Secure the Keys to Your Kingdom

In recognition of National Cybersecurity Awareness Month, Weaver is launching our Cyber Fundamentals series. Throughout the month of October, we’ll be sharing content that will give you a basic understanding of cybersecurity and the key information you need to be aware, prepared and protected. This is the third post in the series.

Uncontrolled user access undermines every other security measure. Your organization’s most critical systems and data must be accessible to be useful. However, poor attention to user access can leave all the doors wide open to misuse and even fraud. Considering how fluid staff roles can be, and how often employees come and go, controlling user access can be a big challenge — and one of the most important.

When you’re working to improve cybersecurity, well-controlled user access lays a solid foundation for all of your other efforts. These are just a few of the important issues to consider:

• Administrator access is the equivalent of a master key; keep admin privileges limited to as few people as possible — and the admins should ideally not be business users. Evaluate who has administrator privileges at all layers: the network, operating systems, applications, and databases. It is often helpful to create separate admin logins for users who only occasionally need that access (for example, a day-to-day login as rwsmith and an admin login as adm_rwsmith).
• Segregation of duties means separating certain key functions to ensure proper oversight and prevent fraud — important even in small organizations. Carefully defined user permissions can help maintain this segregation, but it’s important to update those user roles when people transfer to a new position or change responsibilities.
• Routine user access reviews will allow owners of the system and individual applications to confirm that the right people have the right access to the right areas. What you review is as important as how often you review it: be sure to include the user, role assignment (in layman’s terms, not some obscure code) and attributes such as the last login. Base your reviews on the concept of “least privileges required,” in order to maintain the best security.
• System or service accounts can create risks related to accountability, since these accounts often have administrative privileges. Accounts should be well defined and regularly re-evaluated to make sure they are still needed and appropriate. In addition, you should consider using password management software to help monitor and manage these accounts; such software can maintain complex passwords, restrict use to required individuals and log events when the account is utilized.
• Terminations — It seems obvious that terminated employees should have their access revoked, but sometimes there are breakdowns in communication between human resources and the IT department. You can help prevent such miscommunications by formally including IT in the termination process, defining timelines, setting up a monitoring process to detect deviations, and including email routing or workflow queues in the termination process.
• Applications have a way of multiplying or lingering after they’re no longer used. To maintain control, inventory all of your organizations’ applications, including their ownership and potential risks. While you’re assessing risks, you can also identify potential cost savings and the costs of maintaining non-integrated systems. This is also a good opportunity to evaluate third-party relationships and your vendor’s cybersecurity.

When you’re building cybersecurity walls around your systems, weaknesses in user access can leave gaping holes. Taking time to evaluate your processes, assess your risks and put the right controls in place will help you make sure you haven’t left keys lying around where they shouldn’t be.

To learn more about our cybersecurity services, contact a Weaver professional today.