Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy United States IT Technology

Almost Half of Employees Have Access To More Data Than They Need (betanews.com) 53

A new study of over 700 full-time US employees reveals that that 48 percent of employees have access to more company data than they need to perform their jobs, while 12 percent of employees say they have access to all company data. From a report: The survey by business app marketplace GetApp also asked employees what classifications of data protection are in place at their company. No more than a third of businesses were found to use any one individual data classification. The lowest in use are Proprietary (15 percent) and Highly Confidential (18 percent). The most commonly used are Confidential -- 33 percent of businesses use this classification, Internal -- 30 percent, Public -- 29 percent and Restricted/Sensitive -- 25 percent.
This discussion has been archived. No new comments can be posted.

Almost Half of Employees Have Access To More Data Than They Need

Comments Filter:
  • ... actually have access to all the company data but just don't know it.

  • Incomplete picture (Score:3, Interesting)

    by davidwr ( 791652 ) on Monday August 12, 2019 @04:45PM (#59080536) Homepage Journal

    People may have access to data they don't need to see for many legitimate reasons.

    Here's a common one:

    The employee may belong to a work-group where they may need to back-fill a sick co-worker, and their jobs are so similar that it's safe to give them both access to the same set of data. For example, I may be in charge of helping customers whose last names start with A-M and my co-worker those whose names start with N-Z. But if I'm covering for her, suddenly the "needs of my job" change. Is my manager going to call IT just so I can back-fill for one day? No, he's going to give us both access to all customers' data.

    I'm sure people can think of other reasons.

    Rather than ask "how many people have access to data they don't really need" ask "which employees have access to what data, how does that benefit the company, what are the risks involved, and what accountability is there such as training, logging, and the like in case data winds up outside the company or work-group when it shouldn't."

    • Rather than ask "how many people have access to data they don't really need" ask "which employees have access to what data, how does that benefit the company, what are the risks involved, and what accountability is there such as training, logging, and the like in case data winds up outside the company or work-group when it shouldn't."

      I'm pretty sure that gets taught as part of generic database management and installation, at least it's in textbooks. But what seems more worrisome is that 12% that can see all data. What company would need 1 in every 8 employees to have access to everything?

      • by Wulf2k ( 4703573 )

        Is this self-reported?

        I'd be surprised if 12% of employees understood a business's infrastructure well enough to identify "everything" as distinct from "everything they see".

      • by jbengt ( 874751 )

        What company would need 1 in every 8 employees to have access to everything?

        The company I work at currently. We have 9 full time employees and a contractor to do IT. The owner and her husband definitely both have full access to everything, and the engineering manager does too. I'm sure the contracted IT guy could see anything he wanted to, also.
        The one person who should not have full access is the owner. She frequently clicks on malicious links and a couple of times has needed her computer rescued.

    • People may have access to data they don't need to see for many legitimate reasons.

      I'd argue that one of the reasons could well be that it's just too much work most of the time.

      Now, as we've seen with ransomware, nobody should have access to everything, but at an extreme example we could have access controls active at the file level, and at the row level in databases. But we'd get nothing done, on average, so much work would happen granting and revoking permission.

      So you see some deals where, such as in the medical field, where you have access to darn near anything - but access is logged

      • by tlhIngan ( 30335 )

        I'd argue that one of the reasons could well be that it's just too much work most of the time.

        Now, as we've seen with ransomware, nobody should have access to everything, but at an extreme example we could have access controls active at the file level, and at the row level in databases. But we'd get nothing done, on average, so much work would happen granting and revoking permission.

