Understanding the “Why” Behind IT Security Restrictions
It can be irritating when you are busy trying to get things done at work and your IT security slows you down.
Ever tried to install software that you need and gotten a message that says you need administrative rights to do that?
It’s frustrating, right? You hold an important position in your business, perhaps you even own it, and some IT person won’t let you install the software you bought.
What gives them the right?
Recognize the power of administrative network access.
This is all about perspective. In this example, let’s say you are the owner of your business. You likely have access to all the critical information on your computer and business computer network.
With your login information, you can access:
- Financial data for your business
- The business pricing model
- Your customer database
- Business trade secrets
- Private information about your staff (HR)
- Much more
Imagine if your system were compromised. Someone with bad intentions gains access to your computer and can get to all the critical information listed above. They can steal it, deny you access to it, delete it, or any combination of these.
If that happens, you’re going to have major problems on your hands.
Restrictions are protection, not control.
I have had clients ask, “Why can’t I have control of my own equipment?”
Logic would agree that you should. If you own the business, you own the equipment. Even if you don’t own the business, you are certainly trusted with certain information that is private to your business.
Realize that the more you have access to, the greater the risk of someone getting to it. Allowing you to have the control that a Network Administrator has only increases that risk.
A user with administrative access on a network can do all kinds of harm if they have bad intentions. If a crook gains that level of access, severe and possibly irreversible damage could occur.
Why is allowing a user to install software that the business owns such a big deal?
Installing software is a perfect example of the risk here. If a cybercriminal gains access with administrative control, they could install ransomware on any computer or server on the network.
Essentially, they can put harmful stuff anywhere that the administrator can access.
When you understand this, it makes sense that you are the last person that should have administrative rights to your network.
Frankly, nobody should have administrative rights on a business network besides the person or persons responsible for the administration of the network.
Anyone who has administrative access to a business computer network should have to pass multiple steps before gaining control of that network.
Some examples of safeguards that should be in place for network administrators are:
- Long passwords – complexity doesn’t hurt, but password length is more important
- Multi-factor authentication – the administrator should have to prove their identity with something more than just a password that could be stolen.
- Threat hunting systems – detect and alert on activity that could be harmful, even if it is being performed by a network administrator.
“All the things that I need to do just to log in are a pain.”
I understand that nobody wants to jump through a bunch of hoops to gain access to the resources required to do their job.
Access controls can be a hassle:
- Long, complex passwords are painful.
- Having different passwords for everything can be very difficult to manage.
- Multi-factor authentication adds delays to the login process.
The good news is there are solutions to all these challenges that make things easier while remaining secure.
- Password managers solve issues with long, complex passwords.
- Hundreds of unique passwords can be stored in a password manager that can autofill a login.
- Multi-factor authentication can often be set up so that it isn’t required on every login once the specific computer or phone has been identified.
Most importantly, remember that each of these strategies makes your business more secure from the risks that cybercrime presents.
Cybercrime is the greatest risk to businesses today.
If your business carries a cyber insurance policy (and it should), you know that cybercrime is a growing threat. Claims against such policies continue to rise at alarming rates.
This increase in paid claims is causing rates for these policies to rise. Often this comes with reduced coverage and more stringent requirements for qualifying.
These trends are a clear indicator that cyber-attacks are causing financial damage to businesses. As a result, it is more important than ever to put systems and policies in place to protect against the risk of cybercrime to your business.
Consider what your business insurance covers and what measures you have taken to protect against those risks.
- Physical damage like fire, wind, water, and lightning.
- Theft of equipment or other valuables that your business owns.
- Liability coverage to protect against lawsuits and other claims of damage caused to others.
- Workers’ compensation coverage.
The likelihood of filing a claim for coverage because of one of these perils is often lower than the likelihood of suffering a loss from a cyber-attack.
Be a proponent of cyber security measures in your business.
If you are in a leadership role in your business, supporting the efforts toward greater cyber security is paramount. Your team will follow your lead, and your business will be more secure because of it.
Encourage your IT people to implement more stringent security. Embrace the idea that this is reducing your business risk rather than creating problems for you.
The most successful businesses that I have worked with have leaders who recognize that the risk faced by their business has changed. These businesses take steps to improve their cybersecurity posture.
- Business leaders understand that cybercrime could severely damage or destroy their business.
- They empower their IT team to continue to work to improve cybersecurity.
- The best leaders take the lead in embracing new security measures.
Business leaders must build a culture of security or their team will not recognize how important it is to the business.