Your Top Cybersecurity Risk

Do you know who in your organization has administrator privileges and doesn’t? Managing administrator privileges is a critical part of effective cybersecurity.
Discover more

Admin Privileges: Your Top Cybersecurity Risk

Do you know who in your organization has administrator privileges and doesn’t? Managing administrator privileges is a critical part of effective cybersecurity.

Pop quiz: who is considered an administrator in your business’ IT?

The answer, if you don’t know it, may surprise you.

Often, administrator privileges are given to anyone and everyone. By default, it’s considered the simplest way to set up new user accounts, as it ensures they can access everything they need without bothering a superior or contacting the IT team.

You may not realize that this is a serious threat to your cybersecurity.


What Are Administrator Privileges?

At their most basic, administrator privileges give users the ability to make major changes to a system, typically an operating system. They can access any and all files, change other users’ access rights, install new programs, disable security features, and more.

Are you starting to see why not everyone should have administrator privileges?

The Danger Of Over-Shared Administrator Privileges

The fact is that misuse of privilege is often one of the most common ways for cybercriminals to penetrate a network.

Hackers regularly take advantage of this highly common unsafe business practice by tricking a user with administrative privileges to download and run malware or by elevating privileges on a compromised non-admin account.

How To Effectively Manage Administrator Privileges

Limit Provision Of Administrator Privileges

Make sure to limit administrative privileges to those who require them.

The fact is that the common business user should not require administrative privileges to do their job—whether that’s for installing software, printing, using common programs, etc.

Track And Manage User Accounts

You need to have a carefully implemented process to track the lifecycle of accounts on your network:

  • Follow a careful process for how accounts are created for new members, how their security is maintained and verified throughout their life, and how they are removed when no longer needed.
  • Implement secure configuration settings (complex passwords, MFA, etc.) for all accounts.
  • Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity

Maintain A Strict Password Policy

Weak passwords are a common vulnerability exploited by cybercriminals. That’s why it’s so common that passwords are required to include uppercase letters, lowercase letters, numbers, and special characters.

However, recent guidance from the National Institute of Standards and Technology (NIST) advises that password length is much more beneficial than complexity. Consider using a passphrase when you combine multiple words into one long string of characters instead of a password. The extra length of a passphrase makes it harder to crack.

Protect Admin Accounts

Once you’ve limited privileges to only a few members of the organization, make sure their accounts have the right protections in place—complex, long passwords, multi-factor authentication, configure alerts for unsuccessful log-ins, and limit administrative actions to devices that are air-gapped from unnecessary aspects of your network.

Again, this control examines how different parts of your infrastructure are accessible by one another. The fact is that cybercriminals often gain access to sensitive data by first breaking into a much less critical part of the network. If those two parts were properly segmented via a DMZ, firewall, etc., they wouldn’t be able to.

Classify & Track Your Data

Simply classify your data for easy organization:

  • Level 1: Data for public consumption. Data that may be freely disclosed.
  • Level 2: Internal data not for public disclosure.
  • Level 3: Sensitive internal data that could affect the company if disclosed.
  • Level 4: Highly sensitive corporate, employee, and customer data.

Maintain an inventory of who has access to which levels of data and audit why that is necessary for the function of their role in the organization. Also, keep track of “stale data”—that is, data that hasn’t been accessed in some time. It should be archived and removed from your systems.

Don’t Give Administrator Privileges To Those Who Don’t Need It

The reality is that most of your staff members don’t need administrator privileges to do their jobs. Giving them to all users by default is simply an unnecessary security risk.

Make sure to audit your users and double-check that everyone has the “least privilege”; any given user should only have the degree of access required to do their job.