Businesses: Know who your privileged users are … and aren’t
team
November 1, 2023

Every business should be able to definitively say who is a privileged user and who isn’t
Given the pervasiveness of technology in the business world today, most companies are sitting on treasure troves of sensitive data that could be stolen, exploited, corrupted or destroyed. Of course, there’s the clear and present danger of external parties hacking into your network to do it harm. But there are also internal risks — namely, your “privileged users.”
Simply defined, privileged users are people with elevated cybersecurity access to your business’s enterprise systems and sensitive data. They typically include members of the IT department, who need to be able to reach every nook and cranny of your network to install upgrades and fix problems. However, privileged users also may include those in leadership positions, accounting and financial staff, and even independent contractors brought in to help you with technology-related issues.
What could go wrong?
Assuming your company follows a careful hiring process, most of your privileged users are likely hardworking employees who take their cybersecurity clearances seriously.
Unfortunately, sometimes disgruntled or unethical employees or contractors use their access to perpetrate fraud, intellectual property theft or sabotage. And they don’t always act alone. Third parties, such as competitors, could try to recruit privileged users to steal trade secrets. Or employees could collude with hackers to compromise a company’s network in a ransomware scheme.
How can you protect yourself?
To best protect your business, you may want to implement a formal privileged user policy. This is essentially a set of rules and procedures governing who gets to be a privileged user, precisely what kind of access each such user is allowed, and how your company tracks and revokes privileged-user status.
To effectively develop and enforce the policy, begin by identifying your privileged users and their specific security clearances. A helpful approach is to create a list of privileges required for each position and compare it with the current privileges held by employees. Evaluate what makes sense and what doesn’t. When uncertain about whether someone requires a certain type of access, it is generally advisable to err on the side of caution and not grant it.
Additionally, create an “upgrading” process within the policy. Only trusted and qualified managers or supervisors should have the authority to upgrade or reinstate an employee’s privileges. They can consult with the leadership team if necessary. Utilize technology to streamline and monitor requests and approvals. Consider implementing a requirement for two levels of approval to elevate a user’s privileges. This is particularly important for highly sensitive systems and applications that store customer and financial data.
In addition, your privileged user policy should include stipulations to carefully monitor user activity. Observe and track how employees use their privileges. Let’s say a salesperson repeatedly accesses customer data for a region that the person isn’t responsible for. Have the sales manager inquire why. Subtly reminding employees that the company is aware of their tech-related activities is a good way to help deter fraud and unethical behavior.
Another important aspect of the policy is how you revoke privileges and remove dormant accounts. When employees leave the company, or independent contractors end their engagements, privileged access should be revoked immediately. Keep clear records of such actions. Block access and investigate if a deactivated account shows signs of activity.
Do you know?
Every business should be able to definitively say who is a privileged user and who isn’t. If there is any gray area or uncertainty regarding current or former employees, it could severely compromise the security of your data. And the ramifications, both financially and for your company’s reputation, are potentially very serious.