User access management isn’t a one-and-done step within your organization. In our white paper, we look at the dangers of user access complacency and how you can combat it.
Why should you, as a CIO, CISO, CAE, or in any leadership role, care about the details of user access reviews? A lot of companies do these types of access reviews and think they are fine with their current process.
From the outside, it may appear user access runs smoothly, terminated employees are removed swiftly, and new users receive the correct level of access to the correct system. But start peeling back the layers, and you find there are many levels of user access you aren’t considering. In our experience, this is the case more than 75 percent of the time. So, how can you improve user access levels and eliminate complacency in your company?
Can you confidently answer this question: Who has access to what? Then, can you answer that question for every critical system, database, and device throughout your company? Is the appropriate person completing routine reviews of detailed access reports? As much as it hurts to admit it, the answer is likely no.
Critical assets and information often become vulnerable due to inaccurate access. User access is inherently risky due to frequent changes within the company and the human factor. People can unconsciously make a mistake or, in the worst case, be intentionally malicious.
The risk is much higher than necessary if users are given more access than their job duties require. While the growing complexity of access management contributes to that heightened risk, so does the widespread complacency in managing user access.
Consequently, if your company is not conducting proper access reviews on a consistent basis, risks increase. These include terminated employees or terminated contractor employees who could gain access to the network remotely, send reputation-damaging emails, or process fraudulent transactions.
If an employee moves to a new department and previous access is not removed, the job change could create segregation-of-duty conflicts. There’s also the potential for abuse of dormant admin accounts.
In our white paper, we look at why user access reviews are critical to safeguarding your organization and why they should be led by someone at a management level who is close enough to know who the users are and what type of access is appropriate for their job duties. Then, we move toward what to look out for to prevent falling into a false sense of security, specifically reviewing three case studies as examples.