Businesses: Know who your privileged users are … and aren’t
Given the pervasiveness of technology in the business world today, most companies are sitting on treasure troves of sensitive data that could be abducted, exploited, corrupted or destroyed. Of course, there’s the clear and present danger of external parties hacking into your network to do it harm. But there are also internal risks — namely, your “privileged users.”
Simply defined, privileged users are people with elevated cybersecurity access to your business’s enterprise systems and sensitive data. They typically include members of the IT department, who need to be able to reach every nook and cranny of your network to install upgrades and fix problems. However, privileged users also may include those in leadership positions, accounting and financial staff, and even independent contractors brought in to help you with technology-related issues.
What could go wrong?
Assuming your company follows a careful hiring process, most of your privileged users are likely hardworking employees who take their cybersecurity clearances seriously.
Unfortunately, sometimes disgruntled or unethical employees or contractors use their access to perpetrate fraud, intellectual property theft or sabotage. And they don’t always act alone. Third parties, such as competitors, could try to recruit privileged users to steal trade secrets. Or employees could collude with hackers to compromise a company’s network in a ransomware scheme.
How can you protect yourself?
To best protect your business, you may want to implement a formal privileged user policy. This is essentially a set of rules and procedures governing who gets to be a privileged user, precisely what kind of access each such user is allowed, and how your company tracks and revokes privileged-user status.
When developing and enforcing the policy, you’ll first need to identify who your privileged users are and what specific security clearances each one needs. A good way to start is to list the privileges required for every position and then compare that list to a separate record of privileges that each employee currently has. What makes sense? What doesn’t? When in doubt whether someone needs a certain type of access, it’s generally best to err on the side of caution.
Also, establish an “upgrading” process under the policy. Only trusted and qualified managers or supervisors should have the power to upgrade or reinstate an employee’s privileges, perhaps in consultation with the leadership team. Use technology to help standardize and track requests and approvals. For sensitive systems and applications, such as those that store customer and financial data, consider requiring two levels of approval to elevate a user’s privileges.
In addition, your privileged user policy should include stipulations to carefully monitor user activity. Observe and track how employees use their privileges. Let’s say a salesperson repeatedly accesses customer data for a region that the person isn’t responsible for. Have the sales manager inquire why. Subtly reminding employees that the company is aware of their tech-related activities is a good way to help deter fraud and unethical behavior.
Another important aspect of the policy is how you revoke privileges and remove dormant accounts. When employees leave the company, or independent contractors end their engagements, privileged access should be revoked immediately. Keep clear records of such actions. If a previously deactivated account somehow shows signs of activity, block access right away and investigate how and why it’s come back to life.
Do you know?
Every business should be able to definitively say who is a privileged user and who isn’t. If there’s any gray area or uncertainty regarding current or former employees or other workers, the security of your data could be severely compromised. And the ramifications, both financially and for your company’s reputation, are potentially very serious.