The security of the systems and devices used in the office is important to many companies. Businesses often go to great lengths to secure their systems against external threats, yet fail to take internal threats into account. One of the most common internal security threats is employees having more access to systems than they need. A recent survey’s findings have highlighted this problem too.
According to the survey, conducted by Viewfinity, 68% of the 600 IT professionals surveyed don’t know who has administrative access to computers in their office. While this survey looks at the numbers from the IT viewpoint, it’s highly likely that many managers don’t know who has what access rights to computers.
The survey also found that 20% of all respondents noted that between 15% and 30% of users in their company had administrative rights. Is this a bad thing? Yes and no. Some users need to have full access to their systems, especially if they manage other systems, while others don’t.
Is this a big deal?
One of the biggest drawbacks of unnecessary access privileges is the security risk. If users have more access than they need, the chance of a security breach is higher. For example, malware on a locked-down system likely won’t spread to other systems in the network without direct transmission. Similarly, if a user can’t install programs because they lack administrative privileges, malware, for the most part, won’t be downloaded and installed.
If a user with full administrative privileges downloads a piece of malware, chances are high that they won’t even notice it’s been installed, and it will be transmitted to other systems with ease. In fact, one of the main ways hackers gain access to networks is through exploitation of administrative rights. They first look for an unsecured computer with administrative rights, hack it and then follow the chain up to more vital network systems.
What can we do?
While the survey was largely centered around IT professionals, business owners can learn from these findings too. They should take steps to audit their network and figure out who has access to what. Then they need to validate the findings and ensure that users have an appropriate level of access privileges. If some employees have no need to download and install programs, then they likely don’t need administrative access privileges.
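The audit-and-validate step described above can be partly automated. The following is an added example, not part of the original article: it assumes the members of each machine's local administrators group have already been exported to a CSV file by an inventory tool, and the host names, account names, approved baseline and head count are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per member of each machine's local administrators
# group, as exported by an inventory tool (the CSV layout is an assumption).
ADMIN_EXPORT = """host,account
ws-01,alice
ws-01,helpdesk-adm
ws-02,bob
ws-02,helpdesk-adm
ws-03,alice
ws-03,carol
srv-01,alice
srv-01,helpdesk-adm
"""

# Constructed baseline: account -> hosts where admin rights are justified.
# "*" means every host (e.g. a dedicated support account).
APPROVED = {"helpdesk-adm": {"*"}, "carol": {"ws-03"}}
TOTAL_USERS = 10  # constructed head count


def audit(export_text, approved, total_users):
    """Compare observed admin rights with the approved baseline."""
    hosts_by_account = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["account"].strip().lower()
        hosts_by_account[account].add(row["host"].strip().lower())

    unapproved = []
    for account in sorted(hosts_by_account):
        allowed = approved.get(account, set())
        for host in sorted(hosts_by_account[account]):
            if "*" not in allowed and host not in allowed:
                unapproved.append((host, account))

    return {
        # Grants nobody has validated: candidates for removal.
        "unapproved": unapproved,
        # How many machines each account can administer; a high count means
        # one compromised account exposes many systems.
        "reach": {a: len(h) for a, h in hosts_by_account.items()},
        # Share of all users holding admin rights somewhere.
        "admin_share_pct": round(100 * len(hosts_by_account) / total_users, 1),
    }


if __name__ == "__main__":
    for key, value in audit(ADMIN_EXPORT, APPROVED, TOTAL_USERS).items():
        print(key, value)
```

Running the same comparison on a schedule shows when new administrative grants appear that nobody has validated.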
If this sounds like a chore, it’s a good idea to work with a service provider who can help determine not only the type of access employees should have, but also the appropriate security and management that’s needed to ensure a more secure organization. If you’re unsure of who has access to what, please contact us; we may be able to help.