You’ve probably got a good idea of who should be looking at your data. The question is: who actually is? One would hope the two lists are close to, if not exactly, identical, but what if they’re not, and how could you possibly know?
Depending on the line of work you’re in, there may be a whole lot more people with eyes on your data than you first thought. Here’s how and why:
The Obvious Stuff – Network Security
The first and most obvious step is a network security audit: establish who has what level of access to your systems and, given that level of network access, what data it makes them privy to.
Hand in hand with this, adopt a data classification scheme and tie it to your network security controls, so that you can exert increasingly fine-grained control over who can see what, based on both variables together: network access level and data classification level.
Project Management/Collaboration Review
Especially if you keep data on cloud-based resources, which make it easy to share with people outside your company, you need to review all policies and procedures relating to collaboration, as well as any and all projects that involve outside talent. An end-to-end review of this kind not only gives you a better overall picture of who can see what, but also gives you the opportunity to tighten things up.
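The network audit and the collaboration review above boil down to the same question: for each class of data, who should be able to reach it, who can, and where do the two differ? As an added example (not code from the original article), the script below runs that comparison against an access export. It assumes a hypothetical four-tier network model (guest, vpn, corp, privileged) and a four-level classification scale (public, internal, confidential, restricted), and every principal, domain, resource and grant in it is constructed for illustration.

```python
"""
Added example, not from the original article: reconcile who *should* see each
class of data with who *can*, using a constructed access export.

Three findings are produced:
  - acl_exceeds_tier: a grant on data the principal's network tier cannot reach
    (the ACL is more generous than the network policy; tighten the ACL)
  - unexpected_viewers: principals who can actually reach a classification
    level but are not on the expected list for it
  - external_grants: principals outside the company domain holding any grant
    above "public" (the collaboration review)
"""
from collections import defaultdict

# Assumed classification scale, lowest to highest sensitivity.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed policy: the highest classification each network tier may reach.
# This is the "both variables together" rule from the article, as a table.
TIER_CEILING = {
    "guest": "public",
    "vpn": "internal",
    "corp": "confidential",
    "privileged": "restricted",
}

COMPANY_DOMAIN = "example.com"  # assumed

# Constructed classification map: resource -> classification level.
RESOURCE_CLASS = {
    "marketing/press-kit": "public",
    "wiki/onboarding": "internal",
    "finance/q3-forecast.xlsx": "confidential",
    "research/grant-dataset": "restricted",
}

# Constructed access export: (principal, network tier, resource granted).
ACCESS_EXPORT = [
    ("alice@example.com", "corp", "finance/q3-forecast.xlsx"),
    ("bob@example.com", "vpn", "wiki/onboarding"),
    ("bob@example.com", "vpn", "finance/q3-forecast.xlsx"),
    ("carol@example.com", "privileged", "research/grant-dataset"),
    ("dan@partner.org", "privileged", "research/grant-dataset"),
    ("eve@example.com", "guest", "marketing/press-kit"),
    ("grants@funder.gov", "vpn", "research/grant-dataset"),
]

# Constructed "should be looking" list for the levels you care to enumerate.
EXPECTED_VIEWERS = {
    "restricted": {"carol@example.com"},
    "confidential": {"alice@example.com"},
}


def reachable(tier, level):
    """True if a principal on this network tier may reach data at this level."""
    return CLASSIFICATION_RANK[level] <= CLASSIFICATION_RANK[TIER_CEILING[tier]]


def is_external(principal):
    """True if the principal's mail domain is not the company domain."""
    return principal.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def audit(access_export, resource_class, expected_viewers):
    """Return the three findings plus the effective viewers per level."""
    effective = defaultdict(set)
    acl_exceeds_tier = set()
    external_grants = set()
    for principal, tier, resource in access_export:
        level = resource_class[resource]
        if is_external(principal) and CLASSIFICATION_RANK[level] > CLASSIFICATION_RANK["public"]:
            external_grants.add(principal)
        if reachable(tier, level):
            effective[level].add(principal)  # grant AND network tier both permit
        else:
            acl_exceeds_tier.add((principal, resource))
    unexpected = {}
    for level, allowed in expected_viewers.items():
        extra = effective.get(level, set()) - allowed
        if extra:
            unexpected[level] = extra
    return {
        "effective_viewers": dict(effective),
        "acl_exceeds_tier": acl_exceeds_tier,
        "unexpected_viewers": unexpected,
        "external_grants": external_grants,
    }


if __name__ == "__main__":
    for name, finding in audit(ACCESS_EXPORT, RESOURCE_CLASS, EXPECTED_VIEWERS).items():
        print(f"{name}: {finding}")
```

In a real environment the export would come from your directory, VPN or cloud sharing console rather than a literal list, but the reconciliation logic is the same: the ACL alone does not tell you who can see the data, and neither does the network tier; only the intersection does, and it is that intersection you compare against the list of people who are supposed to be there.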
Less Obvious Stuff – Research Teams
Research teams are a particular case, especially those that receive all or part of their funding via grants. In many cases the money comes with strings attached, and those strings usually involve sharing data with the agency awarding the grant at the very least, and sometimes with a wider group than that.
Hackers & Thieves
An ever-present danger, of course. It could be that people who don’t have your best interests at heart are trying to gain access to your systems, your customer records, and/or your sensitive or proprietary data. More often than not, such attempts leave trace evidence behind, and even when they don’t, hackers often want you to know they were there, so they’ll make it obvious. If you are hacked, they’re probably going to sell your data to the highest bidder, so there’s no telling how far and wide it will be spread. In these cases, unfortunately, there’s no reeling it back in. All you can do is shore up your defenses so as to be better prepared for next time, and understand that there very likely will be a next time; it’s as close to a statistical certainty as we can get.
Then there’s the government: the NSA and other agencies who spy on us “for our own good.” Unlike hackers, these agencies don’t leave a trace. You’ll never know they were there or what they saw, and they have the most advanced tools and the brightest minds in the business. There’s no good way to protect yourself from them, and no way to know what they saw. Thinking about it too much will only make you seem paranoid, but it’s worth mentioning: if they can (and they can), then they probably do.
As you can see, then, the answer to the initial question, “Who’s looking at your data?”, is almost always some variant of “More people than you first imagined.”