You already have robust firewalls, penetration testing, and annual cybersecurity training for all employees. Unfortunately, you’re still suffering security failures. What else can you do to protect your organization? Your next move requires you to admit an uncomfortable truth about cybersecurity.
You cannot anticipate and prevent every attack on your organization. Some sectors, such as banking, are such appealing targets that they face constant attack. In fact, the sheer volume of cybersecurity attacks is growing steadily. Infosecurity Magazine reports: “The Online Trust Alliance’s Cyber Incident & Breach Trends Report found that skyrocketing ransomware usage resulted in 160,000 cyber attacks. That’s nearly doubled from 82,000 in 2016.” These attacks come with a cost. Recent industry research reported in Fortune found the average cost of a data breach to be $7 million.
Our prediction? These attacks will continue as hacking tools and services become more accessible. The way forward in this situation is to limit the damage in the event of a hacking attack.
By tightening up your access governance program, you’ll minimize the impact of future hacking attacks. Think of it like a house with a locked front door and locked interior doors: an intruder who gets through one door is still confined to a single room while you plan a response. The framework that makes this containment possible is called the principle of least privilege.
What’s the Principle of Least Privilege?
Inspired by the military’s “need to know” concept, the principle of least privilege gives users the minimum access needed to carry out their work. Consider the case of customer support representatives. They need access to their scheduling system, the customer service data, and their company email. Do they need access to the company’s ERP (enterprise resource planning) system? No. Do they need access to product design data? Again, the answer is no. Those extra privileges serve no business purpose, and every unused privilege widens the attack surface: if a support representative’s account is compromised, the attacker inherits everything that account can reach. However, you cannot merely arbitrarily reduce access privileges for every employee; you need a guiding principle to inform your approach.
According to Carnegie Mellon University, the principle of least privilege “requires that employees have the minimum privileges needed to perform actions on information or assets that are within the scope of their job function.” That means that managers need to carefully think through job descriptions. If the organization doesn’t have job descriptions (or if they are significantly out of date, which is a pervasive problem), additional work will be needed. Each manager will need to sit down and think through the minimum access each employee needs.
What About Employee Resistance to the Principle of Least Privilege?
In some companies, you may encounter resistance to reducing access. For instance, employees may currently have access rights to other divisions and departments. They use this access for general awareness of company activities rather than for any specific job responsibility, so under the principle it should be reduced or removed, yet they may object when it is. To address this objection, we recommend highlighting the risk benefits. By reducing access, you reduce the impact of any single hacking incident. Think of it as another line of defense to protect employees and customers from security problems.
Resource: You don’t have to develop a brand new training program to cover the principle of least privilege. Add it as a topic to your employee password management training session.
Design Your Access Governance Approach to Minimize Access
Put the principle of least privilege into action by using the following process:
- Find out your access governance situation. Start by doing your homework on access governance: what policies, procedures, and systems does your company have in place already? Keep in mind that access governance may be covered in a different document (e.g., cybersecurity policy).
- Review access governance audit findings. Does your company have an internal audit department? If so, we recommend reviewing recent reports for findings on access governance issues. If you cannot find any reports, meet with your auditors to ask for their perspective on identity and access management issues.
- Identify high-risk applications and systems. The next step is to identify high-risk systems where access needs to be controlled. At a minimum, systems containing financial data, HR records, and customer data are good candidates to focus on during your access governance implementation.
- Find quick-win opportunities to reduce access. In our experience, there are two areas to focus on for quick wins in access. First, look at the profiles of ex-employees; any account that is still enabled after the person has left should be disabled outright. Second, review the access of employees who’ve changed jobs in the past 12 months; they often keep the privileges of their old role on top of the new one. You’ll probably find access privileges that need to be reduced. For added risk reduction, examine your “super users,” such as IT administrators, who may have more access privileges than required.
- Introduce the change. Before implementing the access governance changes, communicate the planned shift in advance. We recommend sending a broadcast email to all managers first and asking them to discuss the change with their staff.
- Implement the change. Now that you’ve identified the access governance changes to be made, it’s time to put them into action. If you’re making these changes manually, focus on eliminating ex-employee access first.
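The two quick wins above (ex-employee accounts and job changers carrying old privileges), plus the customer support example earlier in the article, reduce to a reconciliation: compare who the HR system says each person is against what the identity store says they can reach. The script below is an added example written for this article, not a tool from the original page or from any vendor. It assumes a hypothetical role baseline (ROLE_BASELINE), a hypothetical set of high-risk entitlements (HIGH_RISK), and constructed sample exports (HR_ROSTER, ENTITLEMENTS); real exports will have different field names and formats.

```python
"""Access-review quick wins: orphaned accounts, mover leftovers, excess grants.

Added example, not from the original article. Every data structure below is
constructed for illustration; substitute your own HR and identity exports.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical role baseline: the minimum entitlements each job function needs.
# Customer support gets scheduling, CRM and email, and nothing else.
ROLE_BASELINE = {
    "customer_support": {"scheduling", "crm", "email"},
    "finance_analyst": {"erp", "email"},
    "product_designer": {"design_vault", "email"},
    "it_admin": {"email", "idp_admin"},
}

# Hypothetical list of entitlements that warrant extra scrutiny in a review.
HIGH_RISK = {"erp", "hr_records", "idp_admin", "design_vault"}


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str                      # "active" or "terminated"
    prior_role: Optional[str] = None  # set when the person changed jobs in the review window


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    category: str    # "orphaned", "mover_leftover" or "excess"
    high_risk: bool


# Constructed HR roster export.
HR_ROSTER = [
    Person("alice", "customer_support", "active"),
    Person("bob", "finance_analyst", "active", prior_role="customer_support"),
    Person("carol", "product_designer", "terminated"),
    Person("dave", "it_admin", "active"),
]

# Constructed entitlement export from the identity store: user -> granted set.
ENTITLEMENTS = {
    "alice": {"scheduling", "crm", "email", "erp"},      # support rep with ERP
    "bob": {"scheduling", "crm", "email", "erp"},        # kept old support access
    "carol": {"design_vault", "email"},                  # terminated, still enabled
    "dave": {"email", "idp_admin", "hr_records"},        # super user with extras
    "eve": {"crm", "email"},                             # no HR record at all
}


def review_access(roster, entitlements):
    """Reconcile granted entitlements against HR status and role baseline."""
    by_user = {p.user: p for p in roster}
    findings = []
    for user, granted in sorted(entitlements.items()):
        person = by_user.get(user)
        if person is None or person.status == "terminated":
            # Quick win 1: no active HR record, so every grant is orphaned.
            for ent in sorted(granted):
                findings.append(Finding(user, ent, "orphaned", ent in HIGH_RISK))
            continue
        baseline = ROLE_BASELINE.get(person.role, set())
        prior = ROLE_BASELINE.get(person.prior_role, set()) if person.prior_role else set()
        for ent in sorted(granted - baseline):
            # Quick win 2: a grant explained only by the previous role is a mover leftover;
            # anything else beyond the baseline is plain excess (super-user creep included).
            category = "mover_leftover" if ent in prior else "excess"
            findings.append(Finding(user, ent, category, ent in HIGH_RISK))
    return findings


PRIORITY = {"orphaned": 0, "mover_leftover": 1, "excess": 2}


def prioritise(findings):
    """Order the remediation queue: ex-employee access first, then high-risk grants."""
    return sorted(findings, key=lambda f: (PRIORITY[f.category], not f.high_risk, f.user, f.entitlement))


if __name__ == "__main__":
    for f in prioritise(review_access(HR_ROSTER, ENTITLEMENTS)):
        flag = " [HIGH RISK]" if f.high_risk else ""
        print(f"{f.category:15} {f.user:8} revoke {f.entitlement}{flag}")
```

Running this against the constructed data lists carol’s and eve’s accounts first (disable entirely, as the article recommends), then bob’s leftover support entitlements from his old role, then the high-risk extras on alice and dave. The role baseline is the piece that requires the manager conversations described above; without an agreed baseline per job function, the “excess” category cannot be computed.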
Putting all these access governance improvements into action takes work. Like any security practice, it’s not enough to do it once; it needs to be an ongoing practice to protect your organization.
How to Sustain the Principle of Least Privilege Easily
Manually checking and rechecking user access quickly becomes a chore that managers and employees forget to do. When that happens, the security benefits of access governance gradually slip away. It doesn’t have to be this way. Instead, we recommend using Compliance Auditor to keep your access governance program up to date.
By using Compliance Auditor, you’ll easily be able to apply sophisticated access governance methods. For example, multilevel IT approvals are an excellent way to ensure that highly privileged accounts, such as those with manager-level access, are subject to extra scrutiny before access is granted. Compliance Auditor supports multilevel IT approvals automatically. It also paves the way to painless IT audits because it automatically generates and retains access governance logs. The days of manually tracking user IDs are over!