IT Survey: Employees Have Access To Too Much Information

The Ponemon Institute found that 69% of respondents said access policies in their organizations were poorly enforced or ignored.
The majority of IT executives believe employees have access to too much information, a study released Tuesday suggests.

The 2008 National Survey on Access Governance, conducted by information management research firm the Ponemon Institute and Aveksa, a corporate security vendor, finds that 78% of 700 IT professionals surveyed believe their employees have too much access to information that's not necessary for their jobs.

It may seem self-serving for a company that offers security and compliance systems to highlight the need for its products and services, but such is the world of IT-oriented studies. For all its unseemliness, events of the past few weeks suggest that there is more to Aveksa's observations than marketing.

The loss of more than $7 billion at French bank Société Générale might have been averted had better internal controls been in place to prevent Jerome Kerviel's apparently disastrous financial trades. And Steven E. Hutchins Architects might not have lost an estimated $2.5 million in architectural data to the alleged actions of a disgruntled employee had the firm implemented better security measures.

Despite the fact that such might-have-beens are the stuff of promotional literature, the inescapable conclusion is that information is too accessible and too free of controls.

Consider: The survey found that 69% of respondents said that access policies in their organizations were poorly enforced or ignored. It also found that 55% of respondents rated their companies' ability to grant information access rights to be poor or nonexistent.

"The ability of organizations to consistently enforce access policies is not good," said Brian Cleary, VP of marketing of Aveksa. "Organizations don't have a good process for doing regular review and certification."

A common problem, said Cleary, is "entitlement creep," in which workers move to a new business unit and their information access rights fail to get updated to match their new roles. Business units tend to leave this to IT organizations, but Cleary believes that's a mistake because it's the business units that understand role requirements.
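The "regular review and certification" Cleary describes can be partly automated. The following is an added illustration, not code from the article, from Aveksa or from the Ponemon Institute: a small access-review check that compares each user's current entitlements against what their present business unit legitimately needs, and flags grants that predate their last role change (the entitlement-creep case) as well as grants with no active owner. The role policy, user records and grants are all constructed for the example.

```python
"""Stale-entitlement detector for a periodic access review.

Added example (not from the article, Aveksa or Ponemon). It flags
entitlements a user still holds after moving to a business unit whose role
does not require them. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    uid: str
    business_unit: str
    role_since: date  # date of the most recent role / business-unit change


@dataclass(frozen=True)
class Grant:
    uid: str
    entitlement: str
    granted_on: date


# Hypothetical role policy: the entitlements each business unit legitimately needs.
ROLE_POLICY = {
    "trading": {"trade-book-write", "market-data"},
    "risk": {"trade-book-read", "market-data", "risk-models"},
    "facilities": {"badge-admin"},
}


def review_entitlements(users, grants, policy=ROLE_POLICY):
    """Return (uid, entitlement, reason) tuples a business-unit reviewer must act on."""
    by_uid = {u.uid: u for u in users}
    findings = []
    for g in grants:
        user = by_uid.get(g.uid)
        if user is None:
            # Grant with no active account behind it: orphaned access.
            findings.append((g.uid, g.entitlement, "orphaned: no active user"))
            continue
        allowed = policy.get(user.business_unit, set())
        if g.entitlement in allowed:
            continue
        if g.granted_on < user.role_since:
            # Entitlement creep: a grant from a previous role was never revoked.
            reason = (f"not required by {user.business_unit}; "
                      f"predates role change on {user.role_since.isoformat()}")
        else:
            reason = f"not required by {user.business_unit}; granted after role change"
        findings.append((g.uid, g.entitlement, reason))
    return findings


# Constructed sample data: alice moved from trading to risk on 2008-01-15 and
# kept her old write access; carol's account no longer exists but a grant does.
USERS = [
    User("alice", "risk", date(2008, 1, 15)),
    User("bob", "facilities", date(2006, 6, 1)),
]
GRANTS = [
    Grant("alice", "trade-book-write", date(2007, 3, 1)),   # stale, from old role
    Grant("alice", "market-data", date(2007, 3, 1)),        # still needed in risk
    Grant("alice", "trade-book-read", date(2008, 1, 16)),   # granted for new role
    Grant("bob", "badge-admin", date(2006, 6, 1)),          # appropriate
    Grant("carol", "risk-models", date(2007, 9, 1)),        # orphaned
]


def demo():
    """Run the review over the constructed data; two findings are expected."""
    return review_entitlements(USERS, GRANTS)


if __name__ == "__main__":
    for uid, ent, why in demo():
        print(f"{uid}\t{ent}\t{why}")
```

The point of keying the check on the business unit's policy rather than on IT's records is the one Cleary makes: it is the business unit that knows which entitlements a role requires, so the policy table is what they certify, and the output is the list they must approve or revoke.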

"Business units think IT owns liability for failure," said Cleary. "But that's not the way auditors see it."