Even Non-Malicious Data Breaches Can Have Devastating Consequences
While searching for a file on the network that Linda needed to update for HR, she came across a document listing more than 200 employees to be laid off from the company in the coming days. Linda hadn’t been looking for this information, and she had no idea how she had access to it. Linda hasn’t spoken to anyone about what she learned as a result of this data breach…yet.
We tend to think of internal data breaches as the work of someone inside the company firewall with a sinister objective to gain access to confidential information. But there are countless stories of “Lindas” who somehow manage to be given access to information that they shouldn’t have.
When organizations take measures to protect their data from unauthorized access, they tend to focus more on private information. This might include classified information pertaining to a patient, customer, employee, etc. After all, there are numerous regulations specifying how private data can be stored, accessed, and managed, with sizeable fines for noncompliance.
Personally identifiable information (PII) is generally stored as records in an application database. A patient’s medical information, for example, is structured across cells in a medical application’s database table – hence the term “structured data.”
But sensitive information also includes an organization’s confidential or competitive proprietary data. For example, not-yet-released quarterly sales results, future marketing plans, legal documents, and yes, specifics on casualties of an upcoming corporate reduction in force.
These word processing files, spreadsheets, presentations, media files, etc. cannot be structured in a database and are stored in folders in an on-prem network file system or document libraries in the cloud. This type of data is known as “unstructured data,” and it comprises about 80 percent of an organization’s total stored data.
Protecting structured data from unauthorized access is largely managed through an automated process such as an identity and access management system (IAM) that provisions and restricts access based on user identity and role. Conversely, securing unstructured data is done through individual folder and file permissions.
It’s these individual permissions assignments that can be so challenging to manage. Sure, a network administrator can check which groups and associated members can access a particular folder by viewing the individual folder’s properties. But with potentially thousands of folders, subfolders, document libraries, and sharing links storing files with confidential, sensitive, and high-value data, reviewing these permissions on an individual folder basis is impractical.
That’s where Galileo from Condrey Corporation comes in. Among its extensive reporting and analytics capabilities, Galileo can identify all users who can access individual files and folders located in Microsoft storage infrastructures – whether on-prem or in the cloud – and how that access is derived. And it can do so in a single, easy-to-understand report, so you have the information you need to make necessary changes to access permissions.
This capability has been incredibly useful to customers needing to perform regular vulnerability assessments on all of their confidential, sensitive, and high-value unstructured data and protect themselves from everything from inappropriate insider knowledge to insider misconduct.
With the potential for loss of data, competitive advantages, customers, employees, and reputation, as well as the possibility of fines and lawsuits, organizations cannot risk the possibility of an internal data breach – especially when the risks are so easy to identify with Galileo.
Are you ready to take the first step in reducing your risks for internal data breaches by determining your vulnerabilities? Start by requesting a no-obligation product demo by filling out this form. We look forward to hearing from you.