Most organisations assume access is under control: logins exist, permissions are assigned and systems sit behind authentication. On paper it looks tidy but in reality access piles up over time, with little visibility and less removal.

“Access creep” is one of the most common and least tackled IT risks: as people change roles, support projects or pick up new responsibilities, permissions get added but rarely taken away. Over time users end up with far broader access than they need for the role they do now, multiplied across systems and data sets.

It’s not just employees either. Contractors, third parties and even leavers can retain access longer than intended sometimes indefinitely. These gaps rarely come from bad intent, they come from fragmented processes and unclear ownership.

Least privilege – giving people only what they need to do their job as it is now- is widely understood.

The challenge is enforcing it, not just as a single exercise, but every time jobs or roles change. When access isn’t tight, your risk surface expands fast because a compromised account with excessive permissions gives attackers even more room to manoeuvre. A small incident can quickly become broad access and, consequently, data exposure or disruption.

In professional services, the stakes are higher due to the amount of client data at risk. Add into the mix the financial information and internal communications which can be spread across multiple platforms and without clear control a basic question becomes hard to answer: who can access what, and why?

The fix is straightforward and doesn’t require complex permissions management tools, just structure and discipline.

 

A few steps make a real difference:

  • Review access regularly and remove what’s no longer needed
  • Reduce access when roles change not just when people leave
  • Disable leavers’ and third-party accounts promptly, and have a bulletproof process to identify all leavers in advance of their departure.
  • Avoid granting any user admin access unless it’s genuinely necessary, and then never on a day to day user account.
  • Always use role-based access where possible, and risk assess any request or supposed need for higher privilege.

Good access management supports the business, but it should also be deliberate and justified.

Access control rarely makes headlines so it’s often assumed to be “handled.” In practice, it’s one of the areas most prone to drift and that drift creates exposure.

As threats evolve and environments get more complex, knowing who has access to what remains one of the most fundamental, and most overlooked, security controls.

David Baskerville

David Baskerville

07769 946883

Do this today:

Identify one shared mailbox or folder and confirm who still needs access.

Other articles in the 'Keep It Real' series

Keep It Real 3: Software Updates, The Patch You Didn’t Apply

Keep It Real 3: Software Updates, The Patch You Didn’t Apply

We tend to picture cyber breaches as sophisticated attacks beating sophisticated defences. In reality many breaches exploit something simpler such as a known vulnerability with a fix that was never applied. Patching is one of the most basic and effective security...

Keep It Real 2: Phishing Awareness – Still the Weakest Link

Keep It Real 2: Phishing Awareness – Still the Weakest Link

Cybersecurity spend keeps rising with better email filtering, stronger detection and more automation promising better protection. Yet phishing still works because while technology can reduce exposure, it can’t remove human judgment. Phishing has evolved with the...

Keep It Real 1: World Password Day – The Basics Still Matter

Keep It Real 1: World Password Day – The Basics Still Matter

World Password Day is 7 May. The problem isn’t awareness; it’s execution. Phishing is growing in both volume and sophistication. Messages now mimic suppliers, colleagues and trusted services with convincing branding, tone and timing. Often, attackers aren’t “breaking...

Latest Articles

Keep It Real 3: Software Updates, The Patch You Didn’t Apply

Keep It Real 3: Software Updates, The Patch You Didn’t Apply

We tend to picture cyber breaches as sophisticated attacks beating sophisticated defences. In reality many breaches exploit something simpler such as a known vulnerability with a fix that was never applied. Patching is one of the most basic and effective security...

Keep It Real 2: Phishing Awareness – Still the Weakest Link

Keep It Real 2: Phishing Awareness – Still the Weakest Link

Cybersecurity spend keeps rising with better email filtering, stronger detection and more automation promising better protection. Yet phishing still works because while technology can reduce exposure, it can’t remove human judgment. Phishing has evolved with the...

Keep It Real 1: World Password Day – The Basics Still Matter

Keep It Real 1: World Password Day – The Basics Still Matter

World Password Day is 7 May. The problem isn’t awareness; it’s execution. Phishing is growing in both volume and sophistication. Messages now mimic suppliers, colleagues and trusted services with convincing branding, tone and timing. Often, attackers aren’t “breaking...

Talk to us today

Get In Touch

Discover more from Baskerville Drummond LLP

Subscribe now to keep reading and get access to the full archive.

Continue reading