How likely would you be to hand over your house keys to somebody you’d chatted to a handful of times? Would you be more likely to do so if they presented a valid reason for accessing your house – perhaps for maintenance or delivery? And would you feel happier granting them access if you had a way of checking their credentials, and monitoring what they did whilst in your home?

Chances are, you’d feel nervous about the risk to your home and possessions. You’d need convincing as to why they needed access, restrict their access if possible, and monitor their conduct closely. Or, let’s be honest, as you barely know them you’d probably not give them the keys at all.

And yet, across the world, organisations routinely grant privileged user access to all sorts of employees, enabling them to access sensitive systems and data without adequate processes and monitoring in place. In so doing, they are making themselves a big fat bullseye for accidental or deliberate data breaches and serious cyber attack.

As a cyber security-conscious company, it is vital that as part of your risk management regime (which we’ve been discussing across our blogs), you establish effective processes to manage user privileges.

Of course, there will always be certain people who need access to a higher degree of access to systems and data in order to carry out their job roles. Your security staff, IT team, HR department, data controllers and finance team would be fairly up in arms if denied access to their relevant systems or data. Blocking them all clearly isn’t an option.

The key is to hand out privileges with care. Establish what level of access each employee genuinely needs, and provide them with a reasonable - but minimal - level of system privileges and rights required for their role – the so-called ‘principle of least privilege’.

And pay close attention to these guidelines from the UK National Cyber Security Centre:

• 1. Establish proper processes to manage user accounts – manage each account strictly from creation to revocation when a user leaves or changes role. Make sure you delete any redundant accounts (e.g from temps or testing).


• 2. Make authentication and passwords as watertight as possible – set out a corporate password policy striking a good balance between security and usability. For some accounts add an additional authentication requirement e.g a token.


• 3. Limit user privileges: provide each user with the minimum access and permissions they need to fulfil their business function. Go through each role and consider what rights and abilities can be removed from their systems without compromising their work. Don’t assume you can trust someone just because they’ve worked there for years - it’s about the role not the person, and it’s the security of your company at stake.


• 4. Limit the number of privileged accounts – only grant highly privileged system rights when strictly necessary, and continually assess whether such a level of access is still necessary. Ensure users do not use highly privileged accounts for day-to-day more risky activities such as web browsing – give them an additional ‘normal’ account for that.


• 5. Constantly monitor activity and investigate if anything seems unusual.


• 6. Limit access to auditing and activity logs - no-one needs access to the activity logs or audit system other than the person responsible for it. Access to these must be strictly controlled to preserve their integrity and your ability to trace compromising activity.


• 7. Educate your users – they should all be aware of your policy of acceptable usage and their personal responsibility to adhere to it.

By following such protocols you should make your systems and data a little less susceptible to attack or leaks: handing out your house keys only to those who absolutely need access, asking for identification, following and logging their every move, not letting them go beyond the downstairs loo, and never letting them invite others along for the trip.

It’s obvious when it’s your home: make sure you apply the same security to your business.