“Everyone’s an administrator when network access isn’t controlled.” That’s something an IT consultant I knew used to say. He was strict about giving out network privileges, but because of that, the company didn’t suffer a single breach while he worked there. That’s because what he said was true. If you’re not going to use your security access levels, then you might as well give everyone administrative privileges. Keep in mind that those privileges are going to allow employees to add or remove just about anything on your network. If that sounds like it would be a disaster—and it should—then it’s time to recalibrate your access levels.
Too many companies try to piecemeal their security by assigning network access as needed. This is problematic in that once the company gets big enough, it can be hard to keep track of who has what type of access. That’s why standardizing the process is a better option. Create a fixed system for giving out the right amounts of access and you’ll find many network security issues resolve themselves.
How Limited Access Limits Human Error
Human error is still the number one root cause of security breaches industry-wide. Either someone installs something they shouldn’t or visits a website they shouldn’t, and data is breached. Phishing, hacking, and malware infections are all things that can be prevented if employees follow protocols, and that matters because human error accounts for 37% of enterprise system incidents. Even worse, intentional employee actions account for 16% of these incidents.
That means more than half of your network issues are going to be caused by your employees. This number is only expected to grow as the number of devices that can connect to your network increases. Employees might access company data from smartphones, laptops, tablets, and a wide range of other devices which could be a risk to your system.
That’s why you need to scale back on those privileges by looking at employee job responsibilities. Make sure that the job title has a specific internal security clearance assigned to it. It might help to break those internal security levels down into five categories:
- In-office only – This level of access should be reserved for employees whose job roles do not require access outside of the office, such as for hourly employees or employees whose work is generally done in-office. This access would also limit the devices allowed on the network to company-issued devices only.
- Basic access – This level of access would be for employees who might need to work remotely, but don’t have management responsibility over anyone else. This would allow them to access company systems offsite and via personal devices, but would limit what information they could change or remove from those systems.
- Team manager access – This access might be for middle managers who supervise one or more employees. This would allow them access to everything the basic employees get access to, but they would also be able to change or update access privileges for employees under them.
- Department manager access – Department manager access would allow the employee to access all pertinent company networks through both home and personal devices. They would be able to make changes to the information for employees under them and would have limited administrative access for emergency use.
- Administrator – This is an access level that leaves your network wide open, which is why it should be limited to key personnel. This is the only level of access that would allow the individual to make major network changes, install new software, etc.
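As an added illustration that is not part of the original post, the five tiers above can be written down as a deny-by-default decision function, which makes it easy to see what each tier does and does not grant. The action names, the on-site and company-device flags, and the rule that in-office staff may read and write only from the office are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple

class Tier(IntEnum):
    IN_OFFICE = 1
    BASIC = 2
    TEAM_MANAGER = 3
    DEPT_MANAGER = 4
    ADMIN = 5

ADMIN_ACTIONS = {"install_software", "network_change"}  # the "major network changes" of the text

@dataclass(frozen=True)
class Request:
    tier: Tier
    action: str                         # read | write | change_privileges | install_software | network_change
    on_site: bool                       # request originates on the office network
    company_device: bool                # request originates from a company-issued device
    target_tier: Optional[Tier] = None  # change_privileges: tier of the employee being changed
    emergency: bool = False             # declared emergency (department manager only)

def decide(req: Request) -> Tuple[bool, str]:
    """Deny by default; each tier only adds what its description grants."""
    if req.tier == Tier.ADMIN:
        return True, "administrator: unrestricted"
    if req.tier == Tier.IN_OFFICE:
        if not (req.on_site and req.company_device):
            return False, "in-office tier: office network and company device required"
        # Assumption: in-office staff may read and write inside the office, nothing else
        return req.action in {"read", "write"}, "in-office tier: read/write inside the office"
    if req.action in ADMIN_ACTIONS:
        if req.tier == Tier.DEPT_MANAGER and req.emergency:
            return True, "department manager: limited admin access for emergency use"
        return False, "admin action reserved for administrators"
    if req.action == "change_privileges":
        if req.tier < Tier.TEAM_MANAGER:
            return False, "basic tier cannot change access privileges"
        if req.target_tier is None or req.target_tier >= req.tier:
            return False, "managers may only change privileges of employees below them"
        return True, "manager changing a subordinate's privileges"
    if req.action == "write":
        if req.tier < Tier.DEPT_MANAGER:
            return False, "remote tiers below department manager are read-only"
        return True, "department manager: may change information"
    if req.action == "read":
        return True, "read allowed at all remote tiers"
    return False, "unknown action"
```

Every branch ends in an explicit reason string so that denied requests can be logged and reviewed when the tiers are recalibrated.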
While many of your employees might be computer savvy, only your IT people should be making changes to your interoffice network and systems. Often, malware is installed by tricking users into thinking it’s a software patch or an update for existing software. However, when only administrators can add software, that scam becomes ineffective. Only your most trusted employees should have that level of access. That’s why you need to tier your access according to your background checks.
Use Background Checks to Tier Access Level
With more responsibility comes more scrutiny. Setting your employees’ access should be dependent on them passing an appropriate background check. For the employees with the lowest access, this may include a criminal records and credit search. However, for higher access level employees, it might be wise to complete some additional steps.
One of these steps would be to have the individual complete a Remote Risk Assessment regarding their own cyber security knowledge. RRA is a technology that’s used in conjunction with a brief phone interview. During the interview, the individual is asked questions that they must answer with a “yes” or “no.” The technology then measures the individual’s response, and assigns a risk rating from low to high to each answer.
This can be a good option for weeding out both individuals who lack cyber security awareness and those who would violate company procedures. For example, they could be asked, “Have you ever used a public wi-fi hotspot to access company data?” Someone who answered yes would be marked as high risk, and someone who answered no dishonestly would be flagged as high risk as well. This technology can assess both intentional and unintentional protocol breaches and help companies identify the areas where they most need to reassess security practices.
AC Global Risk is now offering its proprietary software as a solution for enterprise clients looking to control their cyber security risks. Our services can be adapted for a wide range of uses and are available in any language, at any location. Contact us today for more information.