If you’re the owner of a small business, you know the importance of having proper rules in place for everything from business acquisition to login processes. If you’re a business owner, you probably also know that, while your business relies on every single one of its employees, those employees may not always have the company’s best interest at heart. If you leave it up to human goodness, there will always be a minority of people who will want to take advantage of an opportunity.
If you’re not careful, that opportunity could give employees – and any other bad person (read “hacker”) who has latched on to their account – a way to:
- Rob you blind – once or repeatedly as they remain undetected by taking your data or even your money
- Steal your or your clients’ personal and financial information
- Plant malicious software that can do direct damage to your system or divert information to a third-party recipient
- Spy on you remotely and keep track of your every single move
- Sabotage any business process, ruining your reputation
Needless to say, unless you can curb rampant access to your systems and data, you will end up in bad place. Luckily, there is a solution to this problem: permissions, privileges and roles.
One way to prevent these kinds of attacks is by dividing your business systems into parts that can only be accessed by people who are authorized to do so. All the rest see only what’s required of their job.
Three main tools to help get this done include account permissions, privileges and roles.
Account permissions: These are the access rights you give to your individual employees’ accounts. For example, you can let Jane access all accounting records, but not HR records.
Account privileges: If you want Jane to be able to go in and change records, you will need to grant her editing privileges. John, who is in HR, might also want to see the employee’s salaries, but may not have a need to alter the data. You would give him read-only rights, which will prevent him from altering any information.
Roles: Assigning single permissions and privileges to each of your employees, and then having them revoked or re-instated every time they make a move within your company is not only tiresome, it’s also prone to errors.
What you can do instead is create groups of permissions and privileges that have various accesses and then make your employees accounts members of respective groups. These groups are called “roles” and might be named according to department, like “Accounting” and “HR,” under which you would find Jane and John’s accounts, respectively.
Any time they make a move in the company’s hierarchy, you can have their roles updated. Though this seems pretty straightforward, it really isn’t.
You or anyone responsible for maintaining account management should always be vigilant and careful with their work. Most technology crimes are committed by current and former employees and not external hackers, so maintaining up-to-date account access is crucial.
With this in mind, you should always take these precautions when dealing with your users’ accounts:
- Always use clear cut roles, privileges and permissions. Don’t confuse them, because that’ll create loopholes that may allow users to sneak past you and access data they are not authorized to.
- As people move around your business, make sure their accounts are upgraded or downgraded accordingly.
- Don’t forget about employees who have left your company. Their accounts should be locked and then removed as soon as possible – and not a minute later.
This isn’t a part-time job. Maintaining accounts should have a dedicated professional who will be the only person authorized to do access right configuration.
If you haven’t implemented an authorization policy, now is the time to do it. Here are two basic ways you can get started.
- Shut down all roles, privileges and permissions and make sure all accounts have been locked out. Then grant permissions, privileges and roles on an account-by-account basis until everyone is satisfied with their accesses. Find the right time to do this, when people are not actively using software or files, so as to not interrupt work flow.
- Assign access to all employees and then revoke whatever accesses aren’t necessary. Let everyone have everything allowed (within their roles) and then slowly trim their access down to exactly what they need. This works well in an environment that can’t be shut down for account maintenance and doesn’t necessarily have sensitive data.
Either way, the aim here is to sculpt tight-fitting access that will let your employees do their jobs without overexposing your company data. Over time, keep monitoring the access rights and tweak them accordingly.