So long as a user account is live and operative within your IT infrastructure, it is a potential gateway into your organization; leaving it unchecked is as risky as leaving a back window open into every device or application on your network that can be used through that account.
Not having a clear record of all unchecked admin accounts within your business will eventually cause a severe headache for your management team, and for you.
Who on your management team is liable for your IT infrastructure?
Admin accounts such as ‘Domain Administrators’ and ‘Local Administrators’ carry greater privileges than ordinary accounts, so they should be the focus of your admin account best practices.
Should a member of staff within your organization click on a compromised website or email attachment, the malware delivered by that site or attachment will usually run with the access level of the account the user is logged in with at that time, so what it can do is bounded by that account's privileges.
Due diligence is advised over who is allocated access to what in your end user environment. You want to rest assured knowing your accounts with admin privileges are only accessible to competent individuals.
For the business to be operational, you only need to provide access to applications, computers and networks necessary for staff to perform their role.
The Dangers of Unchecked Admin Accounts
All live accounts have the potential to access sensitive business information, dependent on what level of access has been granted to certain individuals and what authority they have been given.
Permit only as many rights as are required to fulfil the duties of a role within a department, such as a data entry role. This reduces the chances of critical data ending up in the wrong hands.
In comparison to a typical user account, accounts with superior access rights have greater access to desktops, laptops, tablets, smartphones, network devices, applications and, in a nutshell, varied degrees of critical company data.
If a privileged admin account were accessible to someone of ill intent, the heightened privileges of that account could easily be exploited.
This would enable them to cause ‘business-critical’ misuse of company data.
Mass interference with your systems and processes would very much be in the realm of possibility. In effect, this unapproved access to your company devices is what can lead to crippling data breaches.
‘Admin accounts’ are those with the greatest power. Such accounts possess the ability to download or install software and, in many cases, can make momentous security changes to your operating systems without being noticed.
Accounts with administrative privileges are entitled to adjust operating systems for some or all end-users across a virtual desktop environment and can create new accounts with greater freedom to access your infrastructure.
Bare Minimum Cyber Security
It is imperative to maintain control of all user accounts within your business and access privileges granted to each of them. Understanding how user accounts authenticate access privileges and who is responsible for verifying user account privileges are key to maintaining an oversight of all gateways into your infrastructure.
To begin with, you must establish a system for creating user accounts and a series of actions to approve administrative access to specific data files.
Such procedures require validation that your nominated personnel are fit for purpose and are allowed access to desktops, laptops, tablets, smartphones, network devices, applications, servers and data storage sites via their own individual login credentials.
Of critical importance is to ensure all leaver accounts are disabled. More importantly, if they are admin accounts, it is imperative to have a thorough process in place for managing incoming and outgoing staff.
We strongly advise using 2-factor authentication across all your systems (Office 365, servers, online portals, etc.).
Admin accounts should only be used to carry out tasks of an administrative nature anyway and should not be linked to regular accounts for performing everyday duties, browsing the web or any other standard user activities that may expose admin accounts to cyber threats.
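The offboarding steps above (disable the leaver's account, strip its privileges, keep a record) as a worked example in PowerShell. This is an added illustration, not code from the original article, and it assumes the RSAT ActiveDirectory module is installed; the `Disable-LeaverAccount` function name, the Leavers OU path and the ticket reference are placeholders for your own environment.

```powershell
# Added example (not from the original article): offboard a leaver so the account can no
# longer act as a gateway. Assumes the RSAT ActiveDirectory module; the OU path and the
# ticket reference are placeholders for your own environment.
function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TicketReference,           # HR/leaver ticket id (placeholder)
        [string] $LeaversOU = 'OU=Leavers,DC=example,DC=local'     # placeholder OU
    )
    Import-Module ActiveDirectory

    $User = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description -ErrorAction Stop

    # 1. Disable the account first, so that nothing below leaves a live but half-stripped account.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $User
    }

    # 2. Remove every group membership, privileged groups included. The primary group
    #    (normally Domain Users) is not listed in MemberOf and is not touched here.
    foreach ($GroupDN in $User.MemberOf) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $GroupDN")) {
            Remove-ADGroupMember -Identity $GroupDN -Members $User -Confirm:$false
        }
    }

    # 3. Leave an audit trail on the object itself and move it out of the production OU.
    $Stamp = 'Leaver disabled {0:yyyy-MM-dd} ref {1}; groups removed: {2}' -f `
             (Get-Date), $TicketReference, @($User.MemberOf).Count
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Update description and move to Leavers OU')) {
        Set-ADUser -Identity $User -Description $Stamp
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $LeaversOU
    }

    # Return a record so the caller can log the run against the leaver ticket.
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        DisabledAt     = Get-Date
        GroupsRemoved  = @($User.MemberOf)
        Ticket         = $TicketReference
    }
}

# Dry run first (nothing is changed with -WhatIf), then run for real:
# Disable-LeaverAccount -SamAccountName 'jsmith-adm' -TicketReference 'HR-0000' -WhatIf
# Disable-LeaverAccount -SamAccountName 'jsmith-adm' -TicketReference 'HR-0000'
```

Disabling comes before group removal deliberately: if the script fails part-way, the account is already unusable rather than live with a partial set of privileges. The `-WhatIf` dry run lets the person running the offboarding check which groups would be removed before anything changes.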
Did They Change Roles?
One area of paramount concern, yet often forgotten about, is a staff member who remains in the company but has changed roles. There is no longer any justification for their old admin account to exist.
In the aim of eradicating any possibility of unauthorized access through admin accounts, it is worth segmenting your company by department, then determining how important the data is within each department.
This process will give strong indicators of how much risk you are willing to expose that data to.
For staff who are starting and finishing their time with the company or just switching departments – some will have greater access privileges than others to the various areas of your systems.
Therefore, regular monitoring of all user accounts will help eliminate the potentially negative ramifications of admin accounts remaining live but forgotten about.
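The regular monitoring just described, as a worked example in PowerShell. This is an added illustration, not code from the original article, and it assumes the RSAT ActiveDirectory module; the privileged group names are the standard built-in ones, while the approved-admins list path, the 90-day staleness threshold and the `-adm` naming convention are assumptions to adjust for your own environment.

```powershell
# Added example (not from the original article): review membership of privileged AD groups
# and flag accounts that should not still be there (disabled, stale, not on the approved list,
# or not following the separate-admin-account naming convention). Assumes the RSAT
# ActiveDirectory module. Paths, threshold and naming pattern are placeholders.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$StaleAfterDays   = 90                                   # assumption: 90 days without logon is stale
$AdminNamePattern = '-adm$'                              # assumption: admin accounts end in -adm
$ApprovedListPath = 'C:\Audit\approved-admins.txt'       # placeholder: one SamAccountName per line
$ReportPath       = 'C:\Audit\privileged-account-review.csv'

# The approved list is the "clear record" of who is meant to hold admin rights.
# An empty list means every privileged account is reported as not approved.
$Approved = @()
if (Test-Path $ApprovedListPath) {
    $Approved = Get-Content $ApprovedListPath |
                Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
                ForEach-Object { $_.Trim() }
}

$LogonCutoff    = (Get-Date).AddDays(-$StaleAfterDays)
$PasswordCutoff = (Get-Date).AddDays(-365)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so admins hidden inside other groups are also seen.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.DistinguishedName `
                           -Properties Enabled, LastLogonDate, PasswordLastSet

        $Issues = @()
        if (-not $User.Enabled)                          { $Issues += 'disabled-but-still-privileged' }
        if ($User.SamAccountName -notin $Approved)       { $Issues += 'not-on-approved-list' }
        if ($User.SamAccountName -notmatch $AdminNamePattern) { $Issues += 'not-a-dedicated-admin-account' }
        if (-not $User.LastLogonDate)                    { $Issues += 'never-logged-on' }
        elseif ($User.LastLogonDate -lt $LogonCutoff)    { $Issues += "no-logon-in-$StaleAfterDays-days" }
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $PasswordCutoff) {
            $Issues += 'password-older-than-1-year'
        }

        if ($Issues.Count -gt 0) {
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Issues         = ($Issues -join '; ')
            }
        }
    }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run this on a schedule and treat every row as a question for the account owner's manager: a disabled member still in Domain Admins is a leaver process that stopped half-way, a never-logged-on or long-stale member is the forgotten account the paragraph above warns about, and a privileged account that does not match the admin naming convention is one being used for everyday work rather than kept separate.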
Not only is this best practice in accordance with the NCSC’s Cyber Essentials Plus security standard, you will need Cyber Essentials Plus or Cyber Essentials Basic as a minimum if you are looking to show your customers that you take data protection seriously, or if certification is required to meet a contract/supply chain criterion.
Admin Accounts Best Practices Certification
If your intention is to demonstrate that your organization meets cyber security requirements and takes data protection seriously, then Cyber Essentials PLUS is the best option.
Companies holding sensitive data should always seek out PLUS certification, especially if involved in sectors frequently subjected to cyber attacks. However, this is not always cost efficient for SMEs, and for some companies the basic certification is enough.
A managed service provider could be the key to balancing the need for cyber security when it comes to user accounts.
If you are seeking help from a managed service provider in getting Cyber Essentials certification for your business, the MSP you partner with should be certified to at least the level at which you wish to be accredited, especially when you consider that they could be the gateway to your data.