Time and time again we have suggested that one important thing you need to do to protect company data is limit access to data. A recent study found that 72% of temporary workers and contractors are given administrative privileges on their employers’ systems.
That is a lot of people having access to data they don’t need and, possibly, shouldn’t see.
Assigning privileged access
While it may seem easier to give everyone admin rights (who wants to field calls every time someone needs access to a certain file?), it has become necessary to assign privileged access deliberately, to the people whose job requires it.
How much access does an employee get?
Take the bottom-up approach: everyone starts with basic rights, and you add only what their role needs. Implementing this process will require some research into who needs access to which files, but it is worthwhile. You will likely find that a majority of employees have access to data they shouldn’t.
Tips for managing privileged access
- Audit access – People change roles and jobs often, so you need to keep up. People will contact you when they have too little access, but no one is going to reach out to you if they have too much. Conduct a regular access audit; every three months or so, check that everyone still has only the access they need.
- Revoke access ASAP – Become friends with the HR department and never let them forget to tell you when someone leaves the company. A recent survey found that more than 13% of respondents can still access a previous employer’s systems using their old credentials. Another survey found that 49% of respondents say ex-employees and third parties are offboarded the day they leave, while more than half admitted it can take up to a week or more to remove access to passwords and systems. These are easy threats to prevent!
- Temporary access – If employees only need access to certain data on occasion, don’t give them access to it all the time; instead, set up a website or hotline through which the employee can request temporary access. You need to decide what “on occasion” means for your company, but if someone only needs a file once every six months, they certainly don’t need 24/7 access.
- Limit download capabilities – Part of limited access should include limited capabilities. For example, you probably don’t want your employees to have the ability to install software they downloaded from the Internet. You should be in charge of what software is on the company computers so employees don’t install malware or personal apps on which they can save company information.
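The audit, revocation and temporary-access tips above can be turned into a repeatable check. The script below is an added example written for this post, not the author’s own tooling: it compares an account inventory against a per-role baseline built bottom-up from a basic set of rights, flags entitlements beyond the role, temporary grants that have expired or run too long, and accounts still enabled for people HR no longer lists, then produces a per-user revocation plan. All role names, entitlement names, accounts and dates are constructed for illustration.

```python
"""Least-privilege access audit (added example with constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Bottom-up baseline: every role starts from BASIC and adds only what the
# job requires. Role and entitlement names are hypothetical.
BASIC = {"email", "intranet"}
ROLE_BASELINE = {
    "engineer": BASIC | {"source-repo"},
    "finance": BASIC | {"ledger-read", "ledger-write"},
    "contractor": BASIC,
}


@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    entitlements: set[str]
    # temporary grants: entitlement -> date the grant is supposed to end
    temp_grants: dict[str, date] = field(default_factory=dict)


@dataclass
class Finding:
    user: str
    kind: str
    entitlement: str | None
    note: str


def audit_access(accounts, hr_active, today, max_temp_days=30):
    """Return the list of findings from one audit run."""
    findings = []
    for acct in accounts:
        # Revoke ASAP: an enabled account whose owner HR no longer lists
        if acct.enabled and acct.user not in hr_active:
            findings.append(Finding(acct.user, "departed-still-enabled", None,
                                    "disable the account and rotate any shared credentials"))
            continue  # nothing else about this account matters once it is disabled
        baseline = ROLE_BASELINE.get(acct.role, BASIC)
        for ent in sorted(acct.entitlements):
            if ent in baseline:
                continue
            expiry = acct.temp_grants.get(ent)
            if expiry is None:
                findings.append(Finding(acct.user, "excess-privilege", ent,
                                        f"{ent} is not in the {acct.role} baseline"))
            elif expiry < today:
                findings.append(Finding(acct.user, "expired-temporary-grant", ent,
                                        f"temporary grant ended on {expiry}"))
            elif (expiry - today).days > max_temp_days:
                findings.append(Finding(acct.user, "temporary-grant-too-long", ent,
                                        f"grant runs past the {max_temp_days}-day limit"))
    return findings


def revocation_plan(findings):
    """Map each user to the entitlements to remove; '*' means disable everything."""
    plan: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "departed-still-enabled":
            plan[f.user] = ["*"]
        elif f.kind in ("excess-privilege", "expired-temporary-grant"):
            plan.setdefault(f.user, []).append(f.entitlement)
    return {user: sorted(set(ents)) for user, ents in plan.items()}


# Constructed sample inventory: alice has a long-running temporary grant,
# bob is a contractor with admin, carol's temporary grant has expired,
# and dave has left the company but is still enabled.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_HR_ACTIVE = {"alice", "bob", "carol"}
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", True, {"email", "intranet", "source-repo", "ledger-read"},
            temp_grants={"ledger-read": date(2024, 6, 1)}),
    Account("bob", "contractor", True, {"email", "intranet", "admin"}),
    Account("carol", "finance", True,
            {"email", "intranet", "ledger-read", "ledger-write", "source-repo"},
            temp_grants={"source-repo": date(2024, 1, 10)}),
    Account("dave", "engineer", True, {"email", "intranet", "source-repo"}),
]

if __name__ == "__main__":
    for f in audit_access(SAMPLE_ACCOUNTS, SAMPLE_HR_ACTIVE, SAMPLE_TODAY):
        print(f"{f.user:6} {f.kind:26} {f.entitlement or '-':12} {f.note}")
    print(revocation_plan(audit_access(SAMPLE_ACCOUNTS, SAMPLE_HR_ACTIVE, SAMPLE_TODAY)))
```

In practice the inventory would be exported from the directory or identity provider and the active roster from HR; the point of the script is that the audit is a comparison against a written baseline, so anything not in the baseline and not covered by a dated, short temporary grant shows up automatically instead of waiting for someone to notice.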
There is no doubt you will have some complaints from employees who don’t like having to call you for access or help when they just want to get their work done, but remind them that the data at risk is their data, too. A data breach affects everyone.