Skip to content
Close
Contact Sales
Contact Sales
VC3 is the bar

We Make IT Easy

With VC3, it’s never license this, per hour that. Instead, it’s good people. Good people who work tirelessly .

Learn More
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA
Get out of the IT trenches

Municipalities

VC3 has spent the last 29 years making IT
personal, making IT easy, and getting IT
right for over 1,100 municipalities.

Learn More

Municipal League Partnerships

VC3 is the IT partner that focuses on municipalities. We understand your budgeting cycles and critical
concerns.
Our Partners

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!

 

All Resources
Get Started
4 min read

3 Reasons Why You Should Restrict User Permissions

Subscribe
restrict user permissions

Although some of your employees may disagree, not every employee should have access to every network, IT infrastructure, or computer system within your organization. Giving employees and contractors unrestricted user permissions and user access could spell disaster for many businesses because doing so creates unnecessary cybersecurity risks.

Would you set locks on all of the doors of your home but then go out and leave the keys hanging in the lock? Most likely, your answer would be no. But, this is the approach that many companies take concerning their cybersecurity initiatives. When you have unrestricted user permission levels, you’re allowing any employee to have the “keys to the kingdom,” giving them unfettered access virtually any area of your network or system.

What kind of threat do employees pose when they have unchecked user access? The Harvard Business Review cites data showing that “60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.”

The Purpose of Limiting User Access

Companies that manage user permissions set user permission levels using the concept and practice of what is known as “least privilege.” Formerly known as a policy of least privilege (POLP), the idea is to limit and restrict user access for accounts, users, and processes to those that are required for a person to perform their job.

This is something that our team of cybersecurity experts at FPA always recommends to our clients because it helps to minimize potential misuse while also ensuring that their employees have the privileges and access they need. As a managed security service provider (MSSP), we provide guidance both as to how this process can be accomplished as well as actually carrying out the tasks.

Furthermore, limiting the number of privileged users is one of the five best practices recommended by the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Computer Emergency Readiness Team (US-CERT) as part of every organization’s cybersecurity strategy. This aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework best practices, which are among the highest industry standards.

So, what are some of the reasons for why you should manage user permissions and, in most cases, restrict them?

1. Unrestricted User Access Can Lead to Accidental Data Exposure

Ask yourself: Does Andy in Accounting really need to have user access to all of your data and systems? He likely only needs to have access to specific areas or functions to perform his job. Danny the IT Administrator, on the other hand, would need to have greater privileges and user permissions, including broad access to your network and IT infrastructure.

For Andy, having extraneous user permissions isn’t necessary and creates a potential cybersecurity issue if he isn’t aware of — or doesn’t follow — safe cybersecurity practices. It doesn’t necessarily mean that he has malicious intentions; he just very well may be ignorant of what he should (or should not) do with his access. And, these types of behaviors can lead to accidental exposure of company or client data.

2. User Access Can Lead to Intentional Privilege Misuse & Abuse

According to the 2018 Cost of a Data Breach Study: Global Overview by the Ponemon Institute and IBM, 27% of the leading causes of data breaches worldwide resulted from the “human factor,” which boils down to the actions of negligent employees or contractors.

Verizon’s 2018 Data Breach Investigations Report lists privilege abuse (misuse) as No. 4 in the top 20 types of actions in data breaches. Furthermore, in its incident classification patterns, the report listed privilege misuse as the second highest types of incidents per pattern. Intentional misuse of user accounts can result in theft, leaking or destruction of data and intellectual property, as well as a host of other related issues.

3. Hackers Can Use Compromised User Credentials

By restricting user permissions, it can help to limit the damage that is done when the account of an employee or contractor becomes compromised. If the account’s user access is unrestricted, a malicious user could have a field day with the access they gain to your entire system. This will cost you both financially and in terms of customer trust in your company and brand.

All of these points underscore the importance of applying a POLP to every user account on your network. By limiting user access, you narrow the amount of data employees have access to — and incidentally can compromise — without having to go through any of your network’s other defenses. This is a smart practice that we always recommend to every client to increase their organization’s network and device security.

These are just a few reasons why organizations should invest the time to manage user permissions to limit employee user access.

 
Aug 21, 2018

VC3

Let's talk about how VC3 can help you AIM higher.