information. This is true for physical security as well as cyber security.
Access is limited to who or what can access the restricted resources, when they can access, why access is required, and how the resources will be used.
Take an everyday example such as a car and a newly licensed teenager. Concerned parents may impose restrictions on letting friends drive (who), when the teen needs to return with the vehicle (when), where they are going (why), and obeying traffic laws (how).
This recent Guardian article about the rogue doctor who fraudulently accessed patient data is what sparked this post.
To significantly reduce the risk of outside breach, staff/vendor mistakes, and rogue insiders, security best practices dictate limiting access to all systems based upon the Principle of Least Privilege, sometimes known as Zero Trust.
"The principle of least privilege is a concept in cybersecurity that emphasizes limiting user and process access to the minimum required to perform their job duties. This principle is based on the idea that by limiting access to resources, the risk of unauthorized access, use, or disclosure is reduced.
In practice, this means that users should only be granted access to the specific resources and functions that are required for their job, and that their access should be regularly reviewed and adjusted as necessary. The idea is to provide just enough access for the user to perform their job, and no more."
Broadly and very generically speaking, if an organization makes a thorough list of its systems, data, locations, and relationships, and then assigns individuals or groups of individuals levels of access based on who needs what to complete their basic job functions, the risk of breach, error, or negligence becomes much more manageable.
Zero Trust is not about not trusting your own people. Rather, it is based on protecting them from malicious third parties while simultaneously protecting your organization from internal error.
As part of our Virtual CIO services, the Scalable Business Technologies team will review organizational hierarchies and accesses, and recommend incremental changes to access rights to enhance overall business continuity.
You'd be surprised how often we run into situations where:
- departed employees still have access to critical systems
- a staff member who was given temporary access never had it revoked
- vendors with incomplete internal security measures inadvertently create back doors
- multiple people share single accounts for restricted assets or areas, negating all related auditing and asset tracking
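As an added illustration (not code from the original post or its authors), here is a small Python access-review check that flags the first, second and fourth patterns above in a constructed account inventory; the account names, systems and dates are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class AccessGrant:
    """One login on one system, as an access-review inventory would list it (constructed)."""
    account: str                                   # login name on the system
    system: str                                    # system or area the login unlocks
    employed: bool                                 # is the owner still with the organization?
    expires: Optional[date] = None                 # set only for temporary access
    users: List[str] = field(default_factory=list) # people who actually use this login

def review_access(grants: List[AccessGrant], today: date) -> List[Tuple[str, str, str]]:
    """Return sorted (account, system, finding) triples for grants that violate least privilege."""
    findings = []
    for g in grants:
        if not g.employed:
            findings.append((g.account, g.system, "departed user still has access"))
        if g.expires is not None and g.expires < today:
            findings.append((g.account, g.system, "temporary access past its end date"))
        if len(g.users) > 1:
            # A shared login cannot be traced back to one person, so auditing is lost.
            findings.append((g.account, g.system,
                             "account shared by %d people; audit trail lost" % len(g.users)))
    return sorted(findings)

# Constructed sample inventory with hypothetical names and systems.
SAMPLE = [
    AccessGrant("asmith", "payroll", employed=True),
    AccessGrant("jdoe", "payroll", employed=False),                        # left the company
    AccessGrant("contractor1", "vpn", employed=True, expires=date(2024, 1, 31)),
    AccessGrant("frontdesk", "door-controller", employed=True, users=["a", "b", "c"]),
]

if __name__ == "__main__":
    for account, system, finding in review_access(SAMPLE, date(2024, 3, 1)):
        print(f"{system:16} {account:12} {finding}")
```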
If you, or anyone you know, is interested in a bit of help with your technology and cybersecurity, please contact us at any time.