By now, most cybersecurity professionals have heard of the term access control. Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data. Access control is comprised of two main components: authentication and authorization. Authentication is the practice of confirming that a user is who they claim to be, while authorization is the process of determining which level of access each user is granted. Examples of authentication include:
- Passwords
- Tokens
- Multi-factor authentication (MFA)
- Certificate-based authentication
- Biometric authentication
Examples of authorization include:
- File permissions, such as the right to create, read, edit, or delete a file
- Program permissions, such as the right to execute a program
- Data permissions, such as the right to retrieve or update information in a database
If one were to look for a physical example of access control (an area we also assess for clients), a notable example would be a modern office building with doors that require ID badge entry. The ID badge itself serves as the authentication control, with each badge corresponding to an employee to whom it was assigned. And for an extra level of protection, an organization could require a 4-digit pin to be used in partnership with the ID badge, as an added layer of protection in the event of a stolen or lost ID badge. The authentication control verifies that the individual entering the building is who they claim to be, but what happens once they enter? Should they have access to every floor, room, and file cabinet? That is where an authorization control comes in to play. The door locks inside each section of the building could be programmed in a way that the building’s physical security team can grant various levels of access to the different employee ID badge. This authorization control will limit each employee to only those areas that are required for their job function.
So now that we have examined access control in the scope of both digital and physical security, what are the implications as it relates to malicious actors both domestic and abroad? Access control is a crucial step in mitigating the potential scope of a successful breach on your organization. Cybersecurity breaches and ransomware attacks continue to climb exponentially. According to data from the Identify Theft Research Center, the number of reported breach incidents increased by 14% during the first quarter of 2022, compared to the same period in 2021. The average ransomware payment rose to $925,162 during the first five months of 2022, approaching the unprecedented $1 million mark as they rose 71% from last year. But what is arguably the greatest global threat to organizations today is the theft of intellectual property data by foreign nations. One recent report outlines a yearslong malicious cyber operation spearheaded by the notorious Chinese state actor, APT 41, that has siphoned off an estimated trillions in intellectual property theft from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors. Attacks of this nature can (and have previously) put an organization out of business permanently.
Circling back to access control – we know what it is, we know what it is made up of, and we know what is at stake among the continually rising quantity and scale of attacks. It seems like a no-brainer, right? Unfortunately, far too many organizations across the US continue to put access control on the backburner, when in reality it should be placed on the same pedestal as physical security controls, if not higher. If your organization is planning to install tall fences, locked doors, and security cameras but is not addressing access control in a meaningful way, and reassessing the risks on a regular basis, then all those physical security controls might be for nothing. Think of it this way – it is much easier for a foreign adversary to compromise one of your user’s accounts (possibly via phishing) and roll the dice on the chance that they might have a wide range of access they do not need to have, versus sending some international spy to breach your physical security controls and rifle through cabinets and desks in the middle of the night. The malicious actors will choose the path of least resistance, but when faced with a robust access control policy, they will not get very far even after compromising a user’s account.
So where should you begin in addressing the weaknesses in your access control policy? Compass IT Compliance can help! We have spent the past decade helping organizations big and small in protecting their data and intellectual property. Contact us today to discuss your unique situation!
.webp?width=2169&height=526&name=Compass%20white%20blue%20transparent%202%20website%20(1).webp "Compass IT Compliance")
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp "Compass IT Compliance")
No Comments Yet
Let us know what you think