Retail Technology

As IT continues to grow in importance as a vital tool supporting retail businesses, on the shop floor as well as in the back office, identity access and governance expert Marc Lee argues that all staff should be regarded as a potential security risk.

“Unfortunate as it might be, businesses cannot afford to blindly trust in employees to adhere to security and compliance policies,” Lee said.

Lee, director of sales for the Europe, Middle East and Africa region at identity access management and governance solutions provider Courion Corporation, urged retailers to consider the financial and reputational cost of ensuring that staff leaving the company’s employment don’t walk off with confidential information such as credit card numbers, or retain access to systems after their departure. Brand reputation could be at stake if customer data falls into the wrong hands.

“If your organisation doesn’t know exactly what applications and systems employees have access to, it is far from alone – in fact, it’s in the majority,” continued Lee. “A 2010 survey conducted by Courion found that among IT leaders at 384 leading enterprises, over 61% had limited or no knowledge of which systems or applications employees had access to. This was up from 52% the previous year, demonstrating an increasing risk of ‘zombie’ accounts – those that remain active after employees leave a company, and present a security risk because they can be used to access confidential information.”

Aside from the loss of sensitive data and the potential fallout from angry customers and suppliers, Lee also pointed to the fact that the Information Commissioner’s Office (ICO) is now empowered to hand out fines. The latest, issued to Ealing and Hounslow councils, ran to £80,000 and £70,000 respectively. Both concerned the loss of a single laptop containing sensitive data. “The loss need not involve the theft of physical property, however; an inability to properly secure data is the issue that most concerns the ICO,” he added.

“The good news is that by adhering to several simple guidelines, you can safeguard your data from ‘insider’ attacks and define, assess, enforce and verify appropriate user access policies across all three phases of the employment period – time of hire, duration of employment, and contract completion.”

At the time of hire

When hiring staff, Lee said retailers should aim to grant only the least level of access required for them to do their job successfully. Given the transient nature of temporary or contract employees, this process is even more critical for them.

He also said it was prudent to set up temporary or contract roles by function. Access role templates for company resources can be based on workers’ specific job functions and are an efficient and secure way to provision access for temporary workers, particularly for organisations hiring in large numbers.

During employment

Lee advised retailers to take several steps with employees’ access during their employment, to increase access intelligence and ensure that data is protected.

The first is to enforce strong password policies. Seasonal and permanent workers alike should adhere to the same ‘strength’ requirements, with password changes encouraged on a frequent basis. This can limit password sharing and reduce the possibility of other employees accessing sensitive data they should not have access to.

Secondly, he said it is important to connect user activity with identity and access policies. While access assurance solutions ensure that the right people have the right access to the right resources, security information and event management (SIEM) and data loss prevention (DLP) tools can be used in conjunction with an access assurance solution to ensure that users are doing the right things with that access.

At the end of employment

When an employee’s contract is terminated, ensure that their access is immediately disabled so that there is no opportunity for them to try to access sensitive data. Lee observed: “Studies show that thieves often use stolen credit card numbers minutes after their theft, leaving the victim with no time to close the accounts. The same can happen in the business domain – with the terminated employee often trying to access files as soon as possible, knowing that their access will eventually be cut off.”
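The two checks described above, a reconciliation of still-enabled accounts against the HR leavers list to surface ‘zombie’ accounts, and a comparison of each account’s entitlements against its function-based role template, as an added example that is not Courion’s or the article’s own code; the roster, templates and account export are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical): HR roster with termination dates,
# function-based role templates, and an export from the access management system.
HR_ROSTER = {
    "alice": {"role": "cashier", "terminated": None},
    "bob":   {"role": "cashier", "terminated": date(2011, 1, 31)},
    "carol": {"role": "stock",   "terminated": date(2011, 2, 14)},
}
ROLE_TEMPLATES = {
    "cashier": {"pos_terminal", "shift_rota"},
    "stock":   {"inventory", "shift_rota"},
}
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "apps": {"pos_terminal", "shift_rota", "payment_reports"}},
    {"user": "bob",   "enabled": True,  "apps": {"pos_terminal"}},
    {"user": "carol", "enabled": False, "apps": {"inventory", "shift_rota"}},
    {"user": "dave",  "enabled": True,  "apps": {"inventory"}},
]
AUDIT_DATE = date(2011, 3, 1)  # constructed date of the access review


def find_zombie_accounts(accounts, roster, today):
    """Enabled accounts whose owner has left, or who has no HR record at all."""
    zombies = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing to report
        person = roster.get(acct["user"])
        if person is None:
            zombies.append((acct["user"], "no HR record"))
        elif person["terminated"] is not None and person["terminated"] <= today:
            zombies.append((acct["user"], f"terminated {person['terminated']}"))
    return zombies


def find_excess_access(accounts, roster, templates):
    """Applications granted beyond what the owner's role template allows."""
    excess = {}
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            continue  # reported by find_zombie_accounts instead
        extra = acct["apps"] - templates.get(person["role"], set())
        if extra:
            excess[acct["user"]] = sorted(extra)
    return excess


if __name__ == "__main__":
    print("zombie accounts:", find_zombie_accounts(IAM_ACCOUNTS, HR_ROSTER, AUDIT_DATE))
    print("excess access:", find_excess_access(IAM_ACCOUNTS, HR_ROSTER, ROLE_TEMPLATES))
```

Run against a real HR feed and directory export, the same two functions give a leavers report for the termination-day disable step and a list of role deviations to review during employment.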

He concluded: “By following these simple steps, you can limit your organisational risk and ensure that your sensitive data is protected at the end of even the busiest seasonal contract period, or as the result of layoffs.”