This blog is based on an article that Mark wrote for SC Magazine. Read the original piece here.

The conversation around security often focuses on hackers getting in. We talk about phishing scams being on the rise, using topical issues such as COVID-19 to trick users into clicking fraudulent links, and other innovative tactics attackers use to access networks.

However, what happens when an attacker gets into your network? Too many employees can access data that they shouldn’t be able to, and this puts companies at huge risk, allowing attackers to access sensitive information.

Moreover, an estimated 90 percent of tech crimes are committed by employees, and most data breaches are simply about access and opportunity. 75 percent of employees say that they have access to data they shouldn’t, and 25 percent of employees would be willing to sell company data to a competitor for less than £6,000.

These stats are concerning. Whether malicious or not, insider threat is a huge problem in business that needs addressing. To a certain extent, entitlement reviews serve the purpose of lessening that threat. If access to sensitive information and data is only given to those who require it, the chances of that data leaking out of the company lower significantly.

Despite this, entitlement reviews are a dreaded task for many managers. Typically completed manually, they can be time-consuming, thankless, and often prone to errors, with little demonstrable benefit. As a result, managers and businesses frequently question the necessity of entitlement reviews.

They can be viewed as a waste of valuable time, and even outsourcing the task can quickly become very expensive and slow when completed manually. After all, not every company will suffer the misfortune of being hacked. Realistically, the chances are low, but if and when data is leaked, there are major consequences and heavy prices to pay.

The wrong question

A lack of regular entitlement reviews, performed properly, will put businesses at a much higher risk of a wide range of potential problems, not to mention risking non-compliance with regulation. For example, former employees could potentially gain remote access to the company network and email system, the system could be compromised through the use of vendor passwords that never expire, dormant administrative accounts that are still active could be misused, or employees who move departments might keep their old privileges. Quite simply, if you perform entitlement reviews regularly, you’re more protected from these risks than if you don’t.
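The four cases listed above can each be checked mechanically against an account inventory. The Python below is an added example, not code from the original article or from Idax; the field names, the department-to-group policy, the 90-day dormancy threshold and the sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:                     # hypothetical inventory record
    name: str
    kind: str                      # "employee" or "vendor"
    department: str                # current department
    current: bool                  # still employed / still under contract
    is_admin: bool
    password_expires: bool
    last_login: date
    groups: frozenset              # access groups the account holds today

# Assumed policy: the groups each department is expected to hold.
DEPARTMENT_GROUPS = {"finance": {"ledger", "payroll"}, "sales": {"crm"},
                     "it": {"servers"}, "external": {"support-portal"}}
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold

def review(accounts, today):
    """Return {account name: [findings]} for the four risks in the text."""
    findings = {}
    for a in accounts:
        issues = []
        if not a.current:
            issues.append("former employee still enabled")
        if a.kind == "vendor" and not a.password_expires:
            issues.append("vendor password never expires")
        if a.is_admin and today - a.last_login > DORMANT_AFTER:
            issues.append("dormant administrative account")
        # Groups beyond the current department's set suggest rights kept after a move.
        extra = a.groups - DEPARTMENT_GROUPS.get(a.department, set())
        if a.current and extra:
            issues.append("privileges outside current department: " + ", ".join(sorted(extra)))
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample data, for illustration only.
TODAY = date(2021, 1, 15)
ACCOUNTS = [
    Account("alice", "employee", "sales", True, False, True, date(2021, 1, 14), frozenset({"crm", "payroll"})),
    Account("bob", "employee", "finance", False, False, True, date(2020, 12, 1), frozenset({"ledger"})),
    Account("acme-support", "vendor", "external", True, False, False, date(2021, 1, 10), frozenset({"support-portal"})),
    Account("old-admin", "employee", "it", True, True, True, date(2020, 6, 1), frozenset({"servers"})),
    Account("carol", "employee", "finance", True, False, True, date(2021, 1, 13), frozenset({"ledger", "payroll"})),
]
```

Calling `review(ACCOUNTS, TODAY)` flags four of the five sample accounts and leaves `carol`, whose groups match her department, out of the result.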

Maybe we are asking the wrong question when we wonder whether we still need entitlement reviews. At the end of the day, they clearly play an important role in protecting sensitive information. However, manually performing the task is often at the bottom of every manager’s list.

Instead of asking whether we even need them any more, we should be thinking about how we can make them easier and more effective.

How can we make the process quicker and easier?

Managers shouldn’t have to trawl through countless files to help protect their business from insider threat, sifting through spreadsheets figuring out who wrongly has access to what data.

Any company that needs cyber-security (arguably every company on the planet, considering how digitally reliant we are today) needs entitlement reviews in some form. That’s a lot of potential man hours.

But businesses no longer need managers to spend countless hours reviewing each individual’s access to data; it’s all available through technology. Idax’s solution instantly analyses access rights across your organisation and provides insights into which employees have unusual rights compared to their peers – effectively performing the entitlement review for you, within minutes.

Our solution puts the user experience first, a significant change from hours of poring over spreadsheets, reviewing every access right your employees have. Our intuitive user interface makes it easy and convenient to engage with the process, ultimately making the results more reliable.

There really is no excuse for companies to be avoiding entitlement reviews, potentially exposing themselves to massive consequences as a result. We do still need entitlement reviews, but they’re much easier to complete today than ever before.