Lessons Learned from Access Governance Failures in the News

If you know where to look, access governance news is everywhere. With the right perspective, you can learn from these events and improve your organization’s defenses. If you neglect these steps, you’ll be left behind by more focused competitors who make every effort to improve security. Don’t let that happen to you; study these access governance news events for the lessons they have to offer.

Capital One Corporation: Major Data Breach in 2019

In the summer of 2019, Capital One, a major financial services company, suffered one of the largest data breaches of the year. Millions of records from American and Canadian credit card applicants were accessed without authorization by a former employee of Amazon. This individual, subsequently arrested by the FBI, managed to download large volumes of data including Social Security numbers, birth dates, and other sensitive information. As a result of the incident, Capital One’s stock price dropped significantly, and the company will have to work hard to repair its reputation.

From an access governance perspective, we can learn a few things from this situation. First, your access governance risk isn’t limited to your own company. If you use cloud service providers or Software as a Service providers, your data may be vulnerable there too. Fortunately, you can significantly reduce the risk of disclosure by regularly reviewing and testing the access controls and encryption practices at these companies. If your contracts with these providers include audit rights, make it a priority to carry out IT security audits regularly.

UK Report Highlights Insider Threat as a Key Cause of Data Breaches in 2019

The more people who have access to sensitive data, the more risk your organization takes on. Some of this risk is unavoidable: customer service and sales need access to customer records to do their work. However, that access needs to be monitored and limited to prevent disclosure. Unfortunately, recent data reported by the UK Information Commissioner’s Office suggests that human error remains a significant problem in data breaches. According to Forbes: “Those figures suggest that 60% of the 4,856 personal data breaches reported to the ICO in the first half of 2019 were the result of human error.”

There’s a way to reduce the impact of human error when it comes to sensitive data at your organization. You need to use the principle of least privilege. Instead of granting access rights to all employees, access should be limited as much as possible. For example, consider the financial management department. The financial analysts may be given access to financial reports for analysis. However, access to highly sensitive financial data such as salaries for individual employees should be further limited to finance or human resources managers.

To monitor access privileges effectively, you need to implement an identity and access management software solution.
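The finance example above, as an added illustration that is not part of the original article: a deny-by-default, role-based policy in which analysts may read reports but only finance or HR managers may read salary data, plus an access review that flags ad-hoc grants no role justifies (the over-provisioning that an identity and access management solution is meant to surface). Roles, resources and users are constructed for the example.

```python
"""Least-privilege policy check and access review (constructed example)."""
from dataclasses import dataclass, field

# Role entitlements: which resources each role may read. Deny by default:
# anything not listed here is refused. Roles and resources are constructed
# for illustration, modelled on the finance example in the article.
ROLE_ENTITLEMENTS = {
    "financial_analyst": {"financial_reports"},
    "finance_manager": {"financial_reports", "employee_salaries"},
    "hr_manager": {"employee_salaries"},
}


@dataclass
class User:
    name: str
    roles: set[str]
    # Ad-hoc grants made outside any role; these are what reviews should catch.
    direct_grants: set[str] = field(default_factory=set)


def entitled(user: User) -> set[str]:
    """Resources the user's roles entitle them to (union over all roles)."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))


def can_read(user: User, resource: str) -> bool:
    """Deny by default: allow only if a role or an explicit direct grant covers it."""
    return resource in entitled(user) or resource in user.direct_grants


def review_access(users: list[User]) -> dict[str, set[str]]:
    """Access review: per user, the direct grants that no assigned role justifies.
    These are the candidates for revocation in a least-privilege review."""
    findings = {}
    for u in users:
        excess = u.direct_grants - entitled(u)
        if excess:
            findings[u.name] = excess
    return findings


# Constructed sample users: carol holds a salary grant her analyst role does not cover.
USERS = [
    User("alice", {"financial_analyst"}),
    User("bob", {"finance_manager"}),
    User("carol", {"financial_analyst"}, direct_grants={"employee_salaries"}),
]

if __name__ == "__main__":
    print(can_read(USERS[0], "financial_reports"))   # True
    print(can_read(USERS[0], "employee_salaries"))   # False
    print(review_access(USERS))                      # {'carol': {'employee_salaries'}}
```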

MoviePass: Tens of Thousands of Customer Accounts Exposed

Large financial services companies have the resources to respond to extensive IT security breaches. Small or struggling companies face much greater pressure, possibly even a threat to their existence. Take the example of MoviePass, a subscription service for movie tickets. According to Variety: “Tens of thousands of customer records were left exposed on the internet, including MoviePass card numbers and personal credit card data, because a critical server was not protected with a password.” Failing to identify and protect all of your sensitive customer data, such as credit card data, is a mistake that can cause a small company to fail.

The MoviePass security breach reminds us of a critical principle in security: you must be comprehensive to be effective. Protecting 99 out of 100 servers isn’t going to cut it. Since it’s now easy to scale up digital infrastructure, manually tracking and administering these assets isn’t going to work either. Instead, you need to leverage a comprehensive solution such as Compliance Auditor. When you put this solution in place, you’ll be able to track every user and their access privileges across the enterprise.

British Airways Faces Record Fine Following Cybersecurity Failure

For years, cybersecurity professionals have prepared for a scary prospect: hefty fines for cybersecurity failures. In 2019, governments around the world are starting to apply penalties to companies that fail to protect data. As a result of a data breach, British Airways was fined over $100 million for a 2018 security failure. Specifically, a hacking group managed to obtain credit card information, login details, and other personal information.

As a result, British Airways now faces a significant financial loss from an official fine. That’s only part of the damage. The company will also suffer indirect losses in the form of reputational damage, as previously loyal passengers may decide to book travel with other airlines. Further, the company will incur short-term and long-term expenses to respond to the media and assist affected customers.

The British Airways experience has an important lesson for access governance and IT security. Previously, you might have developed your business case based upon productivity gains from automating security steps. However, you should also consider the benefits of avoiding large fines and reputational damage, especially if your company operates in Europe. Think of it this way: spending an extra $500,000 this year could help you to avoid a $100 million+ fine and reputational damage in the future.

What These Access Governance News Events Mean for Your Organization

Reading access governance news can quickly become a full-time job since the number of breaches is steadily increasing. On the other hand, passively consuming information about data breaches and other security failures won’t keep your organization safe. You need to take proactive steps! As a next step, we recommend making IT security easier for all employees. Get started by using our guide: 5 Steps to Make Cybersecurity Easy for Your Managers.

Written by Nelson Cicchitto