It's been a busy year in the cyber security arena so far, and it doesn't look like the pace will be slowing down. From hacking schemes like Heartbleed to significant data breaches at P.F. Chang's and the Montana Health Department, criminals are stepping up their game. But as organizations adapt their security strategies in kind, there is one key stakeholder who often goes unnoticed: the end user.
Most of the next-generation attacks we see today have external origins; however, they are often exacerbated by people within the organization, particularly users with administrative privileges. This is because once malware makes its way to endpoints, it doesn't just seek admin privileges, it requires them to embed itself in IT systems and propagate across machines, causing destruction over the entire organization.
While full removal of admin rights seems to be the obvious solution, it introduces significant implications for end user productivity. Users often require admin rights to do their jobs, even for the simplest tasks, like downloading software or connecting to a printer. For IT organizations in particular, restricting admin rights presents users with a major roadblock to effectively (and happily) completing their tasks.
So, organizations are faced with a seemingly impossible trade-off: should security be optimized at the expense of the user?
Let's say that security is top priority, as it is for most enterprises, and the organization decides to restrict admin privileges on its systems. Pushback from frustrated users is to be expected, but the restriction also impacts the IT department. When users' rights are removed and they're forced to go through formal processes for application or software downloads, it places a greater burden on the help desk, which then has to explain these processes and support the users throughout. Adding to this is the financial burden of those unnecessary service desk visits.
Organizations should strive to find a middle ground: a way to administer control over their systems while at the same time providing users with flexibility in their roles and a positive working experience for everyone involved. Let's look at a couple of ways this can be achieved.
Least privilege management
Instead of full removal, a least privilege environment can be established where users' rights to download applications or make changes to corporate machines are limited to those necessary for the scope of their job. This means that privileges are assigned to applications instead of users, and elevated only when needed. With least privilege, employees can log into systems as a standard user instead of an admin user, which prevents attackers from gaining access to privileged accounts and makes it more difficult for malware to take control.