3aIT Blog

Exiit SignA few days back, we noticed a story about the member database of the Labour party having been accessed without permission.

This blog isn't about that event specificially, but it's a perfect example to illustrate the purpose of this blog. It is almost certain that every company / organisation / club etc will have to deal with staff leaving for a variety of reasons.

How safe is your data?

WIth more and more of a company's data moving into massive searchable databases, that data becomes increasingly valuable. Conversely, having all that data in one place should make it a lot easier to control who has access to that data. It's a lot easier to place access controls on a central CRM than it is to somehow revoke access to a series of easily reproducable spreadsheets.

While most staff departures are usually amicable, that's not always the case. What isn't yet clear from that Labour story is whether this possible database breach occured before or after the MPs had resigned from the party (or indeed whether it was one of these MPs that tried to access the data - that's just heavily implied by the timing). As the article above points out, one important detail here is whether this access occurred before or after the MP left the party (if that's what happened). If it was afterwards, there may well be repercussions for Labour. Access to the database should have been revoked as soon as the MP left the party.

Data scharedThis highlights how important it is to ensure you have a procedure to follow as soon as possible after a member of staff has left. Whether that's letting your IT company know this so they can revoke that user's logins from your systems, or to do that yourself if you have the ability to do that.

It's important to do this even if the departure is amicable (as most will be). Even if you know there's little to no risk of the staff member trying to access your data without authorisation after they've left, it will usually be the case that their account will no longer be being actively monitored. If, say, an email account is compromised by a malicious 3rd party, if that mailbox is being actively used by a member of staff, they're likely to notice things aren't right quite quickly. However, if it's an idle mailbox that is no longer being monitored, it's likely to be far longer before anyone notices.

Stop SignSetting Permissions

The other thing to consider here is whether your company can utilise the power of permissions to restrict access to data in the first place. As you add data to your systems, it's worth always considering who exactly needs access to it. While the simple approach is to get let everyone have access to everything, this can backfire. Time spent getting this right can save a lot of trouble in the future. If a member of staff only has access to the data they need to do their job, that can limit any damage done if that member of staff later walks off with that data.

The final feature you may want to consider adding / enabling on your systems is some degree of audit logging. These can be configured to varying degrees, up to and including every click that every user makes in a system. This can become invaluable in a situation in which you need to track down exactly who has accessed certain data, when they accessed it, what they then went on to search etc. An audit log can even be used to flag unusual behaviour as it happens (if that behaviour can be defined).

Audit Logging

Of course, as you can imagine, this can generate massive amounts of data - even in a small company. Far too much for someone to manually review unless they already know what they're looking for (eg checking for access by a certain user within a certain timeframe). It's also not niecessarily absolute proof of something - if someone's account has been accessed by someone else, it will appear that user has accessed that they haven't themselves accessed. This is one reason that sharing account logins is almost always a bad idea.

So, in conclusion, there is not a single magic button that can be pressed that can make your data safe. The only foolproof way to do that would be to completely lock it down so that no-one can access it! However, there are various processes that should be followed that can be aided by various IT tools to ensure that your organisation is as on top of it as it can be in order to try and keep data loss to a minimum.