Your organisation’s data and intellectual property are invaluable resources, but they also present a tempting target for cyber-attacks. If your systems are compromised, there may be irreparable harm done to your organisation’s finances, reputation and future. One of the most important steps in addressing cyber-risks is regulating what information is accessible, and by whom.
Many cyber-attacks begin with a single user account being compromised. With that in mind, your organisation should limit how much access each user on your network has. That way, employees and other users cannot reach information they should not be privy to and, if an account is compromised, the attacker inherits only that account's limited access rather than the run of your systems.
Take the following steps in order to maintain proper user access:
- Account management—Accounts and their respective access permissions should be managed and updated regularly. Redundant accounts provided for testing or temporary staff should be deleted or inactivated after having served their purpose.
- Authentication policies—Organisations should establish a password policy requiring employees to use strong passwords to access data. For accounts with elevated permissions, additional authentication steps should be considered.
- Limited access—All users should only be granted access and permissions that are necessary to perform their job.
- Limited privilege—The number of accounts with broad access to important systems and sensitive information should be strictly limited. Administrative accounts with a high level of access should be used sparingly, and the people who hold them should also have normal accounts for everyday business.
- Surveillance—It is important to be aware of what is going on in your network. Monitor the activity of users and respond to any suspicious activity.
- Separate logs—Access to activity logs should be limited. Activity logs should be sent to an accounting and audit system that is kept separate from your core network.
- User awareness—Make sure that your users are aware of how they are allowed to use their accounts, what permissions they have and their personal responsibilities as they pertain to the organisation’s overall cyber-security.
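The checks in the list above can be run routinely rather than only at review time. The script below is an added example, not part of the original post: it audits a constructed account inventory (the field names, sample users and the role-to-permission tables are all assumptions) for expired temporary accounts, privileged accounts without a second factor, permissions beyond the job role, and admin holders with no separate everyday account.

```python
from datetime import date

# Constructed sample account inventory (an assumption, not data from the post):
# the fields a directory export might give an administrator.
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "role": "finance", "admin": False,
     "mfa": True, "perms": {"ledger"}, "expires": None},
    {"user": "alice-adm", "owner": "alice", "role": "finance", "admin": True,
     "mfa": True, "perms": {"ledger", "user-admin"}, "expires": None},
    {"user": "bob", "owner": "bob", "role": "sales", "admin": True,
     "mfa": False, "perms": {"crm", "ledger"}, "expires": None},
    {"user": "temp-tester", "owner": "contractor", "role": "qa", "admin": False,
     "mfa": False, "perms": {"staging"}, "expires": date(2024, 3, 31)},
]

# Assumed policy tables: what each job role needs, plus what admin accounts may add.
ROLE_PERMS = {"finance": {"ledger"}, "sales": {"crm"}, "qa": {"staging"}}
ADMIN_PERMS = {"user-admin"}
SAMPLE_TODAY = date(2024, 5, 3)  # constructed "today" for the sample run


def audit(accounts, today):
    """Return (user, finding) pairs for every account that breaks the policy."""
    findings = []
    # Owners who already hold a normal (non-admin) account for everyday work.
    owners_with_normal = {a["owner"] for a in accounts if not a["admin"]}
    for a in accounts:
        # Account management: temporary accounts left active past their expiry.
        if a["expires"] is not None and a["expires"] < today:
            findings.append((a["user"], "temporary account past expiry still active"))
        # Authentication policy: privileged accounts need a second factor.
        if a["admin"] and not a["mfa"]:
            findings.append((a["user"], "admin account without MFA"))
        # Limited access: permissions beyond what the role (and admin status) needs.
        allowed = ROLE_PERMS.get(a["role"], set()) | (ADMIN_PERMS if a["admin"] else set())
        extra = a["perms"] - allowed
        if extra:
            findings.append((a["user"], "permissions beyond role: " + ", ".join(sorted(extra))))
        # Limited privilege: admin holders must also have a normal everyday account.
        if a["admin"] and a["owner"] not in owners_with_normal:
            findings.append((a["user"], "admin holder has no separate everyday account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, SAMPLE_TODAY):
        print(f"{user}: {finding}")
```

On the sample data only bob's admin account and the stale temp-tester account are reported; alice, who uses a separate everyday account and MFA, passes cleanly.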
This blog is for informational purposes only. It is not intended to be exhaustive nor should any discussion or opinions be construed as compliance or legal advice. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Content by Zywave, Inc. provided by TH March.