffer the misfortune of being hacked. Realistically, the chances are low, but if and when data is leaked, there are major consequences and heavy prices to pay.

The wrong question

A lack of regular entitlement reviews, performed properly, will put businesses at a much higher risk of a wide range of potential problems, not to mention risking non-compliance with regulation. For example, former employees could potentially gain remote access to the company network and email system, the system could be compromised through the use of vendor passwords that never expire, there could be a misuse of dormant administrative accounts that are still active, or employees that move departments might keep their old privileges. Quite simply, if you perform entitlement reviews regularly, you’re more protected from these risks than if not.
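The four risks listed above can be checked mechanically against an account export. The following is an added example, not idax's product and not code from the original post; the record fields, the 90-day dormancy threshold and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; the post does not give one


@dataclass
class Account:
    user: str
    kind: str            # "employee", "vendor" or "admin"
    enabled: bool        # can the account currently log in?
    hr_status: str       # "active" or "left", as recorded by HR
    department: str      # current department
    last_login: date
    password_expires: bool = True
    # entitlement name -> department it was originally granted for
    entitlements: dict = field(default_factory=dict)


def review(accounts, today):
    """Return {user: [findings]} for the four risks named in the post."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be used to log in
        hits = []
        if a.hr_status == "left":
            hits.append("leaver account still enabled")
        if a.kind == "vendor" and not a.password_expires:
            hits.append("vendor password never expires")
        if a.kind == "admin" and (today - a.last_login).days > DORMANT_DAYS:
            hits.append("dormant admin account still active")
        # Movers: entitlements granted for a department the user has left.
        stale = sorted(e for e, d in a.entitlements.items() if d != a.department)
        if a.hr_status == "active" and stale:
            hits.append("kept privileges from old department: " + ", ".join(stale))
        if hits:
            findings[a.user] = hits
    return findings


# Constructed sample data, not taken from any real system.
TODAY = date(2020, 6, 1)
ACCOUNTS = [
    Account("alice", "employee", True, "active", "finance", date(2020, 5, 29),
            entitlements={"ledger-rw": "finance"}),
    Account("bob", "employee", True, "left", "sales", date(2020, 5, 20),
            entitlements={"crm-rw": "sales"}),
    Account("carol", "employee", True, "active", "marketing", date(2020, 5, 30),
            entitlements={"payments-approve": "payments", "cms-edit": "marketing"}),
    Account("hvac-vendor", "vendor", True, "active", "external", date(2020, 4, 2),
            password_expires=False),
    Account("old-dbadmin", "admin", True, "active", "it", date(2019, 11, 3)),
    Account("dave", "employee", False, "left", "sales", date(2020, 1, 10)),
]

if __name__ == "__main__":
    for user, hits in review(ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(hits))
```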

Maybe we are asking the wrong question when we wonder whether we still need entitlement reviews. At the end of the day, they clearly play an important role in protecting sensitive information. However, manually performing the task is often at the bottom of every manager’s list.

Instead of asking whether we even need them any more, we should be thinking about how we can make them easier and more effective.

How can we make the process quicker and easier?

Managers shouldn’t have to trawl through countless files to help protect their business from insider threat, sifting through spreadsheets figuring out who wrongly has access to what data.

Any company that needs cyber-security (arguably every company on the planet, considering how digitally reliant we are today) needs entitlement reviews in some form. That’s a lot of potential man hours.

But businesses no longer need managers to spend countless hours reviewing each individual’s access to data; it’s all available through technology. Idax’s solution instantly analyses access rights across your organisation and provides insights into which employees have unusual rights compared to their peers – effectively performing the entitlement review for you, within minutes.

Our solution puts the user experience first, a significant change from hours of poring over spreadsheets, reviewing every access right your employees have. Our intuitive user interface makes it easy and convenient to engage with the process, ultimately making the results more reliable.

There really is no excuse for companies to be avoiding entitlement reviews, potentially exposing themselves to massive consequences as a result. We do still need entitlement reviews, but they’re much easier to complete today than ever before.

How we have transformed every manager’s least favourite task

Reviewing their team’s computer access is one of those tasks all managers dread. The traditional approach is important in locking down internal threats. However, doing the job properly requires managers to spend long hours trawling through files, looking at systems their staff access, and deciding whether to approve or revoke access. Not the most exciting chore, and one that most managers have neither the knowledge nor the tools to complete effectively.

It’s understandable that since it is such a thankless task, line managers often don’t give it the importance it deserves. Many fail to understand the importance of access reviews and the potential consequences should they make a mistake. After all, why should it matter if employees have access to things, especially if they’ve had it for a while?

This is the issue that idax addresses: how can you provide information that managers need to make quick and informed decisions, and what systems do you need to make sure those managers stay engaged through the process? Coupled with that, how do you use modern analytics to identify where intervention is needed, and make effective use of everyone’s time?

Internal security is often not taken seriously and there is a widespread lack of understanding from the boardroom down on where the risks lie. An estimated 90% of tech crimes are committed by employees; and most data breaches are simply about access and opportunity. 75% of employees say that they have access to data they shouldn’t, and 25% of employees would be willing to sell company data to a competitor for less than $8,000.

With insider threat posing such a significant risk, it is clear that reviewing access rights is crucial for a company’s security, but not only is the typical process tedious and time-consuming, it’s also largely ineffective.

Firstly, the manager is faced with a complicated spreadsheet full of data about access rights for their staff. The names are opaque, the process lacks context, and this makes it difficult for the manager to understand what to do. And if there is anything that seems unusual, there has typically been no way to simply question the access without taking it away completely.

12% of all entitlements that are taken away in a review are re-requested soon afterwards – something that can make managers question whether the exercise is an efficient use of their time. Furthermore, when it costs a company an average of $18 per transaction for access, this can quickly become not only a time-consuming and dull task, but also very expensive.

Here at idax, we have created a solution that provides relevant information to the manager for people with risks they need to address. Idax instantly analyses access rights, highlighting which employees have unusual rights compared to their peers. These are the employees that are in the position to cause the most damage to the business – whether maliciously or accidentally. Critically, our solution gives managers the option to take charge of the process, and question access rights, potentially avoiding the risk of cyber breaches.

By improving the user interface and user experience, we have made managers more likely to engage proactively with the process. Idax Version 3 encourages managers to take an active role in the security of the company’s data. This is why idax prioritises an engaging user interface (UI) in the version 3 update. With an intuitive, state-of-the-art UI, idax motivates managers to really engage with the software, empowering their journey towards a more secure and wholly trusted environment.

Idax Software Announces Strategic Partnership With EA Optimised

Idax, the IAM analytics software company, has today announced a strategic partnership with leading cloud security consulting firm, EA Optimised. The partnership is a key part of idax’s channel strategy, partnering with leading security innovation consultancies to deliver outstanding client solutions for the emerging cloud analytics space.

Idax’s partnership with EA Optimised comes after it launched Version 3 (V3) of its identity analytics platform earlier in the year. V3 of idax puts user experience first, giving staff the information they need to make the right decisions.

Specialising in Cloud Migration and Identity and Access Management (IAM), EA Optimised will offer idax’s IAM analytics platform to its client base, which includes organisations such as HSBC, One Family Mutual, The Home Office and Welsh Government.

Mark Rodbert, CEO of Idax, commented: “There is a great synergy with EA Optimised, as they manage entitlements in the cloud, on virtual machines and in containers across different platforms. As such, this partnership fits perfectly with our strategic direction to provide analytic security capability for enterprises. We are all really excited about working with EA Optimised to use our combined expertise for our clients.”

Iain Cox, CEO of EA Optimised, commented: “We see real client benefits in idax’s ground-breaking IAM analytics platform. It fits perfectly in our roster of partnerships, alongside Ping and Forgerock, and gives us complete client solutions for the cloud.”

In this time of ever-growing cyber threats, most organisations focus their defence on implementing solutions to prevent people from getting in – but what about the people who are already in? There is a significant, and largely underestimated, threat, which lies a lot closer to home. A staggering sixty-six percent of organisations consider malicious insider attacks or accidental breaches more likely than external attacks. Whether they are the result of bad actors, collusion or unwitting accomplices, most breaches are simply about access and opportunity.

Idax’s platform analyses access rights, highlighting which employees have unusual rights compared to their peers. The technology gives results within minutes, without any prior knowledge about the workings of your business. The solution provides a modern, intuitive user interface to make the results simple and easy for line managers to understand and action.

– ENDS-

Issued by Jargon PR on behalf of idax Software. For more information, contact Ben Davies at idax@jargonpr.com or 01189 739 370.

About idax Software

Using identity analytics, idax is the world’s leading company in automatically analysing the access rights for an organisation, quantifying the risk and determining who has excessive access requiring adjustment. Protecting digital information is critical for modern companies. Most cyber fraud is committed by employees. As technology becomes more complex, knowing whether or not someone should have access to systems is beyond the capability and knowledge of managers and traditional systems. What is required is a new approach. Using proprietary algorithms, idax enables organisations to manage access changes in real-time, making it possible to dynamically enforce the principle of ‘least privilege’.

For more information, visit https://idaxsoftware.com/

Why the UI is such a critical part of any security product

There are countless reasons why a cyber breach might take place and break through a company’s existing defences. A weak firewall, poor passwords, and phishing scams are usually pinned as the reason. However, there is one area that is equally as critical and yet often overlooked: insider threat.

Insider threat is now looking worse than ever before, with an estimated 90% of tech crimes being committed by employees. Most data breaches are simply about access and opportunity. 75% of employees say that they have access to data they shouldn’t, and 25% of employees are willing to sell data to a competitor for less than $8,000.

So it is clear that a strong solution is needed and that we need it now. A large-scale culture shift may be the only way to truly combat insider threats. Everyone in the organisation needs to be made to feel that cyber security is their own responsibility – from the CEO to the worker on the shop floor. But without the right tools and information, there’s no clear path for companies to choose.

Implementing a solution to analyse the employees that are most likely to become threats in terms of access rights is a step in the right direction. For example, idax looks at what your staff have access to and tells you which of those access rights are unusual compared to the rest of the organisation and their peers.

However, you can throw all the analytics you want at a solution like this, but if people aren’t engaging and using the results to make good, informed decisions, there’s really no point at all.

This is one of the reasons why the user experience (UX) and the user interface (UI) are among the most important factors to consider when encouraging people to engage with the solution. A strong UI is not there just to look nice and be aesthetically pleasing. The UI of your identity analytics platform is a critical component for getting people engaged with security.

Traditionally, anything security-related has been taken care of by a specialist team – whether that is an IT team or a security team. In these cases, it doesn’t matter what the UI looks like, or if anyone other than the security team could understand and use it, as they would be the only people within the whole organisation engaging with it.

More and more organisations now are moving away from having just the security team deal with all things security, and are instead putting line managers in charge of access rights. This often involves the line manager having to deal with a highly complicated, confusing spreadsheet of access details, with no context or explanation about what in the list refers to what data, and what files are required for a role.

Idax looks at battling just this with the launch of our new version 3 update. By prioritising the user experience with an intuitive, state-of-the-art UI, we are encouraging companies to put the user experience at the forefront of cyber security and start their journey towards a safer and wholly trusted environment.

Ultimately, organisations will move towards a fundamentally different culture of security. Each and every employee will be given the responsibility of self-certifying their own access rights, using an engaging UI that everyone can use.

In the long run, idax is helping companies become part of the security revolution that will soon be upon us. Getting everyone in a company to self-certify their own access rights – with oversight and ultimate approval from line managers – will ultimately eliminate any internal threat whatsoever. However, this will take time. Creating a UI that line managers already intuitively know how to use, just from the way it looks, is the first step in kick-starting the culture change towards internal security.