Who has access to sensitive files on your network?  You’ve probably locked down sensitive files, such as HR and bookkeeping information, ensuring that only certain people can view them.  But how about corporate strategy documents?  Data about your clients? Your sales team’s interactions with prospects?

This is a question of employee trust, but it’s much more than that.  For every user that has access to a broad range of files on your network, you have another very powerful password to protect.  You might trust your customers to not snoop around your network, but if their passwords are compromised, you definitely shouldn’t trust the hacker or social engineer that stole them.  This is just one of many reasons that file access should be based on three rules.

Rule #1 – Employees have a clear need for the data they can access

There are plenty of drawbacks to providing a user with access to files.  They may intentionally or unintentionally view (or modify) confidential information.  If they have write access, they may accidentally delete files.  If their login credentials are stolen, the thief will have access to more of your information.  And if they leave, it’s more work for the IT team to clean up.
Or, if the IT team doesn’t remove access, a stray login that everyone has forgotten about.

All of these reasons should be weighed against granting access to files.  Does the user need access to the information to complete work for the company?  Do they need temporary access, or does their job require continued access?  Do they need only one file, or do they need access to the entire folder?  If there’s a clear need for access, then there’s no need to hinder a company’s success in the name of security.  But well-informed employees understand that every piece of information they have access to is a risk as well as an opportunity.

Rule #2 – Employees with access to sensitive data have earned your trust.

Of course, it’s common sense that you don’t provide unfettered access to client data (or P&Ls, W-2s, or other Personally Identifiable Information) to an employee you think might use it nefariously.  Unfortunately, you need to trust more than an employee’s integrity in order to grant them access to sensitive information.

You need to trust their judgement – will they be duped into unknowingly providing access to someone else?  You need to trust their adherence to policy – will they follow a restriction on data sharing even if they don’t know why it’s in place?  Finally, you need to trust their memory – if they don’t remember the rules, they aren’t likely to follow them.  If an employee requires access to sensitive data to do their job but you don’t trust them in all of these ways, you probably have the wrong person in the seat.

Rule #3 – You have a way to verify the data is being used properly.

Whenever you allow users to access information, you’re trusting that the people with those login credentials are using them correctly.  But in today’s world, you can never really know who has that login information.  It could have been taken from that user without their knowledge, either electronically or from an unguarded notepad.

This means you need a way to audit file access.  You or your IT team should periodically audit file access logs, and make sure that there isn’t a user in customer service who requires monthly access to accounting data but is opening files daily.  You should also make sure you haven’t accidentally provided wide access to a folder which should have been kept private, especially if one or more employees are periodically reading these sensitive documents.  Most importantly, you should be especially wary of someone accessing a wide range of data simultaneously, especially if they’re copying it.  There’s a very good chance that data is moving off of your network. There’s also a good chance that it isn’t your employee that’s doing all of the copying, but instead someone who gained unauthorized access to their login credentials.

To learn how WingSwept can keep your network secure, call us at 919-779-0954 or email us at Team_WingSwept@WingSwept.com.