Permissions Creep

Internal threats can be a huge threat.  One things that often ends up happening is something known as permissions creep.  Here’s how it works:

Let’s imagine you have been hired by a company to maintain one of their buildings, building A.  So on your first day they give you the keys to building A.  You work there for 6 months and because you have done such a great job they promote you to maintain an even larger building, building B.  You get your keys to building B on your first day and you stop doing the maintenance for building A.  Now, a year later you get promoted again.  This time to maintain the company HQ, building C.  They hand you the keys to building C.

At this stage all you actually need to do your job are the keys to building C however because they never collected the other keys back in you are now one of the rare people with access to all 3 company buildings.  You have “accumulated privileges”. 

Now let’s say someone breaks into your car and steals the keys.  That attacker now also has access to all 3 buildings. 

The same applies for cyber and data security.  Get your IT team to review all of your employee’s permissions.  Make sure your HR team communicate any staff changes, leavers, promotions etc to your IT team.

Posted in Uncategorized.