Originally published March 2020 by Bill Sorenson, VP of Strategy FinTech – CISO, Netgain in New Jersey CPA Magazine March/April Edition. Full magazine can be viewed at njcpa.org.
Cybersecurity challenges and data breaches continue to grow and impact all industries. And 2019 showed a huge increase in the number of firms and customers that had their private information exposed and compromised. Risk management, therefore, has become a required core competency of every IT department. Managing internal users and the risks they bring to an accounting firm or corporate finance department is where least privilege and zero trust should come into play.
The Principle of Least Privilege (POLP)
It’s a change in thinking processes. Instead of trusting people and verifying what they do, this kind of risk management moves toward a never-trust-and-always-verify approach. POLP focuses on making sure every employee has access to the data and information they need to do their job — and no more! It may seem Orwellian, but there are significant reasons why now’s the perfect time to implement this.
Understanding the Risks
We’re talking about insider threats. With new accountant turnover at the highest rates in recent history, more and more junior people are entering and leaving firms. Each one of these individuals brings an added risk to the organization and the exposure of customers’ data. This exposure can be accidental or deliberate, but it’s time to reduce this risk to a manageable level.
Organizations typically have large groups of employees with access to large volumes of data. This may include a broad ability to see customer information, work on previous years’ projects and access information they would never use. This creates significant risk for the organization and limits its ability to understand what happened when data is exposed.
Junior members of a firm typically have access to information beyond their needs. This access allows that information to move outside the firm, whether by downloading it to laptops, copying it to Dropbox or Google Drive, deliberately taking customer data when leaving the firm, or accidental exposure. Additionally, when a breach happens, the scope of that breach depends on what that specific user has access to. By using the POLP approach, one dramatically reduces the scope of that breach risk.
What’s the answer? First, within the applications accountants use for tax, audit and other services, restricting user access to only the customers they’re working on can help. This reduces the risk dramatically and appropriately limits exposure to what that employee has access to. And this isn’t just for junior accountants; it is for everyone in the firm.
Second, it’s wise to reduce the amount of data the person has access to. This includes files and folders, the volume of previous years’ data, and other shared information within the firm. Employees should have access to what they need but not anything extra.
Lastly, from a technical support standpoint, system administrators should live within these boundaries as well. Each system administrator should have a normal account that they use on a day-to-day basis. They then have a second administrative account, with escalated privileges to see everything they need to and do the work they need to do. This second account is audited and monitored so that any and all changes beyond the scope of their normal work get recorded and can be reviewed later. This significantly limits the casual exposure of data and any nefarious activities. Using this process solidifies one’s commitment to risk management within an organization. It’s best to understand and address risks while creating an environment that protects customers’ data and the organization’s. This can be achieved with the POLP approach.
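The two-account model above only works if someone actually reviews what the administrative account did. The following is an added example, not code from the article or from Netgain, of a small review script that reads audit events and flags the three things the paragraph calls for: an admin account being used for day-to-day work, an admin account acting outside its approved scope, and a normal account performing a privileged action. The log format, account names and the approved-scope table are assumptions; the log lines are constructed samples.

```python
"""Audit review for the two-account model: a day-to-day account should never
perform privileged actions, and the separate admin account should only perform
the privileged actions it was approved for. All data below is constructed."""
from collections import namedtuple

Event = namedtuple("Event", "ts account action target")

# Constructed sample audit log (assumed format: timestamp|account|action|target).
SAMPLE_LOG = """\
2020-03-02T08:05|jsmith|open_file|clients/acme/2019/return.pdf
2020-03-02T08:40|jsmith-adm|reset_password|user:tlee
2020-03-02T09:10|jsmith-adm|read_mail|mailbox:jsmith
2020-03-02T09:30|jsmith-adm|share_folder|clients/globex/2018
2020-03-02T10:00|jsmith|grant_admin|group:Domain Admins
"""

# Approved scope per admin account (assumed to come from a change ticket);
# an account listed here is treated as an administrative account.
ADMIN_SCOPE = {"jsmith-adm": {"reset_password", "create_account", "disable_account"}}
# Actions that must only ever be performed from an admin account.
PRIVILEGED_ACTIONS = {"reset_password", "create_account", "disable_account",
                      "share_folder", "grant_admin"}
# Day-to-day actions an admin account should never be used for.
DAILY_ACTIONS = {"read_mail", "open_file", "browse_web"}


def parse_log(text):
    """Turn the pipe-delimited audit text into Event tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, action, target = line.split("|", 3)
            events.append(Event(ts, account, action, target))
    return events


def review(events, admin_scope=ADMIN_SCOPE):
    """Return (event, reason) findings for a reviewer to look at later."""
    findings = []
    for ev in events:
        is_admin = ev.account in admin_scope
        if is_admin and ev.action in DAILY_ACTIONS:
            findings.append((ev, "admin account used for day-to-day work"))
        elif is_admin and ev.action not in admin_scope[ev.account]:
            findings.append((ev, "privileged action outside approved scope"))
        elif not is_admin and ev.action in PRIVILEGED_ACTIONS:
            findings.append((ev, "privileged action from a normal account"))
    return findings


if __name__ == "__main__":
    for ev, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.account} {ev.action} {ev.target}: {reason}")
```

Run against the sample log it reports three findings: the admin account reading mail, the admin account sharing a client folder it was not approved to touch, and the normal account granting admin rights.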