The Plain English Guide To: User Access Control


When it really comes down to it, running a business is all about people.

The only problem?

Even with the best will in the world, people can be a little bit unpredictable. And unpredictability is not something you need in a business.

In a world where all companies are relying more and more heavily on technology and IT infrastructure, having the confidence to know that your user access policies are water-tight can give you real peace of mind.

In this Plain English guide, a companion piece to our Cyber Essentials checklist, we’re going to take a deeper dive into user access control and discover exactly how it can help you gain the confidence – and control – you need to grow your team and your business.

Let’s get started.

What is User Access Control?

Cybersecurity is more important than ever before. As businesses grow more reliant on technology, so too does the number of potential vulnerabilities. In fact, according to a report by Hiscox, a small business in the UK is successfully hacked every 19 seconds.

That’s the kind of stat that makes you sit up and take notice.

As we discussed in our IT checklist, there are plenty of ways to keep your business safe, and one of the major focus areas is user access control. In a nutshell, this refers to the way you manage the users inside your network, the permissions they’re granted, and the access they have to your data and services.

User Access Control is one of the five controls (essentially a set of recommendations) provided by the government as part of its Cyber Essentials scheme to help businesses improve their IT security.

Want to know more about the five controls in the Cyber Essentials scheme? We’ve got you covered. Find them all in the first part of our handy Cyber Essentials checklist.

Best practices for user access control – 6 top tips for businesses

Before we dig into the details, here’s a quick question: would you be willing to hand your housekeys to a random person on the street? Or even just leave your front door unlocked all day long?

If you’re like most people, your answer will be a firm ‘no’ – and the very same logic applies to user access control in your business. Every time you add a user to your internal network, you’re opening yourself to a small amount of risk. Whether that’s human error or a coordinated cyberattack, you must think of your user access control policies as the keys to your business.

Here’s how to keep them safe and sound.

#1: Establish a secure account policy

The first port of call for any user access control policy is to ensure that permissions are assigned appropriately. After all, it’s usually not wise to give a temp access to the payroll files on their first day.

To avoid any potential breaches through lack of permission control, you should ensure that you have policies in place for both administrative users and standard users. Essentially, if a user doesn’t specifically need admin privileges to carry out their job, it’s far safer not to enable them for that account.

Here’s what the government guidelines state on the Cyber Essentials website:

“Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled.”

#2: Manage your software installation policy

Another potential hole in your company security is insecure or unsigned software.

Through no malintent on their part, it’s always possible that your employees might install malware which could expose your network to serious risk. With more of us using browser extensions and installing smartphone apps, the so-called ‘surface area’ for attacks like this is increasing all the time.

But don’t worry – there are plenty of solutions.

One of the quickest to implement is a group user policy restricting the ability to install any third-party software on in-office machines. You can always create a list of approved software to give you the peace of mind of knowing only specific software can be installed within your network.

#3: Make your passwords as secure as possible

Sometimes, the smallest things can have the biggest impact.

Consider passwords: more of us than would likely admit it re-use the same password on multiple accounts. In fact, according to a 2018 study, a whopping 50% of us do exactly that.

Beyond the issue of re-use, the passwords we do choose are often picked for easy recall, which also makes them relatively easy to brute-force. So, what’s the solution? How can you ensure your team uses passwords which are safe and secure?

Thankfully, you do have a couple of options here.

First, you can implement internal password policies across the board requiring users to create passwords based on a secure convention that you approve (three random words intermingled with numbers, for example). Second, you could mandate that all staff use a password manager app to secure all of their work-related accounts.
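To show what enforcing the first option looks like in practice, here is an added example (not code from the original guide or from Get Support) that checks a candidate password against the "three random words intermingled with numbers" convention and against a small constructed list of known or previously used passwords. The 14-character minimum is an assumption; the guide gives no number.

```python
import re

# Constructed stand-in for passwords already seen in breaches or re-used inside
# the company; in practice this comes from a breach corpus or a password-manager
# audit, not a hard-coded set.
KNOWN_BAD = {"password123", "letmein", "summer2024", "welcome1"}

WORD = re.compile(r"[A-Za-z]{4,}")  # a "word" here means four or more letters
MIN_LENGTH = 14                      # assumed minimum; the guide gives no number


def check_password(candidate: str, known_bad=KNOWN_BAD) -> list[str]:
    """Return the reasons a password fails the three-words-with-numbers
    convention; an empty list means it passes."""
    reasons = []
    if candidate.lower() in known_bad:
        reasons.append("matches a known or previously used password")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    matches = list(WORD.finditer(candidate))
    words = [m.group().lower() for m in matches]
    if len(words) < 3:
        reasons.append("fewer than three words of four or more letters")
    if len(set(words)) < len(words):
        reasons.append("repeats a word")
    digit_positions = [i for i, ch in enumerate(candidate) if ch.isdigit()]
    if not digit_positions:
        reasons.append("contains no digits")
    elif len(matches) >= 2:
        # "Intermingled" means the digits sit between the words, not just
        # tacked on the end like the classic 'word1' pattern.
        first_end, last_start = matches[0].end(), matches[-1].start()
        if not any(first_end <= i < last_start for i in digit_positions):
            reasons.append("digits are not placed between the words")
    return reasons
```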

#4: Set up device-based authentication

It’s only natural that some businesses will require different levels of security than others. If, for example, you’re working on high-level government contracts (or want to), you’re probably going to want security that’s as good as it gets.

It’s here that advanced options like device-based authentication come in very useful. As the name suggests, this works by allowing only certain devices into a network at all. If someone tries to access your network using a device which isn’t approved, the door stays locked. It’s really an “If your name’s not down, you’re not coming in” type of solution.

If this level of security is important to you, you’ll want to consider a Microsoft 365 option which includes a Microsoft EMS (Enterprise Mobility + Security) license.

The best part is that a license like this also unlocks a wide range of other security features you can make use of, like Microsoft Intune, which allows your team to securely use their own smartphones for work – even if sensitive data is involved.

#5: Take full advantage of Multi-Factor Authentication

We’ve talked about Multi-Factor Authentication (MFA) a couple of times on the Get Support blog, so let’s just focus on the big points here.

MFA is becoming a much more common means of protecting user accounts and it’s now available in a number of business software suites – including Microsoft 365 via Azure AD.

It also doesn’t need to be complicated. In fact, a simple two-factor approach of having your team approve their logins with their smartphone is enough to ward off the vast majority of cyber attackers. Don’t forget that they’ll generally target those with big holes in their security – even the smallest of measures can be a big deterrent. Path of least resistance, and all that.

#6: Limit access by IP address

One of the best ways to keep your IT security under control is to apply a geographical restriction to it. In the past, this might have meant stopping people from smuggling folders home in their briefcase – but how can you achieve it in the digital age?

One option is to restrict access based on IP address.

For the uninitiated, here’s a quick primer: whenever you connect to the internet, the device you’re using is assigned what’s known as an IP address to identify it on the network.

Most internet connections assign IP addresses dynamically, meaning they can change every time you reconnect. But many businesses choose to set up a ‘static’ (i.e. unchanging) IP address instead, and that brings with it a host of benefits – especially around security. With this setup, you’ll have the peace of mind of knowing that every device on the network has an IP address within a certain range.

From there, you can easily build a list of approved IP addresses. If someone, potentially a hacker, tries to access your network from an IP address which isn’t on this list, they can’t get in – and your network stays secure. It’s as simple as that.
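As an added illustration (not code from the original guide or from Get Support), the following applies an approved-address list to some constructed login records. The ranges use the RFC 5737 documentation blocks as placeholders for a business’s own static range, and the log format is made up; anything that is not a valid address is treated as unapproved rather than waved through.

```python
import ipaddress
from typing import Iterable

# Approved source ranges. Constructed placeholder values from the RFC 5737
# documentation blocks, standing in for a business's own static range.
APPROVED_RANGES = [
    ipaddress.ip_network("203.0.113.0/28"),    # office static range (constructed)
    ipaddress.ip_network("198.51.100.42/32"),  # one approved remote device (constructed)
]


def is_approved(source: str, ranges=APPROVED_RANGES) -> bool:
    """True only if `source` parses as an IP address inside an approved range.
    Anything that fails to parse is denied, so a malformed or missing address
    never falls through as 'unknown, therefore allowed'."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def review_logins(log_lines: Iterable[str]) -> dict:
    """Apply the allow-list to login records of the form
    'timestamp user source_ip result' (constructed format) and return counts
    plus the records that matter most for follow-up: successful logins from
    addresses that are not on the list."""
    summary = {"allowed": 0, "denied": 0, "unapproved_success": []}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing at them
        ts, user, src, result = parts
        if is_approved(src):
            summary["allowed"] += 1
        else:
            summary["denied"] += 1
            if result == "SUCCESS":
                summary["unapproved_success"].append((ts, user, src))
    return summary


# Constructed sample log lines
SAMPLE_LOG = [
    "2024-03-01T08:02:11 alice 203.0.113.5 SUCCESS",
    "2024-03-01T08:05:40 bob 203.0.113.17 SUCCESS",  # just outside the /28
    "2024-03-01T09:12:03 carol 198.51.100.42 SUCCESS",
    "2024-03-01T22:47:59 alice 192.0.2.77 FAILURE",
    "2024-03-01T23:01:10 admin not-an-ip SUCCESS",
]
```

Calling `review_logins(SAMPLE_LOG)` flags the two successful logins from outside the approved ranges, which are the entries worth investigating.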

How water-tight is your user access control policy?

With business taking place more and more in the digital realm, ensuring your user access controls are totally under control is more important than ever.

If you feel like your business has any potential gaps in your cybersecurity – whether around user access or anything else – the Get Support team is here to help. With decades of experience, our friendly team is always available to provide advice and practical help for building up your cybersecurity.

Want to learn how your company’s cybersecurity could be improved? Just give our team a call today on 01865 59 4000 and we’ll offer customised advice for your business – all in 100% plain English.
