When considering IT threats to your business many articles focus on external sources such as hackers. While these dangers are real, in many cases, the largest threat to a firm comes from inside the business itself.
Staff often have trusted access and a detailed working knowledge of the organisation from the inside. Employees therefore deserve the largest security consideration when designing a safe and secure business system.
It is important to first distinguish the type of employee we want to defend against. For this article we do not mean a model employee accidentally opening a malicious email or attachment (that relates to a different kind of threat). Rather, a disgruntled employee seeking to do damage to your business. An employee who may wish to destroy services or steal clients and files from your firm.
A lot of firms grant employees system-wide permissions. While this can make things appear simple, it is opening the business to future risks.
Private and confidential information relating to the business should be restricted. Many types of files need to remain confidential, often as a legal or privacy requirement. Human resource files, salary information, and employee documents should be limited to only a select few employees. Yet many businesses keep confidential information in public places on the network.
Granting system-wide read and write access can appear to save time in the short term. It is, however, opening up your business for potentially legal troubles in the future.
The Principle of Least Privilege
The principle of least privilege is a vital tool in helping you to handle internal IT security. It defines a security policy which ensures your staff can access only the resources, systems and data they require to carry out their job.
The policy protects the business from many different types of threats. Even where malicious attachments have been opened by accident, the damage is limited only to the areas that employee has access to. This results in contained damage, less time needed for data restoration and reduced downtime for the firm.
Along with limiting accidental damage, employees looking to destroy or steal data are limited. With restricted access, an employee with a grudge or profit motivation can only damage or steal from their own area of operation. This helps to ensure that no single employee can damage the entire firm’s operations.
Security Policy In Practice
A member of staff within Human Resources, for example, may have access to the employee database (as it relates to their job). This will likely include payroll information and other sensitive data. But this same member of staff would have no need to access sensitive client data, such as sales information in normal working conditions.
Likewise, a staff member from the sales department should have no need for accessing sensitive HR records.
Using the principle of least privilege, each employee will only have full access to systems that are directly related to their role. Similarly, some systems may be visible to a wider group of staff members even if they can only be edited or deleted by one or two people.
In some cases, a security policy may be defined by finer details than a person’s role within the business. For example an HR employee should not be able to edit their own file to change salary information. An employee file might only be edited by their superiors in such a case.
Additional parameters can be used to assign privileges to enable the business hierarchy to work within the IT network. Seniority, physical location, and time are all examples of factors that can restrict access to critical systems and secure data.
We can tailor your network to your business, locking down your data to ensure data is only accessed on an “as needed” basis. Contact us now on 08 8326 4364 or su*****@dp*********.au.