        So you see some deals where, such as in the medical field, where you have access to darn near anything - but access is logged

    • I am a report and analysis developer using BI solutions to provide them. I definitely have access to tons of data I don't need to see, because I am not using any of that data in a business sense. Also, there are data sources I used once or twice to generate business analyses, then never needed to work with again, but the access was kept in case it's needed again. There was an attempt a few years ago to provide us (report developers) with garbage data samples but that didn't work because of a variety of good

  • I'm surprised at the figure of 12% for 'all company data'. Sure, there's boring stuff like whatever we told the customers was protected by a strong commitment to privacy and security, no real reason to bother compartmentalizing that; but the rightsizing plans for next quarter? Or salary data that could easily make the human resources start feeling underpaid and whiny? That's serious business.
  • Who cares? (Score:4, Interesting)

    by DogDude ( 805747 ) on Monday August 12, 2019 @04:55PM (#59080586)
    Literally every data breach, no matter how massive, is met with a shrug from the public and from law enforcement and from legislators. Nobody cares. (Technically, I care, but I know of nobody in real life who gives a shit about their "data").
    • Comment removed based on user account deletion
    • old software / not paying for updates / no fail over (so you can't get downtime to update)

      • Sending emails in plain text. Storing SSH keys on shared drives or vaults with access to inappropriate personnel. Leaving obsolete logins in place. Improperly secured backups, including backup tapes, disk images in the cloud, and credentials stored in source control. Using HTTP or FTP for _anything_.

        The list of vulnerabilities goes on and on in many environments.

        • by nnull ( 1148259 )

          And the funny thing is, this data is how I grew my business because of how completely lack luster security is at many businesses, including my competitors. Once I found out the numbers, the rest was easy, especially when I find out companies are making huge HUGE margins while they run ancient machines with illegal aliens as operators.

    • by AmiMoJo ( 196126 )

      Make the fines huge and have them distributed to the victims. When people start getting notifications and cheques they will care. They will demand the highest standards and a strong regulator to oversee them.

      • It's a chicken and egg problem. You won't generate the political will to impose those huge fines until people care. But people won't care until they start getting those checks.

        • by AmiMoJo ( 196126 )

          Maybe some populist can get the crowd to chant "make them pay" for a change.

          • Won't catch on. The whole thing is too abstract, with no compelling storylines. You can't whip up crowd emotions with something liek this.

    • People care, but it falls under what can you really do. Copies of your personal data are nearly zero cost to transmit to computers all over the globe. And if you tried to hunt it all down and delete it, you'd end up like Julian Assange. Companies tell you they care about your data but we get inscrutable new 10 page updates to all the loopholes in that promise, no normal person could ever read and understand all of these. So when some large company loses my data - what is my recourse? Nothing, that's wh
  • by TJHook3r ( 4699685 ) on Monday August 12, 2019 @05:02PM (#59080614)
    In this heady new world of big data and data lakes, spare a thought for those employees who have to buy the DBA a cake to get read access to a critical database!
  • Almost everywhere I go there is more access than necessary for just about everyone. Employees are not security conscious no matter how many times your try to brow beat the idea of security into them. If you are not using and semi advanced technological mechanisms to keep access to data secure then you are probably already compromised multiple times and are just not aware of having been compromised.

    Conversely the 12% having access to all of the data is likely overblown, unless we are only talking about 12%

    • Don't forget that 90% of the data a company has is old data that's pretty uninteresting for anyone else except if the IRS does a review or you get a claim. There's also a pile of old projects that are saved on different systems that comes in handy when the customer comes back several years later due to a hardware or OS upgrade. But you don't know which customer so just let the stuff hang around on a project disk.

      Erasing old data is a sure way of getting a call frommthat customer a month later.

  • by Retired ICS ( 6159680 ) on Monday August 12, 2019 @05:12PM (#59080660)
    The survey is missing the qualification of "that they know about". So while 12% of employee's may claim to have access to all data, does not preclude the possibility (or highly likely situation) where they do not have access to that data which they do not know exists. In other words, 12% of employee's have access to all the data that they know about (and since they know about it, an argument can likely be made that they need that access), and do not have access to the data that they do not know about (and therefore are unlikely to need). Seems like a swimmingly designed access control policy to me.
  • by bobstreo ( 1320787 ) on Monday August 12, 2019 @05:13PM (#59080668)

    what number of contractors (on-site and off-shore) have access to more data than they need?

    People who may tend to be able to access more, think DBA's and SA's who need access to the system or the databases for routine work. Programmers need access to test and QA systems, but probably never to production systems with valid production data.

    The employees who tend to have way more access than they need would be people like administrative assistants, and managers, who can't be bothered to ask for access, they just need it, so they force someone to grant them access.

