By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
In 2013, a network engineer at CitiBank came to realize he was about to get fired and decided to attack his employer before they fired him. He reset the configurations on nine routers which controlled the flow of data across their North American network. In doing so, he brought down 90% of the network for nearly an entire day, costing them millions of dollars.
Large organizations with complex systems regularly implement process intensive access control procedures to grant employee access to systems and recertify the need for access to those systems on a periodic basis. For many small and mid-size organizations, this is probably excessive.
However, even small to mid-size businesses (SMBs is the actual word used in the WP) can easily find themselves struggling to keep track of who has access to what systems.
Suppose you have 10 employees, and each employee, on average, accesses five different systems. For some systems, all users have access, and for others, some users have access. Additionally, for some of the systems, user permissions vary by user. And other systems have a single set of permissions for all users. Some folders on your network are shared with everyone, and other folders are shared with only certain individuals. With just 10 employees, you could easily find yourself having to remember well over a hundred IT access data points. You don’t need the additional mental overhead from remembering everyone’s access rights on top of everything else you need to do to operate a successful business.
Actionable Steps
- In policy, assign responsibility for performing a periodic inventory of sensitive data, where it is stored, and who has access to it, including backups.
- Based on the criticality of the data and current protections, determine effective and efficient means of protecting it.
At the very minimum, organizations should maintain an updated list of the IT access profile for each employee. Although not the size of Citibank, SMBs risk “bad leavers” as well. They may purposefully delete files, steal sensitive data to bring to their new employer who may be a competitor, and more. It is therefore important to have a reliable inventory of the systems your employees have access to and solid exit procedures to ensure user access is deactivated timely
The content in this article covers just one aspect that small to mid-size businesses need to address for Cybersecurity. Download the entire whitepaper below to access additional Cybersecurity suggestions.
Want to keep your business safe from cyberattacks? Contact us. Our Cybersecurity team can provide you with critical insight into your company’s cybersecurity footprint.
Additional Resources
About the Author
Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.
More Insights from Christopher MoschellaThe information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
