Although some of your employees may disagree, not every employee should have access to every network, IT infrastructure, or computer system within your organization. Giving employees and contractors unrestricted user permissions and user access could spell disaster for many businesses because doing so creates unnecessary cybersecurity risks.
Would you set locks on all of the doors of your home but then go out and leave the keys hanging in the lock? Most likely, your answer would be no. But, this is the approach that many companies take concerning their cybersecurity initiatives. When you have unrestricted user permission levels, you’re allowing any employee to have the “keys to the kingdom,” giving them unfettered access virtually any area of your network or system.
What kind of threat do employees pose when they have unchecked user access? The Harvard Business Review cites data showing that “60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.”
The Purpose of Limiting User Access
Companies that manage user permissions set user permission levels using the concept and practice of what is known as “least privilege.” Formerly known as a policy of least privilege (POLP), the idea is to limit and restrict user access for accounts, users, and processes to those that are required for a person to perform their job.
This is something that our team of cybersecurity experts at FPA always recommends to our clients because it helps to minimize potential misuse while also ensuring that their employees have the privileges and access they need. As a managed security service provider (MSSP), we provide guidance both as to how this process can be accomplished as well as actually carrying out the tasks.
Furthermore, limiting the number of privileged users is one of the five best practices recommended by the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Computer Emergency Readiness Team (US-CERT) as part of every organization’s cybersecurity strategy. This aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework best practices, which are among the highest industry standards.
So, what are some of the reasons for why you should manage user permissions and, in most cases, restrict them?
1. Unrestricted User Access Can Lead to Accidental Data Exposure
Ask yourself: Does Andy in Accounting really need to have user access to all of your data and systems? He likely only needs to have access to specific areas or functions to perform his job. Danny the IT Administrator, on the other hand, would need to have greater privileges and user permissions, including broad access to your network and IT infrastructure.
For Andy, having extraneous user permissions isn’t necessary and creates a potential cybersecurity issue if he isn’t aware of — or doesn’t follow — safe cybersecurity practices. It doesn’t necessarily mean that he has malicious intentions; he just very well may be ignorant of what he should (or should not) do with his access. And, these types of behaviors can lead to accidental exposure of company or client data.
2. User Access Can Lead to Intentional Privilege Misuse & Abuse
According to the 2018 Cost of a Data Breach Study: Global Overview by the Ponemon Institute and IBM, 27% of the leading causes of data breaches worldwide resulted from the “human factor,” which boils down to the actions of negligent employees or contractors.
Verizon’s 2018 Data Breach Investigations Report lists privilege abuse (misuse) as No. 4 in the top 20 types of actions in data breaches. Furthermore, in its incident classification patterns, the report listed privilege misuse as the second highest types of incidents per pattern. Intentional misuse of user accounts can result in theft, leaking or destruction of data and intellectual property, as well as a host of other related issues.
3. Hackers Can Use Compromised User Credentials
By restricting user permissions, it can help to limit the damage that is done when the account of an employee or contractor becomes compromised. If the account’s user access is unrestricted, a malicious user could have a field day with the access they gain to your entire system. This will cost you both financially and in terms of customer trust in your company and brand.
All of these points underscore the importance of applying a POLP to every user account on your network. By limiting user access, you narrow the amount of data employees have access to — and incidentally can compromise — without having to go through any of your network’s other defenses. This is a smart practice that we always recommend to every client to increase their organization’s network and device security.
These are just a few reasons why organizations should invest the time to manage user permissions to limit employee user access.