    That is of course assuming that data classification is actually being done...

    • This whole thing reminds me of when the shit hit the fan with Snowden. The big brass officials were all over the place denying it because this Snowden guy was just some lowly System Administrator and wouldn't have all that access. Anyone that knew anything about IT at that point knew the leaks were for real.

  • At my job I work with software which doesn't let me see full bank accounts.

    I work at a bank and I definitely need that. (I'm forced to look it up in a second system - which logically I shoud not have acces to.)

    • which logically I should not have access to.

      Why's that?

      • by Wulf2k ( 4703573 )

        Since he's denied access in the first system, it would only be logical if he were denied access in the second system.

      • by Livius ( 318358 )

        System one *has* the information I need, it simply won't show it because the UI designer didn't understand how things work in real life.

        System two has lots of information that I don't need, therefore having access is a bad thing.

  • I would like companies to remove access for employees when they switch departments. Sure, it's convenient if Joe can still log into a management console to fix a VM, he's got the knowledge and need.

    But Joe's not hip to what the rest of his old team is doing now. Maybe there's something additional he should be doing when fixing a VM.

    Honestly, I'd like a bucket for each employee. When an employee gains access to something, the person granting them access, tosses a note in that bucket on what access was grante

    • Seems to me that a company which takes Access Control seriously already does this ... and no "buckets" are required. I used to work for a company that did this (actually, I have never worked anywhere that did not). All access permissions were required to be audited (reviewed and re-approval recorded) by the Owner (of whatever the access covered) on a recurrent schedule determined by the risk associated with the permission. And all incumbents to an Owner role had to review and sign off on all existing acc

      • by nnull ( 1148259 )

        Because most places don't have competent people. Policies get implemented and doesn't change for the better, but gets worse over time. Then there is the nuisance crying, which ends up degrading this system even more, especially with companies who have a carousel of employees that come in and out, that the boss gets tired of paying an IT guy to help manage the system.

        I've been to places where the top executive logins and passwords were just their first name, so had access to completely everything, despite ac

  • If they have more access than they need to do their job, they may be a security risk, but they can get their job done.

    If they have less access than they need to do their job, the job doesn't get done or doesn't get done right.

    Which is more critical to a company's day-to-day survival and profitability? Which "error" costs the company more on the bottom line? Which can be "fixed" with insurance, rather than just breaking the company right now?

    If the employee isn't trustworthy with the data, why was he hired

    • The issue is that when you make it hard to request data people end up requesting/granting access on a "Just in case" basis instead of need to know. the answer is often to make the processes easier so that they actually get used properly rather than locking things down even further. Software analogy Windows Administrator accounts...
  • Comment removed based on user account deletion
  • To many add / services need to give full admin rights to people to only do a few things.

    Some apps don't have real service accounts (no needs linked an full user to do some tasks) (so they can be come shared or you need to give full admin to a few people so they can take over an account) as tieing to 1 live user is bad as well.

    ldap admins more or less then give them self admin rights to any app that is grouped controlled.

    Other you need to have an full admin that is local to the app to do some things like edi

  • by TWX ( 665546 ) on Monday August 12, 2019 @07:10PM (#59081050)

    At work many years back I tried to address this, specifically within the IT department itself. Everyone in the department had full write access to everything. I felt this was a mistake, and that key staff within each section of the department should have full write. Selected telecom infrastructure staff should be able to update maps and other cabling documentation, even if everyone is free to read. Print services staff should be able to add remove printer drivers, software/windows development staff should have the right to update most other drivers, etc, etc, etc.

    Boss at the time decided nope, full read/write for everyone. Helpdesk could edit cable plant files, cable infrastructure folks could delete device drivers. Thing is, once the permissions are set up badly no one wants to fix them because it means everyone's procedures now have to be revised. That idiot boss basically set the organization on a path that no one will be willing to deviate from.

  • by ghoul ( 157158 ) on Monday August 12, 2019 @07:44PM (#59081116)

    Since its highly unlikely in a complex and ever changing environment that you have access to exactly the data you need to do your job especially since the job is different everyday for knowledge workers by definition statistically speaking half will have too little access and half will have too much access.

