User access review best practices
Just because you can do something doesn’t mean you should, and user access reviews exist to make sure that most people cannot. Let’s say you work for a large enterprise (like a financial institution) with a high-profile client (a Grammy-winning musician) who trusts your company with their personal information (like financial records). This artist’s home address, financial history, and bank account number are all within your reach. Just because you can access this information doesn’t mean you should. However, some people’s moral compass doesn’t point north, and they will take advantage of this type of situation for a variety of reasons. They could just be nosy and want to snoop. They could be huge fans who want to see how close they can actually get to the musician. Or, at the very worst, they could want to leverage this information to cause harm to the musician or the organization. This risk is why user access reviews are critical to any organization’s data management and security practices. Let’s dive into what a user access review is, the risks of not conducting them, and user access review best practices.

A user access review looks at who is accessing what, what level of access they have, and whether they have a valid reason for those access rights. This goes for all parties within an organization: employees as well as third parties and contractors. If access is not reviewed periodically, privileged access can fall into the hands of bad actors, whether on purpose or by accident. The risks of the wrong person having access can be great and potentially disastrous for an organization and its reputation.
Risks of inappropriate user access
There are inherent risks introduced when a user has access to a system, program, app, or network that they shouldn’t.
- Privilege abuse - Sometimes employees or third parties are given too much access, and they can take advantage of that access, whether maliciously or unintentionally. In the 2021 Ponemon Institute report on third-party security, 74% of those surveyed cited granting too much privileged access to a third party as the source of cyberattacks. On the other hand, according to the Verizon 2021 Data Breach Investigations Report, 17% of data breaches are caused by miscellaneous human error. Either way you slice it, too much access can lead to a breach of private data and a breach of trust between your organization and its customers.
- Employee or third-party termination - If an employee or third party is terminated but their access rights aren’t removed, they could still have access to large amounts of sensitive information, even after they’ve left the company. And if the departure isn’t pretty, a resentful grudge makes for great motivation for a former employee or vendor rep to take advantage of those active credentials during that termination gap.
- Licensing costs - Organizations that don’t keep track of users who have access to certain systems are at risk of spending more money than they need to on system licenses and accounts. Depending on the type of system, one license could cost hundreds of dollars. If Sally in Accounting doesn’t need an Adobe Photoshop license, she shouldn’t have one. Make sure the right people have access to the systems they need - and nothing more.
User access review best practices
To mitigate these risks and keep your access management routine efficient and secure, it’s in your organization’s best interest to conduct periodic user access reviews. And if you don’t have regular user access reviews in place already, here are some user access review best practices to help you set up an efficient process. Be sure to also download our user access review checklist to keep as a handy reference.
Develop a user access review policy
Developing a user access review policy is crucial for any organization’s security. A thorough policy can save an organization time and money while mitigating cybersecurity risks and protecting sensitive information. It’s best to treat policy development as the information-gathering stage of the process, with a lot of asking questions and finding answers. The main information to gather: who has access to what, which information most needs protecting, who and what is most vulnerable to risk, and what software exists to mitigate those risks. The development of a user access review policy should always be geared toward a Zero Trust policy, meaning a policy that allows users only the bare minimum of access needed for their job duties. It’s a data-centric model that applies the concept of least privileged access to every access decision.
Create a formalized user access review procedure
Once your organization has determined a user access review policy that fits both business and cybersecurity needs, the next step is to create a formalized user access review procedure. This procedure will need to involve regular audits of user access, so that there is always a record. The best user access review procedures include:
- A consistent review schedule
- A consistent review of who has what user access permissions
- A record and ongoing document of all changes made within your organization’s system
- A regular check on employees’ current permissions to ensure they are appropriate
- A system that makes sure the right managers and administrators are handling these reviews
In addition, any formalized user access review procedure should implement both role-based access control and least privilege, or Zero Trust, access. While creating this procedure can seem like a lot, there are a variety of software programs that can guide an organization.
Implement role-based access control and least privileged access
One of the safest and most fundamental practices of cybersecurity is implementing least privileged access. This IT security design principle restricts access rights and program privileges to only those necessary for the job at hand. It’s the difference between having a key that works on every door and one that only opens certain rooms. When distributing those keys to users across your organization, you also need to practice role-based access control, meaning that the keys (or access permissions) are given to users based on their role and responsibilities. For example, an employee in the Accounting department likely needs access rights to programs like Microsoft Office, QuickBooks, and Salesforce - the ones needed for the job. While they might also need access to Adobe Acrobat, they don’t need access to every program in the Adobe suite, like Photoshop. This is where least privileged access and role-based access control work hand in hand.
Grant temporary, not permanent, user access
Automatically granting and removing access based on user activity and employment status is one of the best ways an organization can protect valuable and sensitive information. The Colonial Pipeline breach, which crippled the oil pipeline system and cost the company almost $5 million, was caused by an old VPN and a hacked password. Crucial to implementing Zero Trust Architecture is using only temporary access that stops after a given time has expired or after an individual has gathered only the information they need for a given task. Temporary access not only protects against the risk of internal users having too much access and possibly taking advantage of it, but it also protects against outside threats that try to get into the organization through its employees. If you deny all access until it’s absolutely needed, you eliminate risk and protect information from bad actors and inappropriate access. Just as SecureLink Access Intelligence makes it easy to review user access, SecureLink Enterprise Access helps ensure a Zero Trust system for internal and external users.
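The procedure checklist above, the role-based and least-privilege section, and this section on temporary access all describe the same review loop: compare every active grant against the user's role, employment status and expiry date, and flag what doesn't belong. The following Python script is an added illustration of that loop, not code from the original post or from any SecureLink product. The users, systems, role entitlement matrix, dates and severity labels are all constructed for the example; a real review would pull the directory, the grant list and the role matrix from HR, IAM and the managers who own each role.

```python
"""Constructed example of a scripted user access review.

Added illustration, not code from the original post or a SecureLink product.
All users, systems, role entitlements and dates below are made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    username: str
    role: str
    active: bool = True          # False once HR marks the person as departed
    third_party: bool = False    # contractor / vendor account


@dataclass
class Grant:
    user: str
    system: str
    expires: Optional[date] = None    # None = standing (permanent) grant
    last_used: Optional[date] = None  # None = never used


# Role-based entitlement matrix: the systems each role legitimately needs.
# Hypothetical values; in practice the managers who own each role supply this.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounting": {"office365", "quickbooks", "salesforce", "acrobat"},
    "marketing": {"office365", "salesforce", "photoshop"},
    "contractor-dba": {"prod-db-readonly"},
}

Finding = Tuple[str, str, str, str]  # (severity, user, system, reason)


def review_access(users: List[User], grants: List[Grant], today: date,
                  stale_after_days: int = 90) -> List[Finding]:
    """Compare every grant against role, status and expiry; return findings."""
    by_name = {u.username: u for u in users}
    findings: List[Finding] = []
    for g in grants:
        u = by_name.get(g.user)
        if u is None:
            findings.append(("high", g.user, g.system, "grant for an account not in the user directory"))
            continue
        if not u.active:
            # The termination gap: access left behind after departure.
            findings.append(("high", g.user, g.system, "account is terminated but access is still active"))
            continue
        # Least privilege / RBAC: flag anything outside the role's entitlements.
        if g.system not in ROLE_ENTITLEMENTS.get(u.role, set()):
            findings.append(("medium", g.user, g.system, f"not an entitlement of role '{u.role}'"))
        # Temporary access: expired grants must be revoked, not merely noted.
        if g.expires is not None and g.expires < today:
            findings.append(("high", g.user, g.system, "temporary grant is past its expiry date"))
        # Third parties should only ever hold time-limited access.
        if u.third_party and g.expires is None:
            findings.append(("medium", g.user, g.system, "third-party grant has no expiry"))
        # Licensing: unused entitlements are candidates for reclaim.
        if g.last_used is None or (today - g.last_used).days > stale_after_days:
            findings.append(("low", g.user, g.system, f"not used in {stale_after_days} days; reclaim license"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so reviewers can prioritise."""
    counts: Dict[str, int] = {}
    for sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample population for a review dated 2024-06-01.
SAMPLE_USERS = [
    User("sally", "accounting"),
    User("marco", "marketing"),
    User("vendor1", "contractor-dba", third_party=True),
    User("former", "accounting", active=False),
]
SAMPLE_GRANTS = [
    Grant("sally", "quickbooks", last_used=date(2024, 5, 28)),
    Grant("sally", "photoshop", last_used=date(2024, 1, 10)),      # outside role, unused
    Grant("marco", "photoshop", last_used=date(2024, 5, 30)),
    Grant("vendor1", "prod-db-readonly", expires=date(2024, 4, 30), last_used=date(2024, 4, 20)),
    Grant("former", "office365", last_used=date(2024, 2, 20)),     # terminated user
    Grant("ghost", "salesforce"),                                   # no matching user
]
REVIEW_DATE = date(2024, 6, 1)


def run_sample_review() -> List[Finding]:
    """Run the review over the constructed sample and return its findings."""
    return review_access(SAMPLE_USERS, SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    results = run_sample_review()
    for sev, user, system, reason in sorted(results):
        print(f"{sev:6} {user:8} {system:18} {reason}")
    print(summarize(results))
```

Run as a script, it lists five findings for the sample: three high (a terminated account still holding access, an expired vendor grant, and a grant with no matching directory entry), one medium (Sally's Photoshop entitlement outside the accounting role) and one low (that same unused license). The point of the structure is that each check maps to one of the risks the post names, so a reviewer can hand the "high" rows to IT for immediate revocation and the "medium" and "low" rows to the managers who own the roles.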
Get the right people involved
In most cases, the IT team is responsible for distributing system access to users. And while we’re grateful for that, we acknowledge that they aren’t always the best ones to make the call on which users should access which systems. Managers, people leaders, and supervisors will have a much better idea of which individuals need access to which programs. A CFO will know that an accountant doesn’t need the full Adobe suite, and the marketing manager will know exactly who needs access to Photoshop. The network and system administrators aren’t mind readers - and they shouldn’t be responsible for assigning and reviewing user access. Make sure the correct managers are responsible for reviewing user access permissions and assigning them to individuals based on their roles.
Educate your staff
In theory, getting the right people involved should solve all user access review problems, but we know that communication between departments and individuals isn’t always crystal clear. Ideally, there would be clear communication between leadership and IT as to which individuals should be permitted certain access. Since this protocol is likely not in your organizational structure, it will take employee training to educate your staff on how best to review user access rights. This involves implementing new practices of communication between teams, like timely turnover notifications, monthly access audits conducted by leaders, and updated reports to IT/systems administrators when changes need to occur. User access review programs are built to run these processes automatically and save your company the laborious manual work of auditing and reporting.

When leadership prioritizes the security of a company, its employees, and its customers, it creates a ripple effect of accountability and security throughout the entire organization. Establishing these user access review best practices gets you one step closer to regaining control over your access rights. Many companies have lost control over this, and it shows in their disorganization, inability to meet audit requirements, and ultimately, the cyberattacks they incur. While it may take time to break the current cycle of user access management, it’s worth the extra effort to protect your organization from the risks associated with a lack of control over user access rights. And if the effort seems too overwhelming for IT/security/systems teams (who already deal with hundreds of daily requests), user access review processes can be automated and streamlined with machine learning and artificial intelligence solutions that are built to manage access rights.
These programs are specifically designed to audit access permissions and changes, pull audit reports so you don’t have to manually create them, and send access request notifications to the correct team members. There are even systems that track external access as well so you know which third parties/contractors/vendors are using which systems, how much access they need, and what they are doing while accessing your network. If this kind of solution sounds too good to be true - it’s not.