Do your staff have too much access to data?

This should make you stop and think for a moment. Do you know everyone that has access to your critical data right now?

And do they need that access to do their job?

Most business owners assume that access is finalised during the onboarding process. But new research shows that is not always the case.

Alarmingly, around half of all staff across businesses have more access than they need, which is a cause for concern.

Not only does it increase the risk of someone doing something malicious, but it can also lead to unintended mistakes. When people have more access than they need, it can lead to accidents, breaches, and complications with compliance and audits.

This is known as insider risk.

This is essentially the risk that comes from those within your business. It could be anyone who has access to your systems, such as employees or contractors.

On occasion, insider risk is deliberate, like when someone steals data.

But, often, it’s unintentional. Someone accidentally sends confidential information to the wrong person, clicks on the wrong thing, or retains access when they leave the business.

One of the biggest issues is called ‘privilege creep’.

That’s when people gradually build up more access than they need. It’s often caused when people change roles and are added to new systems without anyone reviewing what they can see.

Research shows that huge amounts of data are exposed, as only a small percentage of businesses actively manage this properly.

The scary thing is, half of businesses admit that ex-staff can still have access to systems for months after they leave. That’s like leaving your office keys with someone who no longer works for you.

The solution is something often called ‘least privilege’, which makes sure people can only access what they need, and nothing more.

It means setting permissions so that access to data is limited to what is necessary for the role. Access can also be granted temporarily, only when it is needed and only for as long as it is needed; this is often referred to as ‘just in time’ access.

And just as important, all access should be removed immediately when someone leaves the business.

It can be tricky in today’s world of cloud apps, AI tools, and ‘invisible IT’ (software that is used without IT knowing about it). But it can be done with proactive planning and processes.

Regularly reviewing levels of access, tightening permissions, and using tools that help automate this can make a huge difference.
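As an added illustration (not from the original post), here is a small Python access-review script that flags the three problems described above: privilege creep, ‘just in time’ grants that were never removed, and ex-staff who still hold access. The roles, accounts, systems and dates are constructed sample data, and the output is a revocation list for the review.

```python
from datetime import date

# Constructed sample data (illustrative, not from the original post).
# Baseline: the systems each role actually needs to do the job.
ROLE_BASELINE = {
    "sales": {"crm"},
    "finance": {"crm", "payroll"},
    "engineering": {"source-repo", "cloud-console"},
}
ROLES = {"alice": "sales", "bob": "finance", "carol": "engineering", "dave": "engineering"}
# HR-recorded leave dates; anyone listed here should hold no access after that date.
LEAVERS = {"dave": date(2024, 1, 31)}
# Current grants as (account, system, expiry). Standing access has expiry None;
# a 'just in time' grant carries the date on which it should have been removed.
GRANTS = [
    ("alice", "crm", None),
    ("alice", "payroll", None),              # kept from a previous finance role
    ("bob", "payroll", date(2024, 3, 2)),    # JIT grant that was never revoked
    ("carol", "source-repo", None),
    ("carol", "cloud-console", None),
    ("dave", "cloud-console", None),         # dave left months ago
]
REVIEW_DATE = date(2024, 6, 1)  # the day the review is run


def review_access(grants, roles, role_baseline, leavers, today):
    """Return (account, system, finding) for every grant that fails least privilege.

    Checks, in order: leavers who still hold access, expired just-in-time grants,
    and standing access that the account's current role does not require.
    """
    findings = []
    for account, system, expires_on in grants:
        if account in leavers and leavers[account] <= today:
            findings.append((account, system, "ex-staff access still active"))
        elif expires_on is not None and expires_on < today:
            findings.append((account, system, "just-in-time grant past expiry"))
        elif system not in role_baseline.get(roles.get(account), set()):
            findings.append((account, system, "privilege creep: not required by role"))
    return findings


if __name__ == "__main__":
    for account, system, finding in review_access(GRANTS, ROLES, ROLE_BASELINE, LEAVERS, REVIEW_DATE):
        print(f"REVOKE {account} on {system}: {finding}")
```

In practice the grants and leave dates would be exported from your identity provider and HR system rather than typed in, but the three checks stay the same.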

The aim is not to slow down your people. It’s to protect your data, your customers, and your business’s reputation.

If you need help assessing your access controls, get in touch.
