7 Tactics for Establishing Need-to-Know Access to Accounts and Information
A disgruntled ex-employee puts hate messages on your company social media channels. Your sales rep takes your customer contact data with them after they’re terminated. There’s an unauthorized withdrawal from your bank account. These are all scenarios that could happen if you’re not controlling employee access to corporate accounts and data.
Having a detailed employee offboarding process that shuts off access to accounts and information before anyone has a chance to steal or corrupt data will limit the damage that an employee can do on their way out of your organization. Insider threats can also come from people who are still employed.
Then consider threats coming from outside your company. Cyber criminals are always trying to find ways to get into your IT systems in order to take your data hostage with ransomware or gather the intelligence they need to get to a bigger target. Your employees’ accounts are a favorite pathway for entering your network.
What can you do to avoid being exploited by known or unknown persons? Start by setting out guidelines that allow account and information access on a need-to-know basis.
Follow the Principle of Least Privilege
There’s a cybersecurity term for need-to-know. It’s called the Principle of Least Privilege and it applies to the usernames and passwords associated with corporate and online accounts as well as access to data. Within the Principle of Least Privilege, people have access to what they need to perform their job role and no more.
There are several tactics and tools that you can use to implement and maintain least privilege access.
1. Document Access for Every Job Role
Document access to accounts and data in your security policies for every job role in your company. Even if you have already done this, it’s advisable to conduct periodic reviews by role and by employee to make sure that permissions adhere to your security policies. What often happens is that when people change roles, new permissions are added on top of the ones they already have, or someone requests increased access because they can’t get a report they need, and the extra permissions are never removed.
2. Document Access for Vendors
Your vendors are just as accountable for your security as you are, so make sure that you’re not giving them the keys to the castle when they need to do work on your network. The people who work with your vendors act as the gatekeepers, and having strict guidelines for what they can and can’t allow will avoid situations in which they inadvertently grant more access than is necessary for the job at hand.
3. Train Employees on Security Policies
Your documented security policies aren’t going to do any good unless your people know, understand, and can follow them. Some people need not only to understand the guidelines for their own access to data and accounts, but also to oversee the access of other roles. In any case, a one-off training isn’t going to be sufficient, and again, periodic reviews of permissions should be scheduled.
4. Enforce Security Policies with Technical Controls
Use technical controls when possible to automate permissions. Going back to the job role, first decide whether the employee needs access at all, then determine the level by what they actually need to do. For example, read-only permission may be adequate. Have a process in place to review requests for additional permissions and update the documentation when changes are made. What you don’t want is for IT to grant additional access without approval.
5. Utilize Identity Management Systems
Passwords and Multi-factor Authentication (MFA) are essential for protecting access to your IT systems. Implementing MFA may force you to stop the practice of allowing employees to share accounts. You may have to get more software licenses, but you’ll be doing a lot to build up the strength of your weakest layer of security – your people.
6. Include IT in Your Offboarding Process
Don’t let IT support be the last to know when an employee leaves. Whether they’re terminated or moving on by choice, you don’t want forgotten doors to your data left unsecured. Keep in mind that certain employees may have accounts outside of your corporate sphere, like web apps for HR, marketing and sales. The only way to make sure these are included in offboarding is if they’re documented.
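The periodic reviews described in tactics 1, 4 and 6 can be turned into a repeatable check: compare each account’s actual grants against the documented permissions for its job role, and flag accounts that remain enabled after the person has left. The script below is an added example written for this article, not a tool from XPERTECHS. The role policy, account records, permission names and the hypothetical `review` and `revocation_plan` helpers are all constructed for illustration.

```python
"""Least-privilege drift review: compare documented role permissions
against the grants each account actually holds (added example; all
roles, permission names and accounts below are constructed)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy: the permissions each documented job role should have.
ROLE_POLICY: dict[str, set[str]] = {
    "sales_rep": {"crm:read", "crm:write_own", "email"},
    "accountant": {"bank:view", "bank:pay", "erp:read", "email"},
    "support_tech": {"helpdesk:read", "helpdesk:write", "email"},
}


@dataclass
class Account:
    user: str
    role: str
    grants: set[str]
    active: bool = True   # still employed according to HR
    enabled: bool = True  # login still enabled in the system


# Constructed account records, including the typical drift cases:
# a role change that kept old permissions, a departed user whose login is
# still enabled, a one-off grant that was never reviewed, and a role that
# was never documented in the policy.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales_rep", {"crm:read", "crm:write_own", "email"}),
    Account("bob", "accountant", {"crm:read", "crm:write_own", "bank:view",
                                  "bank:pay", "erp:read", "email"}),
    Account("carol", "sales_rep", {"crm:read", "email"}, active=False),
    Account("dave", "support_tech", {"helpdesk:read", "helpdesk:write",
                                     "email", "bank:pay"}),
    Account("erin", "contractor", {"erp:read"}),
]


def review(accounts: list[Account], policy: dict[str, set[str]]) -> list[dict]:
    """Return one finding per policy violation, in account order."""
    findings = []
    for acct in accounts:
        # Offboarding gap: HR says the person left but the login still works.
        if not acct.active and acct.enabled:
            findings.append({"user": acct.user, "issue": "enabled_after_departure",
                             "detail": sorted(acct.grants)})
        allowed = policy.get(acct.role)
        if allowed is None:
            # Cannot judge least privilege for a role nobody has documented.
            findings.append({"user": acct.user, "issue": "undocumented_role",
                             "detail": acct.role})
            continue
        excess = acct.grants - allowed
        if excess:
            findings.append({"user": acct.user, "issue": "excess_permissions",
                             "detail": sorted(excess)})
    return findings


def revocation_plan(accounts: list[Account], policy: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map each user to the grants that must be removed to restore least privilege.
    Departed users lose everything; active users lose only what their role does not allow."""
    plan: dict[str, list[str]] = {}
    for acct in accounts:
        if not acct.active:
            if acct.grants or acct.enabled:
                plan[acct.user] = sorted(acct.grants)
        elif acct.role in policy:
            excess = acct.grants - policy[acct.role]
            if excess:
                plan[acct.user] = sorted(excess)
    return plan


if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, ROLE_POLICY):
        print(f"{f['user']:<6} {f['issue']:<24} {f['detail']}")
    print("revocations:", revocation_plan(SAMPLE_ACCOUNTS, ROLE_POLICY))
```

In practice the two inputs come from different systems: the role policy from the security documentation and the grants from an export of the directory or application, which is exactly why the review catches drift that neither system sees on its own. Running the review on a schedule, and again as part of the offboarding checklist, gives the periodic review a concrete output to act on.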
7. Physical Location and Access to Data
Think about physical security and how people might get access to your data and IT systems from within your facility. Simply locking computers when they’re unattended is a habit employees can practice that keeps unwanted eyes off your data. Similarly, locking external and internal doors to specific offices and departments can be another way to limit exposure.
Is Employee Access to Data Out of Control?
Don’t wait until your social media accounts have been hijacked to find out whether employee access to data and accounts is out of control. Create a plan that requires you to step through each role to document permissions. It’s going to take time and you’ll need some help, but the threat of losing control is too much to risk.
Up Your Cybersecurity Game
The thought of managing everything having to do with security can be overwhelming. That’s why XPERTECHS clients get the help they need to create and implement a cybersecurity strategy that effectively manages risks so they can prevent cyber attacks and shut down potential intruders fast. If that’s not what you’re getting from your managed IT service provider, it’s time to up your game.
Contact us today for a cybersecurity consultation.