    • by PPH ( 736903 ) on Monday August 12, 2019 @08:21PM (#59081184)

      Yeah. But what's the cost to the organization of not having data that you need versus having access to data that you don't?

      Some years ago, I was part of a team that built an engineering data control system. Only certain people had permission to create or modify the data. But anyone with permission to log on to the internal company network could read anything that they wanted. We did log read access, so anyone attempting industrial espionage could be traced. The system worked well.

      Then, management decided to replace our system with one that had a much finer access control. The result was that shop floor employees now had to chase down various domain access managers to obtain access that might not have been granted (in error) or became necessary due to some unusual configuration issues. (Wire bundle routed through an air conditioning duct. Let's bring up a drawing of both.) The shop floor pretty rapidly devolved into a shit-show. But management's answer was to hire a bunch of 'liaison engineers' who had greater access and could resolve problems. Productivity never recovered to that of the previous system. Manpower expense was higher and when problems arose, time was still wasted locating one of these engineers. When things were running smoothly, I suspect they spent their time surfing porn or shitposting on Slashdot.

      • by jbengt ( 874751 )
        The parent post should not be ignored. It is more important to enable workers than to restrict them, to a point.
        At my previous job, I often wrote proposals for projects with a client that I knew from another job. One of my bosses had gotten me permissions to access proposals because he knew I had a good relationship with that client. Then, someone decided that employees with my my job title didn't need access to proposals, and I lost access. Though they restored my access at first, they eventually woul
  • ... I remember my former security employer had a required online training about this. Basically, it said the contractors and employees must not look at stuff that they shouldn't be looking at if unrelated to them. Ha!

  • by PPH ( 736903 )

    I really didn't need to know that.

  • The concept of least privilege (https://www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege) determines the access level of users, not the classification of the data. For instance, credit ratings and account balances may both be classified as Restricted/Sensitive but a user's job may only require access to account balances, not credit ratings. Least privilege access grants the user permission to ONE set of data (account balances) that shares the same classification as another (credit ratings).
  • by brainchill ( 611679 ) on Monday August 12, 2019 @08:56PM (#59081266)
    I've been working for large, engineering heavy, IT companies for the last 20 years and most of them operate internally more like an academic institution than a for profit company. In nearly every role I've had almost entirely unfettered access to company product test builds, source code, etc, most lab and build servers/ vms across the company, etc have an internally known to everyone password ... most of us have full 24x7 access to pretty much every room in every building on campus with their badge .... (and I'm talking about companies with 10-20-50k employees not just a 10 person consulting firm) ..... the amount of access and trust that big IT companies give their employees is almost bonkers.
    • I am a data project manager with this access. With constant updates to applications that use my company's data, how would I reliably test anything if I couldn't see our business logic's effect on our real data? Test environments are generally too expensive to maintain as an EXACT replica of the system you're testing, so tests here are only "very likely" to yield meaningful results. So they have to trust me. I take that trust seriously and all my data access is logged, but still, "technically", I can see
  • It takes real effort to figure out what access each employee needs to do their job, and if insufficient access is provided, there is the expense of lost time while the employee is given the extra access that they need.

    Its a matter of cost vs risk tradeoff.

  • I worked for a place that was overly concerned with protecting it's IP, often IP that was of limited or no value. While companies may give too much access, too tightly controlling access creates much bigger problems. Trying to do your job when each tiny snippet of information requires several days to several weeks of effort and explanation with multiple levels of management is simply not productive.

    IMHO, the correct solution is to have reasonable restrictions on information which means that managers have

  • I work in operations and, being a public institution, we spend as little money as possible. Thus, we run lean. I had to let one of my staff go in April. I'm still trying to hire for the position. I have combined his data permissions with mine so I can do his old job while I try to hire for it.

    My director retired in June. I now have access to a lot of his old stuff along with the 2 others in the management team.

    These are all good reasons for me to have the expanded access I do, but what happens when those jo

  • What percentage of companies enforce more security rules than they need?

You are always doing something marginal when the boss drops by your desk.

Working...