This week’s article, part of our new weekly series “Cyber Insurance Compliance Insights from FTC Investigations”, looks at why it is important for companies to control access to data sensibly.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week we recap the FTC’s latest post on data security and explain how the measures it describes can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to show that they have implemented baseline security measures.
Once your company has conducted an information census to identify and locate the confidential data in your company’s possession and has then determined what you need to hold on to for business purposes, what’s the next step? According to the FTC, it’s time to put limits in place to control access to data sensibly.
Restrict Access to Sensitive Data
Most of us would not give our in-laws, or everyone we know for that matter, keys to our homes, since that would let them walk in and stroll around whenever they wanted, whether or not we were there. Now apply that to who has access to your company’s data. Not everyone on your staff needs unrestricted access to all the confidential information you keep. The better practice is to put sensible controls in place that allow access to the employees who need it to do their jobs while keeping everyone else out. The FTC states that it’s also wise to grant administrative access – the technical ability to make system-wide changes to your network or certain changes to desktop computers (for example, installing new software) – only to a limited number of trusted employees.
Plain and simple, if employees don’t have to use personal information as part of their job, there’s no need for them to have access to it.
FTC-provided example: Employees of a small company share one workstation. The staff member in charge of payroll has password-protected access to a database of employee information. The staff member in charge of shipping has password-protected access to a database of customer accounts. By limiting access based on business need, the company has reduced the risk of unauthorized use.
Limit Administrative Access
According to the FTC, it’s essential that someone on your staff, such as a system administrator, has the authority to make necessary modifications; the point is that not everyone should. Just as a bank gives the combination to its central vault to only a few people, companies should limit admin rights accordingly.
As it relates to cyber insurance, if all of your employees have access to your company’s sensitive information, your company’s risk of a data breach increases, and an insurer will want to see that you have addressed it. Therefore, it’s important to put controls in place so that employees have access only on a “need to know” basis, and to limit administrative access, ideally to 1-2 people.
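To make the two measures above concrete, here is an added example (not from the FTC or this article) of what “need to know” access and a capped administrator count look like when enforced in code rather than only in policy. It uses the roles from the FTC’s small-company example (payroll and shipping) plus a sysadmin role; all user names, role names and data set names are constructed for illustration. Access is denied unless a role explicitly grants it, administrative rights do not silently include read access to the data sets, and an audit function reports whether the number of administrators is within the limit you have set.

```python
# Added example, not code from the FTC or the original article.
# Deny-by-default role-based access checks plus an administrator-count audit.
# All users, roles and data sets below are constructed for illustration.

# Which role may take which actions on which data set. Anything not listed
# is denied. The "*" resource is used only for the admin action so that
# system-wide privilege does not quietly include read access to every data set.
POLICY = {
    "payroll":  {"employee_db": {"read", "update"}},
    "shipping": {"customer_accounts": {"read", "update"}},
    "sysadmin": {"*": {"admin"}},
}

# Constructed staff list: user -> roles held. Two people hold sysadmin.
USERS = {
    "alice": {"payroll"},
    "bob":   {"shipping"},
    "carol": {"sysadmin"},
    "dave":  {"sysadmin", "shipping"},
}


def is_allowed(user, action, resource, users=USERS, policy=POLICY):
    """Return True only if some role the user holds explicitly grants
    `action` on `resource`, or grants `action` on "*". Unknown users,
    unknown roles and unlisted actions all fall through to deny."""
    for role in users.get(user, set()):
        grants = policy.get(role, {})
        if action in grants.get(resource, set()):
            return True
        if action in grants.get("*", set()):
            return True
    return False


def effective_permissions(user, users=USERS, policy=POLICY):
    """Every (resource, action) pair a user can exercise. Useful for the
    periodic access review an insurer may ask you to evidence."""
    perms = set()
    for role in users.get(user, set()):
        for resource, actions in policy.get(role, {}).items():
            for action in actions:
                perms.add((resource, action))
    return perms


def admin_users(users=USERS, policy=POLICY):
    """Sorted list of everyone who can perform the admin action system-wide."""
    return sorted(u for u in users if is_allowed(u, "admin", "*", users, policy))


def audit_admin_count(max_admins=2, users=USERS, policy=POLICY):
    """Report who holds administrative rights and whether the count is
    within the limit chosen for the company (the article suggests 1-2)."""
    admins = admin_users(users, policy)
    return {"admins": admins, "within_limit": len(admins) <= max_admins}


if __name__ == "__main__":
    # Payroll can read employee data; shipping cannot, and neither can an admin
    # who has not also been given a data role.
    print(is_allowed("alice", "read", "employee_db"))     # True
    print(is_allowed("bob", "read", "employee_db"))       # False
    print(is_allowed("carol", "read", "employee_db"))     # False
    print(sorted(effective_permissions("dave")))
    print(audit_admin_count(max_admins=2))
```

The two design choices worth copying are the deny-by-default loop in `is_allowed` (a typo in a role name or data set name results in denial, not in accidental access) and keeping the admin action separate from data access, so that the people who can change the system are not automatically the people who can read the payroll database.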
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.