Information leakage: Failure to protect data or poor internal management?

Eduardo Maia, Senior Manager of IT Risk Internal Audit and Financial Advisory at Protiviti, tells us how internal data leaks can put a company’s reputation at risk and can be a serious headache to deal with.

Information leakage is one of the main issues among IT managers and one of the biggest risks that companies can face and need to address.

Strategic, customer and employee data are examples of information that, if leaked, can cause material, reputational and legal damage to organisations of any size.

Because the cyber breach, which exposes content to outsiders, is the most visible technological threat, data leaks are commonly reported as the result of a cyberattack that gave external parties access to information.

However, most of these cases occur internally in companies and are carried out by malicious people who aim to obtain some advantage with this information.

Personal data has become increasingly valuable because, by collecting it, a company can more confidently offer the right products to the customers most likely to buy them. That value, which exists as internal knowledge, is what tempts bad actors to leak the data and harm the organisation.

In response to this scenario, regulations were created: in Europe, the GDPR (General Data Protection Regulation) and, in Brazil, the General Data Protection Law (LGPD), which came into force in September 2020. The LGPD protects personal data and applies sanctions ranging from warnings and simple or daily fines to the partial or total prohibition of activities related to data processing.

This has made processes within companies more rigorous, and measures have been taken to tighten access control in order to prevent leaks, all of which falls under ‘Information Security’.

For these practices to be applied well, steps such as the following can be taken: establishing update processes for software and systems, defining security policies, prohibiting pirated or unreliable programs, monitoring the infrastructure, training professionals in good information security practices, and frequently monitoring e-mail, documents, cloud storage and other information.

However, it is important to highlight that once access to this information has been granted, preventing leakage depends on one more factor: ‘Access Management’.

The problem arises when companies grant access without mapping professionals’ roles, by mirroring the profiles of other users, or without examining whether the access granted could create any risk for the business.

As a result, employees may hold permissions that are incompatible with the roles they perform, and may eventually take advantage of them.

As such, adherence to the LGPD involves much more than just having appropriate privacy and consent policies. It is essential that companies also focus on the implementation of internal controls, including access management and segregation of duties (SoD), in order to minimize improper actions and, consequently, increase the protection and compliance of this information.
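The two failures described above, mirrored profiles and roles that do not match the job performed, can be checked mechanically. The following is an added example in Python, not code from the article or from Protiviti; the roles, permissions, SoD rules and users are constructed sample data.

```python
# Constructed sample data (not from the article): permissions granted by each role.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "hr_analyst": {"employee.read"},
}

# Constructed SoD rules: permission pairs one person must never hold together.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and pay it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
]

# Constructed job-function mapping: the roles each job is approved to hold.
JOB_ROLES = {
    "ap_clerk_job": {"ap_clerk"},
    "ap_manager_job": {"ap_approver"},
    "hr_job": {"hr_analyst"},
}

# Constructed users: (job function, roles actually assigned in the system).
# carol's profile was mirrored from both alice and bob, the pattern the text describes.
USERS = {
    "alice": ("ap_clerk_job", {"ap_clerk"}),
    "bob": ("ap_manager_job", {"ap_approver"}),
    "carol": ("ap_clerk_job", {"ap_clerk", "ap_approver"}),
    "dave": ("hr_job", {"hr_analyst", "ap_clerk"}),
}

def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def sod_conflicts(users=USERS, rules=SOD_RULES):
    """Map each user to the SoD rules their effective permissions violate."""
    findings = {}
    for user, (_job, roles) in users.items():
        perms = effective_permissions(roles)
        hits = [why for a, b, why in rules if a in perms and b in perms]
        if hits:
            findings[user] = hits
    return findings

def excess_roles(users=USERS, job_roles=JOB_ROLES):
    """Map each user to roles that are not approved for their job function."""
    findings = {}
    for user, (job, roles) in users.items():
        extra = roles - job_roles.get(job, set())
        if extra:
            findings[user] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(sod_conflicts())   # carol holds both sides of both toxic pairs
    print(excess_roles())    # carol and dave hold roles outside their job
```

Running this against a real identity store would mean replacing the constructed dictionaries with exports of role definitions, job-to-role mappings and user assignments; the two checks are the same.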

In short, SoD and LGPD are intrinsically related when it comes to protecting sensitive data, and integrating them effectively brings several benefits to companies. In addition to contributing to legal compliance, this approach strengthens data security, increases customer and partner trust, prevents reputational damage and demonstrates a commitment to protecting information privacy, offering a competitive advantage in a regulated marketplace.
