Cyber Security 101 — User Access Control

Mariella Thanner
Published in cybersmart
4 min read · Aug 17, 2017

Simple controls your company can implement today to stay protected tomorrow!

Cyber Security and Data Protection can be overwhelming. There is an enormous amount of advice on the Internet, but it is quite difficult to know how to get started.

At CyberSmart, we believe that Cyber Security should be accessible and easy for everyone. Therefore we have compiled a series of actionable steps to help you protect your data. Each week we focus on one control, provide some background information and answer common questions.

Part 3: User Access Control

Companies implement user access policies to regulate who can access the company's information or IT systems and to define the access privileges each user holds. The purpose of these policies and procedures is to prevent unauthorised access to your company's information and systems. Makes sense, right?

In reality, lots of companies don’t have formal user access policies or guidelines in place. Why? Because they don’t know what to do and where to start.

We at CyberSmart like to use a new starter as a reference point to make sure we cover everything in the user account lifecycle from the initial set up to changing job roles and ultimately, leaving the company.

Registration:

Once a new starter joins, you will likely create a new user profile for their workstation, email account, data storage programs, cloud software, applications, etc. The best question to ask at this point is: What access does the user need to perform their day-to-day job?

Uncontrolled access to everything can be handy. We have seen many companies where everyone has access to everything, which means the risk of a data breach is much higher, because information can be lost, misused or end up in the wrong hands.

Therefore, it is recommended to give your new starter less access to information initially. Over time you will both figure out what they need to do their job, and it is always easier to grant more access later on than to review and remove access rights — think of shared Dropbox folders.

User Identification:

Every user should access your system with a unique user ID (such as email address or username) and a unique password. It is not recommended to have shared accounts as there is a lack of transparency and traceability in case of a data breach. If you have a business case for shared user credentials, we recommend using a password manager that stores login details and can be used by the entire team.

Once you have created new profiles, encourage your user to change the password to a strong password. A strong password is at least eight characters long, difficult to guess and consists of a combination of upper and lower case letters, numbers and special characters, like “2;u{DNG7Gbp”.

A difficult password to guess is also a difficult password to remember. Again, using a password manager solves this problem.

Ongoing User Access Management:

An admin/founder/team leader should review your company's users and their access rights on a regular basis, ideally every six months or whenever a significant change to the business occurs. A simple spreadsheet or list is useful for keeping an overview and tracking users and their rights. In your CyberSmart Admin dashboard, you can see all your users and their rights, to make your job easier.

It is your users' responsibility to prevent their user ID and password from being misused, which means you should communicate that they should:

  • Not share their credentials
  • Store passwords in a secure place like a password manager, not on a sticky note on the screen
  • Change passwords when they believe they may have been compromised
  • Not give external parties access to the company's systems
  • Notify the admin/founder/team leader when they change roles and need different access privileges

User Deregistration:

Once a team member leaves your company, make sure to remove all access rights immediately, ideally on their last day at work.

Back in our consultancy days, we worked with a company where a bad leaver left the business on a Friday, and over the weekend he managed to transfer a significant amount of data outside of the company. The company didn't revoke his access and didn't notice for months. Later, they had to report an incident and notify their customers months after the employee had left.

If you still need someone's old user credentials, make sure that you change the password immediately after the person has left your company.
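As an added example (not code from the CyberSmart post or its dashboard), the script below turns the "simple spreadsheet or list" idea from the ongoing-review section into an automated check that also covers the deregistration point above: it reads a constructed account list and flags leavers who still hold access, accounts whose six-monthly review is overdue, and shared accounts that lack per-user traceability. The CSV columns, the 182-day interval and the example addresses are assumptions made for the illustration.

```python
"""Access-review check over a constructed account list (hypothetical data)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per account, semicolon-separated access list.
SAMPLE_CSV = """user_id,status,leave_date,last_review,access,shared
alice@example.com,active,,2017-03-01,email;crm;dropbox-finance,no
bob@example.com,active,,2016-09-15,email;crm,no
carol@example.com,left,2017-08-11,2017-02-01,email;dropbox-finance;git,no
sales-shared@example.com,active,,2017-07-01,crm,yes
"""

REVIEW_INTERVAL = timedelta(days=182)  # assumed: roughly the six months the post suggests


def parse_users(text):
    """Parse the spreadsheet export into dicts with a real access list and a bool flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["access"] = [a for a in row["access"].split(";") if a]
        row["shared"] = row["shared"].strip().lower() == "yes"
    return rows


def review_access(users, today):
    """Return (user_id, finding) pairs an admin should act on."""
    findings = []
    for u in users:
        # Deregistration: a leaver must not keep any access rights.
        if u["status"] == "left" and u["access"]:
            findings.append((u["user_id"], "leaver still holds access: " + ", ".join(u["access"])))
        # Ongoing management: every account is reviewed at least every six months.
        last = date.fromisoformat(u["last_review"])
        if today - last > REVIEW_INTERVAL:
            findings.append((u["user_id"], "access review overdue since %s" % (last + REVIEW_INTERVAL)))
        # User identification: shared accounts break traceability after a breach.
        if u["shared"]:
            findings.append((u["user_id"], "shared account: no per-user traceability"))
    return findings


def run_sample(today_iso="2017-08-17"):
    """Run the review over the constructed data as of the given date."""
    return review_access(parse_users(SAMPLE_CSV), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print(user_id, "-", finding)
```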

If you have any questions around User Access Control or Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk

Protecting your data and organisation is hard work — let us help you make it easier.
