User Permissions are Not to Be Given Lightly

Let me ask you this: would you trust every one of your team members with a key to your house? Of course not, right? After all, what if someone lost their copy or had it stolen from them?

So, if you wouldn’t trust your entire team with access to your home, why on earth would you trust them with carte blanche access to your entire business and all of its data?

That’s just it… you wouldn’t. 

Insider Threats are a Complicated Situation

Look, I get it. You want to think you can trust the people you hand-picked to work for you. After all, it not only means that your business is in good, capable hands—it also reflects on you and your ability to judge someone’s character. If someone you hired abused their position in your company, it only makes sense that some blame would be on you, right?

If this was a children’s movie, yes.

However, we’re talking about real life here. Maybe you’ve been burned in the past because (from where you’re sitting) you put too much faith in your team members and their strength of character. That could be the case… but someone could have felt backed into a corner by their financial situation, seeing no alternative than to take what wasn’t theirs. Someone could have been fooled into providing an attacker with their keys to the kingdom. Anyone might have made an honest mistake that happened to leave your castle vulnerable to attack.

The point is that insider threats are a very complicated, very grey area to consider.

That said, your protection against these attacks must be as straightforward and black-and-white as possible: either someone is confirmed to have access to your resources, or they aren’t.

This is Precisely Why User Permissions are So Important to Manage

While just one consideration to keep in mind while securing your business and its infrastructure, user permissions are a foundational one to get right. Fortunately, there is a very helpful best practice that multiple government acronyms—from the National Cybersecurity and Communications Integration Center (NCCIC) to the National Institute of Standards and Technology (NIST) to the U.S. Computer Emergency Readiness Team (US-CERT)---all include in their standards and recommendations.

This best practice is commonly referred to as the Principle of Least Privilege.

What is the Principle of Least Privilege, and Why Does It Help?

The Principle of Least Privilege is effectively what it sounds like: everyone in an organization has, at maximum, the minimum access permissions needed to serve their role effectively. Simply put, everything and anything is shared on a “need-to-know” basis, and only as long as it is strictly necessary. 

For instance, if accounting needed to know if payroll was being dispensed accurately, it would request access to that information from human resources. Once they had confirmed or disproved what they needed to check, accounting’s access would be removed.

This approach needs to apply to business users at all levels, from the C-suite to the vendors and service providers a business relies on and everyone in between. Otherwise, a business could suffer from various issues, such as…

• Inadvertent data exposure through someone with more access than needed falling for a cyberattack or otherwise being ignorant of critical cybersecurity practices.
• Intentional data misuse by unscrupulous employees with more access than their role calls for abusing these privileges to their benefit.
• Increased impacts from cyberattacks, as some attackers will only have as much access as a compromised user’s permissions provide.

What Can You Do to Follow the Principle of Least Privilege?

First and foremost, implementing a strategy of role-based access controls will help significantly. Assigning different users the permissions they each need based on their roles and responsibilities makes it easier to ensure that some users aren’t provided with more access than they need.

Of course, to ensure that this remains the case, it is also recommended that your business’ assigned access permissions be audited and corrected regularly. This helps ensure that nobody slips through the cracks, like those who may have been granted additional privileges to complete a specific task but never had those permissions removed.

If this all seems complicated or more than you want to add to your list of responsibilities, you can always work with Aspire Technical. Our team of IT experts can help you lock down your network to only those with an appropriate need to access it, all while ensuring that all your technology is maintained to give you the most value possible.

Give us a call at (480) 212-5153 to learn more.