It’s not your laptop
Welcome to the age of bonuses, benefits and rewards for mediocrity! We have come to expect a lot from our employer. Consequently, as well as expecting a hefty bonus, most candidates expect a new laptop as part of a a job package. The truth of the matter is that your company laptop really doesn’t belong to you at all. Even the most laid-back boss should realise that your laptop is just a tool to carry out your daily duties. Given the average staff turnover, companies wouldn’t survive if every new member of staff was given a brand new laptop. And, what would you do with the old ones!
This sense of entitlement extends into the realm of local access control. Most employees think it’s their right to install software and make unsanctioned changes on their corporate owned device. As the IT guy in numerous organisations, I’ve witnessed the look of utter disgust at even the remote suggestion of removing local admin privileges from users that simply don’t need it. To remove an employee’s access rights is the ultimate insult; a slap in the face by an untrusting boss! A pragmatist would surely disagree? How often do you really need to invoke those privileges? Do you really need to install additional software to carry out your job effectively? When you consider these questions, surely you would conclude that you don’t need elevated privileges at all. On the rare occasion new software is needed, a formal request would achieve this without any real disruption.
Why would you need additional software?
There are some genuine circumstances where you would need additional software. You may have additional learning needs and require some specialist software to carry out daily tasks effectively. Also, there may be a piece of software, which will increase productivity or streamline certain processes. In these instances, a formal request should be made to the appropriate authority. The decision for the adopting new software should follow a strict control process, where certain criteria is met. Is it secure? Is it compatible with the IT system. Will it be cost effective. Are there any known issues with the software, etc. Installing additional software should be treated as a project and therefore, not simply installed without due consideration.
Do you really need access?
Therefore, considering the facts there is no justified business need to have local admin access on your device. In fact, for day-to-day tasks nobody should be logged on as a local administrator; not even the authorised individual.
What is least privilege access?
The way least privilege access works is for all users to have a standard user account with no local user admin privileges at all. Authorised users would be given a second user account with local user admin privileges. The second admin user account would be used purely for authenticating administrative tasks and not to log on.
How does it work?
It’s a very simple concept. If a hacker does manage to gain access to your device, they will be limited by the same user access level as the current logged on user. This prevents them from making configuration changes and installing malicious software on your device. Similarly, an accidental click on a malicious link in an email will get no further than a login prompt and render the underlying executable file useless.
Make a difference
It is time that we all start adopting simple techniques such as this, along with some accompanying policies and processes. To support your company in this strategy, change your mindset from thinking that your company laptop is yours and realise that it is purely a tool to carry out your job. Therefore, you should never need to make unsanctioned changes to it. Be the pragmatist and don’t take offence!
You could save thousands!
This is one of many techniques available to help prevent the most basic cyber crime. It accounts for a large percentage of the overall number of successful cyber attacks in the UK. According to the Cyber Security Breaches Survey 2022, 39% of UK businesses identified a cyber attack within a 12-month period. It also suggests that less cyber mature organisations are underreporting, meaning that the statistics are likely to be underestimated. In addition to the obvious damage to reputation (another reason for underreporting), the approximate cost to small organisations is £4200. This figure is close to £20k for medium to large businesses.
Lead by example
Provided that you stick to the rules simple techniques, such as least privilege access could actually prevent expensive data loss. Your laid-back boss might change tack when faced with costs of thousands of pounds just to avoid an awkward conversation. Every organisation should have policies in place to help mitigate risks and User Access Control should be no exception. Having the rules, that each person should abide by, clearly laid out in a policy should prevent awkward conversations. The boss and indeed the authorised IT staff should lead by example. It’s much easier to explain and minimise distrust if everyone’s involved.
Cyber Essentials Certification
Gaining Cyber Essentials certification is an excellent way to ensure that you’re adopting these techniques and preventing a high percentage of cyber-attacks. Remson IT Support and Security Services offers a comprehensive audit and remediation service to help you gain Cyber Essentials Certification. You will be better placed to defend yourself against common online cyber threats and cement your trust with your clients. You’ll have a positive effect on the cyber-crime statistics and help eradicate common online threats once and for all.
Book a FREE Cyber Essentials Readiness Assessment now and start your journey towards a secure business.
For more information or to book your FREE assessment go to our Consultancy page or email us [email protected]. Use the advice in the article and adopt this technique before taking the assessment, it will really improve your score!