Data Protection from the Inside Out
Cybersecurity challenges and data breaches continue to grow and impact all industries, and 2019 showed a huge increase in the number of firms and customers that had their private information exposed and compromised. Risk management, therefore, has become a required core competency of every IT department. Managing internal users and the risks they bring to an accounting firm or corporate finance department is where least privilege and zero trust should come into play.
The Principle of Least Privilege (POLP)
It’s a change in how an organization thinks about trust. Instead of trusting people and verifying what they do, this kind of risk management moves toward a never-trust-and-always-verify approach. POLP focuses on making sure every employee has access to the data and information they need to do their job — and no more! It may seem Orwellian, but there are significant reasons why now’s the perfect time to implement this.
Understanding the Risks
We’re talking about insider threats. With new accountant turnover at the highest rates in recent history, more and more junior people are entering and leaving firms and companies. Each one of these individuals brings an added risk to the organization and the exposure of customers’ data. This exposure can be accidental or deliberate, but it’s time to reduce this risk to a manageable level.
Organizations typically have large groups of employees that have access to large volumes of data. This often includes a broad ability to see customer information, open previous years’ projects and reach information that they would never use. Such breadth creates dramatic risk to the organization and limits the ability to determine what happened when data is exposed.
Junior staff members typically have access to information beyond their needs. This access allows movement of that information outside the company, including downloading to laptops or copying to Dropbox or Google drive, resulting in accidental exposure. Additionally, when a breach happens, the scope of that breach depends on what that specific user has access to. By using the POLP approach, the scope of that breach risk is dramatically reduced.
What’s the answer? First, within the applications accountants use for tax, audit and other services, restricting user access to only the customers they’re working on can help. This reduces the risk dramatically and appropriately limits exposure to what that employee has access to. And this isn’t just for junior accountants; it applies to everyone in the company.
Second, it’s wise to reduce the amount of data the person has access to. This includes files and folders, the volume of previous years’ data, and other shared information within the company. Employees should have access to what they need but not anything extra.
Lastly, from a technical support standpoint, system administrators should live within these boundaries as well. Each system administrator should have a normal account that they use on a day-to-day basis. They then have a second administrative account, with escalated privileges to see everything they need to and do the work they need to do. This second account is audited and monitored so that any and all changes beyond the scope of their normal work get recorded and can be reviewed later. This significantly limits the casual exposure of data and any nefarious activities.
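As an added illustration (not code from the article or from Netgain), the three steps above can be expressed as a small access-control model in Python: a normal account is granted only its assigned clients for the current tax year, a "before" account holds the whole firm-wide share, and the administrator's separate privileged account passes every check but writes each use to an audit log. The client names, files, account names and the `CURRENT_YEAR` value are all constructed for the example; the `exposure` function measures the breach scope the text describes, i.e. how many files an account would expose if it were compromised.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

CURRENT_YEAR = 2019  # assumed "this year's" engagements for the example

# Constructed sample of client files as (client, tax year, document);
# the client names are invented for this example.
FILES: List[Tuple[str, int, str]] = [
    ("Acme Corp", 2019, "1120-S return"),
    ("Acme Corp", 2018, "1120-S return"),
    ("Acme Corp", 2017, "audit workpapers"),
    ("Bright Dental", 2019, "payroll summary"),
    ("Bright Dental", 2018, "payroll summary"),
    ("Cedar Realty", 2019, "1065 return"),
    ("Cedar Realty", 2016, "1065 return"),
]


@dataclass(frozen=True)
class Grant:
    """Permission to read one client's files for a set of tax years."""
    client: str
    years: FrozenSet[int]


@dataclass
class Account:
    name: str
    grants: Tuple[Grant, ...] = ()
    privileged: bool = False  # True only for the separate administrative account


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)


def can_access(account: Account, client: str, year: int, log: AuditLog) -> bool:
    """Decide whether an account may read client/year.

    A normal account is allowed only what its grants say. A privileged
    account is allowed everything, but every use is written to the audit
    log so it can be reviewed later.
    """
    if account.privileged:
        log.entries.append(f"{account.name} read {client}/{year}")
        return True
    return any(g.client == client and year in g.years for g in account.grants)


def exposure(account: Account, log: AuditLog) -> List[Tuple[str, int, str]]:
    """Files reachable from the account: the blast radius if it is compromised."""
    return [f for f in FILES if can_access(account, f[0], f[1], log)]


def least_privilege_grants(clients: List[str]) -> Tuple[Grant, ...]:
    """Assigned clients only, current tax year only."""
    return tuple(Grant(c, frozenset({CURRENT_YEAR})) for c in clients)


# Before: a junior with the firm-wide share, every client, every year.
BROAD = Account("junior-broad", tuple(
    Grant(c, frozenset(y for _, y, _ in FILES)) for c in {c for c, _, _ in FILES}))
# After: the same junior limited to the two engagements they are assigned.
JUNIOR = Account("junior", least_privilege_grants(["Acme Corp", "Bright Dental"]))
# The system administrator's day-to-day account and their audited admin account.
ADMIN_NORMAL = Account("jsmith", least_privilege_grants(["Cedar Realty"]))
ADMIN_PRIV = Account("jsmith-adm", privileged=True)


if __name__ == "__main__":
    log = AuditLog()
    for acct in (BROAD, JUNIOR, ADMIN_NORMAL):
        print(f"{acct.name}: {len(exposure(acct, log))} of {len(FILES)} files reachable")
    can_access(ADMIN_PRIV, "Cedar Realty", 2016, log)
    print("audit log:", log.entries)
```

Running the block shows the over-provisioned account reaching all seven files while the least-privilege account reaches two, and the administrator's normal account leaves no audit trail while a single read with the privileged account produces a reviewable log entry. In a real deployment the grants would come from the practice-management or file-server permissions and the log from the directory or SIEM, but the decision logic is the same.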
Using this process solidifies one’s commitment to risk management within an organization. It’s best to understand and address risks, while creating an environment that protects both the customers’ data and the organization’s. This can be achieved with the POLP approach.
Netgain's IT Cloud is an NJCPA member benefit provider that offers optimized application hosting within a robust IT environment. Learn more at njcpa.org/benefits.
Bill Sorenson is the vice president of strategy of FinTech-CISO at Netgain. He can be reached at firstname.lastname@example.org.
This article appeared in the March/April 2020 issue of New Jersey CPA magazine.