Security blanky makes way for quilt

Published on the 02/02/2016 | Written by Beverley Head



Enterprises need to rethink blanket rules regarding access to corporate information systems, and instead take more of a “patchwork quilt” approach, according to a former FBI agent…

The era of free-for-all access and bring your own device may be drawing to an end, according to security specialists at Deloitte.

Mary Galligan, a director at Deloitte and Touche, and former FBI cyber special agent, said that although chief financial officers loved the notion of BYOD because it relieved them of having to buy end user devices, it had not been a good idea from a security standpoint. Visiting Sydney this week, Galligan said that forward-thinking organisations were now taking a patchwork quilt approach to systems access rather than a blanket, one-size-fits-all approach.

In some cases that means removing some of the flexible working rights that some employees have enjoyed, in order to ensure improved organisational security. Galligan said that she was even aware of a US car maker working on a model for 2018 release that only allowed designers access to a system once they swiped their building access card to ensure that they were in the building when using the company computers.

She said that smart businesses were making ‘risk and role’ key determinants in deciding how computer systems could be accessed, and from where. Similarly, she said that organisations involved in mergers and acquisitions were now less inclined to automatically link existing networks and data repositories together, but were, at least for a time, keeping operations separate while they determined who in the organisation needed access to which data.

CIOs were also installing controls on who could click on hyperlinks in documents or emails in order to reduce the risk of spearphishing or ransomware style attacks. Galligan said that this granular approach also extended to plotting the timetable for whose machine received security patches first, with priority given to people in riskier roles – such as the finance teams.

Galligan said that in many ways enterprises were taking a leaf out of the approach taken by US Government intelligence agencies. She said that the FBI for example forbade access to social media sites, quipping that “the FBI defends democracy, it doesn’t practice it.”

That access management control might seem draconian, but it limited the damage that could be wreaked on an organisation and Galligan expected it to become an increasing trend through 2016.

James Nunn Price, cyber risk leader for Deloitte in Asia Pacific, added that this more buttoned-down approach should help control cyber security problems, but also help address traditional insider frauds by limiting and tightly controlling access rights.
