Access controls are important for every internal business system, not just cloud-based systems. ADT’s recent litigation due to an employee’s actions shows the importance of access controls.
There’s been so much talk of bad actors, malware, ransomware and other security problems that many businesses have failed to account for what may be the biggest problem of all: insider threats. An insider threat arises when the credentials of someone who has legitimate access to your internal business systems are used in an inappropriate way. Whether that person does it themselves with the intent to extort the business, or whether the credentials are stolen, really doesn’t matter. What matters is that someone is now inside your business and there are no red flags to indicate they shouldn’t be there.
We’ve talked before about IAM controls, which most people generally associate with cloud use. However, IAM controls are a necessary part of every business’s security protocols. These controls dictate which employees have access to which systems. Your administrative team doesn’t need access to software development code. Your customer-facing employees don’t need access to security protocols. The fewer people who have access to each system, the less surface area there is for an insider threat.
A good example of what can happen when permissions aren’t appropriately set is an ADT employee who was charged in Texas. According to Ars Technica, “Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions, all without the permission or knowledge of customers.”
ADT discovered the incident and took it to prosecutors last April, but that is not going to be enough to save the company. It has already been hit with at least two proposed class-action lawsuits. One of the suits is on behalf of the ADT customers themselves, and the other is on behalf of other people who were in the home. The second suit alleges that one of the victims was a minor at the time of the breach.
While the perpetrator, Aviles, is currently facing charges in court, ADT is still ultimately responsible for his dishonesty and breach of privacy. Customers will continue to join the class-action lawsuits, and ADT will suffer both financially and in image. It will have fines to pay and legal fees to shell out for lawyers. And it all could have been prevented by properly vetting employees and by using proper access controls to actively ensure that employees aren’t accessing customer information they don’t need.
This case shows clearly what can happen when access controls are not set properly. ADT is going to lose a good amount of money paying those fines, fees and reparations, but it is also going to lose customers and struggle to regain the trust of consumers. The business has hit some rocky water, but it still could have been worse. Aviles could have sabotaged customer accounts and extorted them for money, but he didn’t. If a threat actor had been the one doing this, that person could have done incredible internal damage to ADT, such as implanting malware or rendering its security services useless and leaving every customer without service. Someone who could do that in a specific area could coordinate with a physical team to break in and steal things. ADT would be on the hook for that, too.
Access controls are vital to the security of a business. The fewer people who have access to a system, the smaller the surface area a threat actor has to exploit. Yes, even with access controls, if someone loses their credentials or has them stolen, a bad actor may figure out how to get to other systems. The difference is that the attempt will raise red flags and set off alarm bells, warning security personnel that there is a problem that needs to be addressed. Be sure to set your access controls properly to reduce insider and accidental insider threats!
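To make the two points above concrete, here is an added example (written for this article, not code from ADT or from any real monitoring product) of a least-privilege check for camera access plus a simple audit-log detection: a technician may only view cameras on accounts assigned to them, every denied attempt is surfaced for alerting, and a separate check flags anyone touching far more accounts than a normal workload would explain. The assignment table, user names, account IDs and the threshold of five accounts are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which technician is assigned to which customer
# accounts. In a real deployment this would come from the ticketing/IAM system.
ASSIGNMENTS = {
    "tech_alice": {"acct-1001", "acct-1002"},
    "tech_bob": {"acct-2001"},
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    account: str
    action: str  # e.g. "view_camera"


def is_authorized(user: str, account: str, action: str) -> bool:
    """Least-privilege rule: only 'view_camera' is permitted, and only on
    accounts currently assigned to that user. Anything else is denied."""
    if action != "view_camera":
        return False
    return account in ASSIGNMENTS.get(user, set())


def enforce(events: list[AccessEvent]) -> list[AccessEvent]:
    """Run every access attempt through the check and return the denied ones.
    These are the 'red flags' that belong in an audit log and a SIEM alert."""
    return [e for e in events if not is_authorized(e.user, e.account, e.action)]


def flag_broad_access(events: list[AccessEvent], max_accounts: int = 5) -> dict[str, int]:
    """Detective control for when the preventive check is missing or too lax:
    report users who touched more distinct accounts than the threshold.
    Returns {user: number_of_distinct_accounts} for every flagged user."""
    per_user: dict[str, set[str]] = {}
    for e in events:
        per_user.setdefault(e.user, set()).add(e.account)
    return {u: len(a) for u, a in per_user.items() if len(a) > max_accounts}


# Constructed access log: alice stays inside her assignments; bob views one
# unassigned account and then six more he has no relationship with.
SAMPLE_EVENTS = [
    AccessEvent("tech_alice", "acct-1001", "view_camera"),
    AccessEvent("tech_alice", "acct-1002", "view_camera"),
    AccessEvent("tech_bob", "acct-2001", "view_camera"),
    AccessEvent("tech_bob", "acct-1001", "view_camera"),  # not assigned -> denied
] + [AccessEvent("tech_bob", f"acct-{n}", "view_camera") for n in range(3001, 3007)]

if __name__ == "__main__":
    for denied in enforce(SAMPLE_EVENTS):
        print("DENIED:", denied)
    print("broad access:", flag_broad_access(SAMPLE_EVENTS))
```

Run stand-alone, the script prints seven denied events for tech_bob and flags him for touching eight distinct accounts, while tech_alice generates no alerts.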