A cyber attack in January caused widespread IT disruption at the British Museum, including gallery and temporary exhibition closures and an inability to process ticketing transactions.
This was met, by me at least, with a weary sigh as it seemed like yet another large institution had been brought to its knees by a cyber-attack. However, the reality turned out to be something much more mundane – a disgruntled IT Contractor taking revenge after their services were terminated.
Cyber security is, rightly, a hot topic for any organisation. As the number of internet-connected devices and locations has proliferated, so has the opportunity for malicious actors (often referred to as ‘Black Hat Hackers’) to infiltrate the IT environment, steal or destroy confidential data, and extort large sums of money for its return. As well as these active third-party threats, firms must also protect against accidental breaches and errors by the IT team, such as missing patches or unchanged default passwords; these “innocent” issues can be just as damaging as aggressive third-party actions.
However, while focusing on newer threats such as phishing, whaling, impersonation attacks and the strategies to mitigate them (such as Penetration Testing, Endpoint Detection and Response, Extended Detection and Response, Managed Detection and Response) the basics can be neglected, leaving organisations exposed to issues which could be mitigated through simpler strategies implemented thoroughly.
Below I outline some things to consider around your organisation’s approach to user access control.
HR Processes
Every IT team has had senior staff at their desk pushing for a new user account to be set up immediately, if not sooner, because they have recruited someone to start in their team but the information hasn’t filtered through to HR or from HR to IT. Having a well-documented and diligently followed process for a user’s journey through your organisation is key to ensuring that the risk of unauthorised access being granted is minimised. If you have access to a workflow solution that can trigger all the necessary steps in the correct order and to the correct people to action them this will simplify things; however, it needs to be underpinned by an unambiguous policy.
- Users should only be set up and allowed to access the system once you have verified their identity and right to work and have a signed contract in place. HR are usually best placed to manage this and to lead on processes to ensure that you are not granting precious access to your environment to someone who isn’t who they say they are. Whether to allow users to access systems before their contractual start date is a business decision – but agree what that policy is and stick to it to avoid any issues around people having access too soon and then potentially walking away with data and no contractual comeback.
- Equally, if not more, important is IT working hand-in-glove with HR on restricting or removing access promptly when someone leaves or must have their access restricted for some reason. This is often just a matter of making sure that any system access is disabled as soon as the person’s contract has ended. With the proliferation of systems with (potentially) their own authentication mechanisms, this can be a major challenge. Implementing some form of Single Sign-On where available should minimise the risk, as disabling the user’s main (often Azure) account can also remove access to other systems which use the same authentication system.
- In more unusual circumstances, such as temporarily disabling access due to a disciplinary investigation or the need to lock out an account quickly due to an unexpectedly early termination of contract (as seems to have been the case at the British Museum), it is important to make sure that someone trusted is lined up to disable any access before the affected person is informed. Leaving a user alone to “tidy things up” before being escorted off the premises, or leaving them with the potential to access the environment remotely even though their dedicated device has been taken away is a gaping hole through which confidential data could be exfiltrated, systems could be tampered with, or inappropriate communications sent to colleagues and clients. Where the environment is managed by an external provider it is essential that you have a process agreed with them in advance to deal with departing staff members. For example, a request to lock the account at a specified date and time made via one or two named contacts to ensure that the work is completed correctly, and confirmation from them that the action has been taken. Simply logging it as a “standard” service desk job risks it being prioritised wrongly and not actioned in time, leaving the account accessible and vulnerable to misuse.
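As an added example (not code from the article or from Baskerville Drummond), the following Python reconciles a constructed HR roster with a constructed directory export and applies the checks described above: identity verified, contract signed, no access before the agreed start date unless policy allows it, and access removed once the contract has ended. The `ALLOW_PRE_START_ACCESS` flag, the field names and the sample people are all assumptions made for the illustration.

```python
from datetime import date

# Constructed HR roster (not real people): what HR knows about each person.
HR_ROSTER = {
    "alice": {"status": "active", "start": date(2024, 3, 1), "end": None,
              "id_verified": True, "contract_signed": True},
    "bob":   {"status": "terminated", "start": date(2022, 6, 1), "end": date(2025, 1, 10),
              "id_verified": True, "contract_signed": True},
    "carol": {"status": "active", "start": date(2025, 2, 1), "end": None,
              "id_verified": True, "contract_signed": False},
    "dave":  {"status": "active", "start": date(2025, 1, 6), "end": None,
              "id_verified": False, "contract_signed": True},
    "frank": {"status": "active", "start": date(2025, 1, 13), "end": None,
              "id_verified": True, "contract_signed": True},
    "grace": {"status": "active", "start": date(2025, 2, 3), "end": None,
              "id_verified": True, "contract_signed": True},
}

# Constructed directory export: which accounts exist and whether they are enabled.
DIRECTORY = {
    "alice": {"enabled": True},
    "bob":   {"enabled": True},   # contract ended on 10 Jan but account still enabled
    "carol": {"enabled": True},   # no signed contract yet
    "dave":  {"enabled": True},   # identity never verified
    "erin":  {"enabled": True},   # no HR record at all
    "grace": {"enabled": True},   # enabled before contractual start date
}

AS_OF = date(2025, 1, 15)          # constructed review date
ALLOW_PRE_START_ACCESS = False     # business policy decision (assumption for this example)


def reconcile(roster, directory, today, allow_pre_start=ALLOW_PRE_START_ACCESS):
    """Compare HR's view with the directory and return (account, action, reason) tuples."""
    findings = []
    for account, acct in directory.items():
        if not acct["enabled"]:
            continue                      # a disabled account grants no access
        person = roster.get(account)
        if person is None:
            findings.append((account, "disable", "no HR record (orphan account)"))
        elif person["status"] == "terminated" or (person["end"] and person["end"] <= today):
            findings.append((account, "disable", "contract ended"))
        elif not person["id_verified"]:
            findings.append((account, "disable", "identity not verified"))
        elif not person["contract_signed"]:
            findings.append((account, "disable", "no signed contract"))
        elif person["start"] > today and not allow_pre_start:
            findings.append((account, "disable", "access before contractual start date"))
    # Joiners: HR says they have started and are cleared, but no account exists yet.
    for name, person in roster.items():
        cleared = person["id_verified"] and person["contract_signed"]
        if (name not in directory and person["status"] == "active"
                and cleared and person["start"] <= today):
            findings.append((name, "create", "active starter with no account"))
    return sorted(findings)


def run_example():
    return reconcile(HR_ROSTER, DIRECTORY, AS_OF)


if __name__ == "__main__":
    for account, action, reason in run_example():
        print(f"{action:8} {account:8} {reason}")
```

Run against real data, the two inputs would be an HR system export and a directory export; the value is in running it on a schedule so that a leaver whose account was never disabled, or an account nobody in HR recognises, surfaces without anyone having to remember to look.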
Prevention Strategies
Role-based access controls
Historically, it was technically challenging to provide granular administrative permissions on a network, leading many organisations to just give their IT users (and sometimes others) full superuser/administrator level access as a quick fix. This creates a huge risk if that access is not audited and is left in place for longer than needed. Most environments, including Microsoft Entra ID (formerly Azure Active Directory) and AWS, now include the capability to assign much more specific permissions through predefined roles. Following the Principle of Least Privilege means rigorously assessing what permissions a user needs to do their job and allocating only those needed and nothing more. Giving a user enhanced permissions “just in case” is short-sighted and can leave your organisation at risk of someone exploiting those permissions.
Permissions Audits
Regular reviews of user accounts, the roles assigned to them and the permissions those roles allow provide a means to identify where processes might not have been followed, and a sense check of whether someone whose role has changed still holds an inappropriate permission set.
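An added illustration, not part of the article: a small Python permissions audit that compares each account’s assigned roles with a baseline of what its job title should hold, so that a “mover” who kept an old role, or a standing Global Administrator assignment, is listed with a severity. The baseline, the accounts and the title-to-role mapping are constructed; the role names borrow Microsoft Entra ID built-in role names for realism.

```python
# Constructed least-privilege baseline: the roles each job title is permitted to hold.
# Role names follow Microsoft Entra ID built-in role names, used here illustratively.
ROLE_BASELINE = {
    "helpdesk":  {"Helpdesk Administrator", "Directory Readers"},
    "sysadmin":  {"Helpdesk Administrator", "Exchange Administrator", "Intune Administrator"},
    "finance":   {"Billing Administrator"},
    "solicitor": set(),
}

# Roles that should never be held as standing assignments; flagged as high severity.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed snapshot joining the HR job title with the directory's role assignments.
ACCOUNTS = {
    "alice": {"title": "helpdesk",  "roles": {"Helpdesk Administrator", "Directory Readers"}},
    "bob":   {"title": "solicitor", "roles": {"Exchange Administrator"}},    # left IT, role never removed
    "carol": {"title": "sysadmin",  "roles": {"Global Administrator", "Intune Administrator"}},  # standing GA
    "dave":  {"title": "finance",   "roles": {"Billing Administrator", "Helpdesk Administrator"}},
    "erin":  {"title": "paralegal", "roles": {"Directory Readers"}},         # title has no baseline
}


def audit_permissions(accounts, baseline, privileged=PRIVILEGED_ROLES):
    """Return (account, role, severity, reason) for every role outside the account's baseline."""
    findings = []
    for account, info in sorted(accounts.items()):
        if info["title"] not in baseline:
            # No baseline means nobody has decided what this job needs; every role is a question.
            for role in sorted(info["roles"]):
                findings.append((account, role, "medium", "job title has no baseline; review manually"))
            continue
        for role in sorted(info["roles"] - baseline[info["title"]]):
            if role in privileged:
                findings.append((account, role, "high", "standing privileged role"))
            else:
                findings.append((account, role, "medium", "role not in baseline for job title"))
    return findings


def summarise(findings):
    """Count findings by severity, handy for tracking the audit from one review to the next."""
    counts = {"high": 0, "medium": 0}
    for _, _, severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_permissions(ACCOUNTS, ROLE_BASELINE)
    for account, role, severity, reason in results:
        print(f"{severity:6} {account:8} {role:28} {reason}")
    print(summarise(results))
```

The baseline is the important artefact here: writing down which roles each job actually needs is the work that the Principle of Least Privilege demands, and once it exists the comparison itself is trivial to automate.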
Audit log reviews
Modern, cloud-enabled authentication and access systems create a large amount of audit detail. Although at first glance this can seem overwhelming, regular checks, possibly using filtering to only identify high-risk activities, help identify where users may be using permissions that they were not intended to have.
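Added example (not from the article): a Python filter over a constructed audit log that keeps only high-risk actions and explains why each one was flagged, which is the “filtering to only identify high-risk activities” step in practice. The record layout is loosely modelled on the shape of an Entra ID audit export but is sample data, and the action names, approved-administrator list and change window are assumptions.

```python
import json
from datetime import datetime

# Actions treated as high risk regardless of who performed them (constructed list).
HIGH_RISK_ACTIONS = {
    "Add member to role", "Reset user password", "Enable account",
    "Add service principal credentials",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
APPROVED_ADMINS = {"alice@example.com"}   # who is expected to perform admin actions
CHANGE_WINDOW = (8, 18)                    # hours of the day in which admin changes are expected

# Constructed audit log, one JSON record per line; field names loosely follow an
# Entra ID audit export but this is sample data, not a real log.
RAW_LOG = """\
{"time": "2025-01-14T09:12:03", "actor": "alice@example.com", "action": "Add member to role", "target": "bob@example.com", "detail": "Helpdesk Administrator"}
{"time": "2025-01-14T23:41:10", "actor": "alice@example.com", "action": "Add member to role", "target": "alice@example.com", "detail": "Global Administrator"}
{"time": "2025-01-15T10:05:44", "actor": "bob@example.com", "action": "Reset user password", "target": "carol@example.com", "detail": ""}
{"time": "2025-01-15T10:06:00", "actor": "alice@example.com", "action": "Update user", "target": "dave@example.com", "detail": "jobTitle"}
{"time": "2025-01-15T02:30:00", "actor": "svc-backup@example.com", "action": "Add service principal credentials", "target": "backup-app", "detail": ""}
"""


def parse_log(raw):
    """Parse newline-delimited JSON into a list of records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def review(records, approved=APPROVED_ADMINS, window=CHANGE_WINDOW):
    """Return (time, actor, action, reasons) for each high-risk record that breaks a rule."""
    findings = []
    for r in records:
        if r["action"] not in HIGH_RISK_ACTIONS:
            continue
        reasons = []
        if r["actor"] not in approved:
            reasons.append("actor not an approved administrator")
        hour = datetime.fromisoformat(r["time"]).hour
        if not window[0] <= hour < window[1]:
            reasons.append("outside change window")
        if r["action"] == "Add member to role":
            if r["detail"] in PRIVILEGED_ROLES:
                reasons.append("privileged role assigned")
            if r["actor"] == r["target"]:
                reasons.append("self-assignment")
        if reasons:
            findings.append((r["time"], r["actor"], r["action"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for time, actor, action, reasons in review(parse_log(RAW_LOG)):
        print(f"{time}  {actor:24} {action:36} {reasons}")
```

Of the five records only three survive the filter: a routine, in-hours role change by an approved administrator is dropped, while a late-night self-grant of Global Administrator, a password reset by someone who is not on the admin list, and a service account adding credentials at 02:30 are each reported with the rules they broke.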
Privileged Access Management
These solutions move beyond simply giving users granular permissions to implementing a time-based and request-based system, which means that if someone wants to use one of their special privileges it must be granted for a defined period and, often, must be specifically requested and approved. Of course, this adds a time overhead to the task, and the approvals process needs to be designed in such a way as to minimise the chance of being bypassed by a pair of threat actors working together (one requesting, one approving); however, it inevitably includes auditing functionality to help identify any co-conspirators for further action.
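To make the request, approve and expire cycle concrete, here is an added, deliberately minimal Python model of a just-in-time privilege broker. It is illustrative code written for this article and not a real PAM product; the approver list, the maximum grant duration and the privilege names are assumptions. It enforces the two controls the paragraph calls for: a requester can never approve their own request, and every grant expires, with the requester/approver pairs kept in an audit trail for collusion review.

```python
from collections import Counter
from datetime import datetime, timedelta


class PamError(Exception):
    """Raised when a request or approval breaks policy."""


class PrivilegeBroker:
    """Illustrative just-in-time privilege broker: request, separate approval, timed expiry, audit trail."""

    def __init__(self, approvers, max_duration=timedelta(hours=2)):
        self.approvers = set(approvers)
        self.max_duration = max_duration
        self.requests = {}
        self.audit = []           # (timestamp, event, request id, actor, privilege)
        self._next_id = 1

    def request(self, user, privilege, duration, justification, now):
        if duration > self.max_duration:
            raise PamError("requested duration exceeds the policy maximum")
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = {"user": user, "privilege": privilege, "duration": duration,
                              "justification": justification, "status": "pending", "expires": None}
        self.audit.append((now, "request", rid, user, privilege))
        return rid

    def approve(self, rid, approver, now):
        req = self.requests[rid]
        if approver not in self.approvers:
            raise PamError("approver is not authorised")
        if approver == req["user"]:
            raise PamError("a requester cannot approve their own request")
        if req["status"] != "pending":
            raise PamError("request is not pending")
        req["status"] = "approved"
        req["expires"] = now + req["duration"]
        self.audit.append((now, "approve", rid, approver, req["privilege"]))

    def is_active(self, user, privilege, now):
        """True only while an approved grant for this user and privilege has not expired."""
        return any(r["user"] == user and r["privilege"] == privilege
                   and r["status"] == "approved" and now < r["expires"]
                   for r in self.requests.values())

    def pair_counts(self):
        """Requester/approver pairs from the audit trail; a pair that recurs often deserves a look."""
        requester = {rid: actor for _, ev, rid, actor, _ in self.audit if ev == "request"}
        return dict(Counter((requester[rid], actor)
                            for _, ev, rid, actor, _ in self.audit if ev == "approve"))


def run_example():
    """Constructed scenario: bob (an approver himself) asks for one hour of Global Administrator."""
    broker = PrivilegeBroker(approvers={"alice", "bob"})
    t0 = datetime(2025, 1, 15, 9, 0)
    rid = broker.request("bob", "Global Administrator", timedelta(hours=1), "CHG-0001 (constructed)", t0)
    blocked = []
    for approver in ("bob", "carol"):          # self-approval, then an unauthorised approver
        try:
            broker.approve(rid, approver, t0)
        except PamError as err:
            blocked.append(str(err))
    broker.approve(rid, "alice", t0 + timedelta(minutes=5))
    return {
        "blocked": blocked,
        "active_at_30_min": broker.is_active("bob", "Global Administrator", t0 + timedelta(minutes=30)),
        "active_at_70_min": broker.is_active("bob", "Global Administrator", t0 + timedelta(minutes=70)),
        "pairs": broker.pair_counts(),
    }


if __name__ == "__main__":
    print(run_example())
```

Note that bob is on the approver list and still cannot approve his own request: separation of duties is checked per request, not per role. The `pair_counts` view is what you would sort by when looking for the “one requesting, one approving” pattern the paragraph warns about.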
Time Critical “Off-Boarding”
This is especially important when a member of the IT department who has enhanced access is leaving the firm. It is good practice to reduce the level of access the member of staff has as soon as their notice period starts. Any IT personnel with administrator access must have their accounts removed immediately on completion of work (seconds after logging out is best practice). Another significant challenge with IT teams is they often know the details of “common” global administration accounts or service accounts used for automation. These accounts are often a security loophole and a register of all of them should be kept (without passwords!) so that, in the event of a change of staff, all the passwords can be updated.
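As an added example rather than anything from the article, the Python below turns the off-boarding points above into a dated action plan: privileged roles are removed at the start of the notice period, the account and its sessions are disabled on the last day, and every shared or service credential the leaver knew is rotated. The register format (with no password field, by design), the role names and the leaver details are constructed.

```python
from datetime import date

# Constructed register of shared and service accounts. It records who knows each
# credential so that a leaver triggers rotation; by design there is no password field.
SHARED_ACCOUNT_REGISTER = [
    {"name": "svc-backup", "purpose": "nightly backup job", "owner": "it-ops", "known_by": {"bob", "carol"}},
    {"name": "break-glass-admin", "purpose": "emergency tenant access", "owner": "it-manager", "known_by": {"bob"}},
    {"name": "svc-scanner", "purpose": "vulnerability scanner", "owner": "it-ops", "known_by": {"carol"}},
]

# Roles to strip at the start of the notice period (names borrowed from Entra ID for realism).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}


def validate_register(register):
    """Return the names of any entries that appear to hold a secret; the register must contain none."""
    forbidden = {"password", "passwd", "secret", "key"}
    return [e["name"] for e in register if forbidden & {k.lower() for k in e}]


def offboarding_plan(leaver, roles, notice_start, last_day, register):
    """Build a dated list of off-boarding actions, earliest first."""
    plan = []
    for role in sorted(roles & PRIVILEGED_ROLES):
        plan.append((notice_start, f"remove role {role} from {leaver}"))
    plan.append((last_day, f"disable account {leaver} and revoke active sessions"))
    plan.append((last_day, f"retrieve devices and remove remote-access entitlements for {leaver}"))
    for entry in register:
        if leaver in entry["known_by"]:
            plan.append((last_day, f"rotate credential for {entry['name']} (owner {entry['owner']})"))
    return sorted(plan)


def run_example():
    """Constructed leaver: bob, an administrator, working a notice period from 6 to 31 January."""
    plan = offboarding_plan("bob", {"Global Administrator", "Helpdesk Administrator"},
                            date(2025, 1, 6), date(2025, 1, 31), SHARED_ACCOUNT_REGISTER)
    return [(d.isoformat(), action) for d, action in plan]


if __name__ == "__main__":
    assert not validate_register(SHARED_ACCOUNT_REGISTER), "register must not hold secrets"
    for day, action in run_example():
        print(day, action)
```

For an abrupt termination of the kind the British Museum incident involved, pass the same date for `notice_start` and `last_day`: every action then falls due at once, and the plan still gives the person doing the work an ordered checklist to confirm back against, which is exactly the confirmation the article asks an external provider to give.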
As always in IT, there is a trade-off between functionality and security – increase one and you reduce (or, at least, complicate) the other. However, as the British Museum found out, not having well designed and implemented processes in place might have meant a short-term gain in terms of time, but the loss of visitor revenue and the public shaming of losing access to systems offset that gain very quickly.

Matthew Riches
07777 597 025