How likely would you be to hand over your house keys to somebody you’d chatted to a handful of times? Would you be more likely to do so if they presented a valid reason for accessing your house – perhaps for maintenance or delivery? And would you feel happier granting them access if you had a way of checking their credentials, and monitoring what they did whilst in your home?
Chances are, you’d feel nervous about the risk to your home and possessions. You’d need convincing as to why they needed access, restrict their access if possible, and monitor their conduct closely. Or, let’s be honest, as you barely know them you’d probably not give them the keys at all.
And yet, across the world, organisations routinely grant privileged user access to all sorts of employees, enabling them to access sensitive systems and data without adequate processes and monitoring in place. In so doing, they are making themselves a big fat bullseye for accidental or deliberate data breaches and serious cyber attack.
As a cyber security-conscious company, you should make effective processes for managing user privileges a vital part of your risk management regime (which we’ve been discussing across our blogs).
Of course, there will always be certain people who need a higher degree of access to systems and data in order to carry out their job roles. Your security staff, IT team, HR department, data controllers and finance team would be fairly up in arms if denied access to their relevant systems or data. Blocking them all clearly isn’t an option.
The key is to hand out privileges with care. Establish what level of access each employee genuinely needs, and provide them with a reasonable but minimal level of system privileges and rights required for their role – the so-called ‘principle of least privilege’.
And pay close attention to these guidelines from the UK National Cyber Security Centre:
By following such protocols you should make your systems and data a little less susceptible to attack or leaks: handing out your house keys only to those who absolutely need access, asking for identification, following and logging their every move, not letting them go beyond the downstairs loo, and never letting them invite others along for the trip.
It’s obvious when it’s your home: make sure you apply the same security to your business.