Permissions Creep

Permissions Creep, also known as privilege creep, is what happens when an employee moves between roles in an organisation and keeps the access or permissions of the previous role.


Photo by Chunlea Ju on Unsplash

What is Permissions Creep?

Permissions Creep, also known as privilege creep, is what happens when we move between roles in an organisation and keep the access or permissions of the previous role.


Permissions Creep example:

Let’s imagine you have been hired by a company to maintain one of their buildings, building A. On your first day they give you the keys to building A. You work there for 6 months and, because you have done such a great job, they promote you to maintain an even larger building, building B. You get your keys to building B on your first day and you stop doing the maintenance for building A. Now, a year later, you get promoted again, this time to maintain the company HQ, building C. They hand you the keys to building C.

At this stage, all you actually need to do your job are the keys to building C. However, because they never collected the other keys back in, you are now one of the rare people with access to all 3 company buildings. You have “accumulated privileges”.

Now let’s say someone breaks into your car and steals the keys. That attacker now also has access to all 3 buildings.


Why does it matter?

A key component in keeping a company’s data secure is to ensure that employees are only able to view and edit the systems they need access to in order to perform their role.

Accumulated privileges matter in a company because having all the “eggs in one basket” weakens company security and creates vulnerabilities within an organisation.

For example, a successful social engineering attack on a CEO with an admin account and access to the segmented finance network could give an attacker a highly privileged position in an organisation just by compromising one account. This happens frequently because senior staff members often demand special privileges and are themselves the focus of targeted cyber-attacks.

In the case of an insider threat, an attacker will be looking to build up permissions they do not need in order to commit fraud or exfiltrate information.


Why is it hard to stop?

Permissions creep is difficult to work against because people feel naturally entitled to the access and permissions that they have used in the past. They feel they “own” the access, in the same way employees often feel they “own” the information and reports they have written. They feel a sense of status at having access that others do not, even though they have no need for it. This is particularly true of senior members of staff who see access as a badge of honour. Unfortunately, it takes a brave IT administrator to tell his boss that his access has been curtailed.

Similarly, when staff move roles in an organisation, the emphasis is on setting up the access they need for the new role, and the importance of subsequently removing the old permissions is often overlooked.


6 ways to reduce the risk of permissions creep and privilege accumulation.


  1. Make sure there are relevant policies in place to address the risks of permission creep.
  2. Don’t give out unnecessary access! It may seem like a shortcut to give all members of a team or department the same access, but ensure that they need it first.
  3. Ensure there is good communication between IT and HR when it comes to staff who change roles internally or leave. Make sure that the accounts are appropriately modified or closed in a timely manner.
  4. Conduct regular permissions audits – There are numerous open source and commercial tools to assist with doing permissions audits.
  5. As a user, if you find you have unexpected access or still have access to files you no longer need, inform your IT team so they can update the accounts.
  6. Educate users, especially those in senior positions, about the importance of minimising permissions. Explain the risk/reward balance; they don’t need or use the access, yet by having it they are putting their company at unnecessary risk.
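
One way to carry out the audit in points 3 and 4, as an added example that is not part of the original article: it compares HR's record of each person's role history with what IT has actually granted, and separates access left over from a previous role from access that matches no role the person ever held. All role names, group names, users and data below are constructed for illustration, reusing the building-keys scenario from earlier.

```python
# Constructed sample data: role names, group names and users are hypothetical.
ROLE_ENTITLEMENTS = {
    "maintenance_building_a": {"keys_building_a", "maintenance_portal"},
    "maintenance_building_b": {"keys_building_b", "maintenance_portal"},
    "maintenance_hq": {"keys_building_c", "maintenance_portal"},
    "finance_analyst": {"finance_share", "erp_read"},
}

# HR view: each person's roles in order, current role last.
HR_ROLE_HISTORY = {
    "alice": ["maintenance_building_a", "maintenance_building_b", "maintenance_hq"],
    "bob": ["finance_analyst"],
    "carol": ["finance_analyst", "maintenance_hq"],
}

# IT view: what each account actually holds today.
DIRECTORY_GRANTS = {
    "alice": {"keys_building_a", "keys_building_b", "keys_building_c", "maintenance_portal"},
    "bob": {"finance_share", "erp_read", "keys_building_c"},
    "carol": {"keys_building_c", "maintenance_portal"},
}


def audit_user(user):
    """Classify one account's grants against its current and former roles."""
    *previous, current = HR_ROLE_HISTORY[user]
    needed = ROLE_ENTITLEMENTS[current]
    inherited = set().union(*(ROLE_ENTITLEMENTS[r] for r in previous)) - needed
    held = DIRECTORY_GRANTS.get(user, set())
    return {
        "creep": sorted(held & inherited),  # left over from a previous role
        "unexplained": sorted(held - needed - inherited),  # matches no role ever held
        "missing": sorted(needed - held),  # current role not fully provisioned
    }


def audit_all():
    """Return only the accounts that need a revocation or a review."""
    findings = {}
    for user in sorted(HR_ROLE_HISTORY):
        result = audit_user(user)
        if result["creep"] or result["unexplained"]:
            findings[user] = result
    return findings


if __name__ == "__main__":
    for user, result in audit_all().items():
        print(user, result)
```

Items reported as "creep" can be revoked once the role change is confirmed; "unexplained" grants point to ad hoc access that should go back to whoever approved it.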





Featured image: Thomas Grimer5 by Thomas Grimer, licensed under a Creative Commons Attribution 4.0 International 
