Identifying all users and the actions they are authorized to perform is among the most basic pillars of network security. But in an era in which business executives remain unaware of the powers being exploited by IT administrators, and those IT administrators lack adequate insight into the habits of tech-savvy employees, comprehensive data protection has become a more elusive goal.
Who watches the watchmen?
With cloud computing, social media, mobile devices and several other significant technology trends simultaneously converging in the enterprise, even seasoned network managers are having trouble making sense of it all. As a result, business executives can be forgiven for deferring to the IT department in certain scenarios and entrusting these teams with high-level tasks. Unfortunately, management may be giving IT staffers more rope than they realize.
In a recent survey of 450 IT professionals conducted by Lieberman Software, nearly 40 percent of respondents indicated that they could gain unauthorized access to their company's most sensitive information – including the private documents of C-level executives. What's more, one in five respondents admitted to already accessing something they should not have while another 11 percent would do so if they wanted to find out if their job were at risk.
But perhaps most concerning of all, one-third of IT administrators were confident that company executives would not even be able to stop them if they found out what was going on.
"Many organizations rely on their IT departments to keep them safe, but all too often the reality is that powerful, privileged account credentials are being abused," explained Lieberman Software president and CEO Phillip Lieberman. "Management must step up to the plate and take charge by establishing systems and procedures to lock down data from prying eyes or their secrets will continue to be stolen from under their noses."
The first step toward progress, according to Lieberman analysts, is the identification and documentation of critical IT assets, their interdependencies and who has access at each level. Managers must also subscribe to the rule of least privilege to ensure technology teams only have the ability to access resources that are essential to the execution of their specific job functions.
Shining a light on shadow IT
While tempering the power of IT administrators is important for guarding mission-critical assets, recognizing and addressing the emergence of tech-savvy employees, or so-called shadow IT, is no less important.
Just a few years ago, IT teams had authoritarian control over business technology decisions and actions. They had superior knowledge and access to the latest and greatest utilities, and common employees patiently awaited their decisions. That model has now been turned on its head within a number of offices, largely due to the rise of Generation Y in the workforce.
Not only do these digital natives have a more mature understanding of technology than their counterparts from years past, they're more resourceful when it comes to getting their hands on what they want. As a result, there is a far greater chance that staffers will work around IT policies to acquire and use the devices and programs they prefer.
According to the latest study from Avecto, approximately three-quarters of IT professionals are "in the dark" when it comes to monitoring and regulating the applications downloaded and utilized on corporate networks. The vast majority of survey respondents pointed to male employees between the ages of 20 and 35 as the most likely workforce segment to demand or usurp elevated network privileges.
As companies continue to walk the fine line between empowering employees and increasing data security risks, easy answers will be few and far between. But gaining an accurate perspective of the network rights of all users and having an honest discussion of what they want and need will be the logical first step.
Security News from SimplySecurity.com by Trend Micro