Regarding UKFast’s claims about potentially serious public sector data leaks, which the hosting provider discovered when using Google’s search engine, the unintended data breaches are almost certainly the result of too many people having the ability to access personal information.
Most organisations fall into the trap of giving their staff virtually complete access to the firm’s information – including company and customer confidential data – and so creating their very own data vulnerability.
One approach to avoiding this is to adopt a least risk strategy that involves giving Windows-based desktop and server users only the privileges they require to perform their roles – without compromising the integrity and security of personal and company-confidential information.
In taking this approach, the organisation is adopting the principle of least privilege, whereby users log on with minimal rights – and applications are assigned the necessary privileges to enable users to perform the task in hand – all under the control of policies that are defined by the IT department.
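The first practical step towards the least privilege stance described above is finding out which accounts currently hold administrative rights they do not need. The following PowerShell script is an added example, not code from the original article or from UKFast: it audits the local Administrators group on a Windows desktop or server against an allow-list of accounts that policy permits to hold admin rights, and reports anything outside that list. The allow-list entries (the built-in Administrator account and a placeholder domain group) are assumptions to be replaced with the organisation’s own policy.

```powershell
# Added example (not from the original article): audit local Administrators
# group membership against an allow-list of principals that IT policy permits
# to hold admin rights on this machine. Anything outside the list is reported
# so it can be reviewed and moved to a standard-user account.

# Assumed policy: replace these with your organisation's approved principals.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (assumed to be retained)
    "CONTOSO\Desktop-Admins"             # placeholder domain group, not from the article
)

# Get-LocalGroupMember is part of the Microsoft.PowerShell.LocalAccounts module
# that ships with Windows PowerShell 5.1 and later.
$members = Get-LocalGroupMember -Group "Administrators"

# Any member whose name is not on the allow-list is over-privileged by policy.
$overPrivileged = $members | Where-Object { $AllowedAdmins -notcontains $_.Name }

if ($overPrivileged) {
    Write-Output "Accounts holding admin rights outside policy on ${env:COMPUTERNAME}:"
    $overPrivileged |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
} else {
    Write-Output "Administrators group on $env:COMPUTERNAME matches policy."
}
```

Run it from an elevated PowerShell session on each machine, or push it out through your management tooling and collect the output centrally; the script only reports and makes no changes, so the removal of each flagged account remains a deliberate, reviewed step rather than an automatic one.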
A failure to adopt this strategy means that staff – all the way from senior managers down to the office junior – have access to far too much personal information.
And, expecting the office junior to have the same level of awareness about business data security as a senior manager is asking for trouble, especially when staff can be allowed to continue to perform their duties just as effectively, but with a far lower inherent risk to personal data.
Most security experts already know that the public sector generates vast quantities of data. This means that allowing too many people access to that data – especially personal data – can translate into a data breach, as UKFast’s findings clearly show.
The solution is to control who has access to the personal and company-confidential data – but in such a way that access is carefully controlled and limited to only that data which the employee (or manager) needs in order to perform their day-to-day duties.
Put simply, this means that organisations need to adopt a least privilege stance, which in turn leads to the twin additional advantages of least cost and least risk.
The fact that this investigation gave UKFast’s researchers access to partial and even complete databases shows what happens when data leaks out from an organisation. A least privilege approach would have helped to stop this type of information from leaking, as it clearly has.