It is difficult to justify hiring a dedicated IT/Cybersecurity professional in a business with less than ten or twenty employees. As a result, many small business owners outsource their technology management to third party contractors, or simply have the work performed as a side task by employees with technical knowledge.
One major issue that can arise from this lack of oversight is privilege creep. Privilege creep is a security risk that arises when different employees end up gaining privileges to access more resources than are necessary for their job. In today’s digital landscape, the Principle of Least Privilege is a major requirement for securing access to business data. Employees should only be granted the minimum privileges necessary to perform their job.
Implementing the principle of least privilege can be difficult in small business environments, due to the lack of centralized identity and access management, and the lack of a full time IT professional to audit employee access.
In addition to risks enabled by privilege creep, small businesses can fall victim to Shadow IT. Shadow IT occurs when employees use their workplace identities to sign up for online services that have not been approved or vetted by administration. While it may seem harmless to sign up for some new services to help with workflows and improve productivity, the use of Shadow IT can widen your organization’s attack surface by attaching business data to potentially insecure and poorly managed websites. If your business has multiple employee email accounts with no governance over their use, then it’s very likely that those accounts are attached to several online services that you have never even heard of or approved.
Much of this framework is dedicated to reigning in identity and access management within small business environments, as identity has quickly become the new perimeter in cybersecurity. Future documentation will be dedicated to implementing common sense solutions that help small business owners keep a watchful eye on the use of employee accounts and their associated access. However before this can be done, you must identify the privileges and access levels currently in use by employee accounts in your organization.
Either on your own or with your cybersecurity team, utilize the attached template to catalog every bit of access currently granted to each of your employees. Every website and service they have access to, and the tasks they are allowed to perform she be noted. To get a complete picture, you will likely need to audit the employee’s identities by having them submit a list of all services their email is currently attached to. Accomplishing this will require patience and good communication.
Once you have documented the current state of employee privileges and access levels, you will need to define the bare minimum privileges each employee should ideally have. If an employee should only be posting updates on your company’s website, than they should have a Contributor Role, not Administrator. If an employee’s job is to run the front desk and manage the drawer during their shift, then they should not be allowed backend access to the Point of Sales dashboard.
Ensure that you narrow down the minimum privileges for your employees as tight as possible. Invoke the aid and advice of your cybersecurity team and any third party contractors if necessary. Once the documentation has been completed, ensure that it is securely stored, as it will be vital for implementing hardened IAM and privilege management further down the road.
