The director of IT security at a national accounting firm has warned CIOs about the increasing level of administration access regular employees are gaining, calling it a “trust time bomb”.
RSM Bird Cameron’s IT security director, Jo Stewart-Rattray, said privilege policy management is a “hot button issue”, as a recent meeting of 16 CIOs highlighted.
“Many thought they were alone in dealing with this problem because it appeared to have an easy fix,” Stewart-Rattray said.
“The challenge is that addressing the user privilege vulnerability creates conflict between an organisation’s security and its culture. User privilege is often associated with trust. However, trust alone is not a control. Without adequate controls, this is a trust time bomb just waiting to explode.”
Stewart-Rattray said the culture of excessive user privileges on computer networks had developed over many years, and that people are accumulating extraordinary amounts of access that they do not need to do their jobs.
“One example was an employee who built up a remarkable level of computer network access during years at an organisation,” she said. “When a new employee joined the business, the manager said to copy the network privileges held by the long-serving employee, which is a ridiculous risk.”
Stewart-Rattray is the co-chair of an international taskforce charged with developing strategies to build intentional cultures of security within organisations.
“Cradle-to-grave user management has gone by the wayside,” she said. “CIOs are starting to recognise that there is a dire need for a life cycle management of users, but they are unsure of where to start.”
“One CIO said the challenge is to balance trust with an intentional culture of security. In some respects, because trust has existed historically, we are talking about an intentional change of culture, which is harder. In the beginning, security is intentional and over a period of time, it becomes automatic.”
Stewart-Rattray said privileged user management is a hot topic and a central tenet of this approach is the principle of least privilege.
“Rather than making every user a network administrator, [least privilege] gives each user just the network access required to perform his or her job,” she said. “Even system administrators should maintain a distinction between their privileged account and their day-to-day account.”
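As an added illustration, not part of the article, the following script audits an account inventory for the three patterns described above: privilege creep beyond a role baseline, a new joiner whose entitlements were copied from a long-serving employee, and a privileged account that also carries day-to-day entitlements. The role baselines, group names and accounts are constructed for the example.

```python
from collections import defaultdict

# Hypothetical role baselines: the groups each job actually needs (assumed, not from the article).
ROLE_BASELINE = {
    "accountant": {"finance-share", "tax-app", "vpn"},
    "sysadmin": {"domain-admins", "server-ops"},
}
PRIVILEGED_GROUPS = {"domain-admins", "server-ops"}
# Groups used for everyday work; a privileged account holding them blurs the two roles.
DAILY_GROUPS = {"vpn", "mail-users", "finance-share", "tax-app"}

# Constructed sample inventory; names, tenures and groups are made up for the example.
ACCOUNTS = [
    {"user": "alice", "role": "accountant", "tenure_years": 18,
     "groups": {"finance-share", "tax-app", "vpn", "hr-share", "server-ops", "domain-admins"}},
    {"user": "bob", "role": "accountant", "tenure_years": 0,      # new joiner set up as "copy alice"
     "groups": {"finance-share", "tax-app", "vpn", "hr-share", "server-ops", "domain-admins"}},
    {"user": "carol", "role": "accountant", "tenure_years": 3,
     "groups": {"finance-share", "tax-app", "vpn"}},
    {"user": "dave-adm", "role": "sysadmin", "tenure_years": 5,   # admin account that also has a mailbox
     "groups": {"domain-admins", "server-ops", "mail-users", "vpn"}},
]


def audit(accounts, baseline=ROLE_BASELINE):
    """Return a set of (user, finding, detail) triples for the inventory."""
    findings = set()
    by_groups = defaultdict(list)
    for a in accounts:
        groups = a["groups"]
        # 1. Privilege creep: anything beyond what the role baseline needs.
        extra = groups - baseline[a["role"]]
        if extra:
            findings.add((a["user"], "creep", ",".join(sorted(extra))))
        # 2. Privileged and day-to-day entitlements held by the same account.
        if groups & PRIVILEGED_GROUPS and groups & DAILY_GROUPS:
            findings.add((a["user"], "mixed-use", ",".join(sorted(groups & DAILY_GROUPS))))
        by_groups[frozenset(groups)].append(a)
    # 3. Clone detection: a recent joiner whose groups exactly match a long-serving user's.
    for members in by_groups.values():
        oldest = max(members, key=lambda m: m["tenure_years"])
        for m in members:
            if m is not oldest and m["tenure_years"] <= 1 and oldest["tenure_years"] >= 10:
                findings.add((m["user"], "cloned-from", oldest["user"]))
    return findings


if __name__ == "__main__":
    for finding in sorted(audit(ACCOUNTS)):
        print(*finding)
```

Each finding is a candidate for a review: creep and mixed-use findings feed the lifecycle clean-up, and a cloned-from finding points at the onboarding step that copied privileges instead of deriving them from the role.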