So much of our work is digital now that it’s hard to think of an SME that wouldn’t be severely impacted by a cybersecurity breach. Whether it’s a bank account or social media account, it all matters.
Cybersecurity isn’t just for high-tech global corporations. In fact, a lot of fraudsters intentionally target SMEs precisely because they’re easier to access than potentially more lucrative businesses.
The good news is that it’s easy to set up some pretty robust cybersecurity – and it shouldn’t take a lot of technical expertise or time. User access controls are one of the most important measures you can implement straight away, so I’ve put together this guide to help you sort it quickly.
What are user access controls?
User access controls determine who can access certain information and make changes in your computer systems.
Managing these controls will protect sensitive information and reduce the risk of unauthorised access – from both inside and outside your business.
Why are user access controls important?
Think of it this way: you wouldn’t give every employee a key to your office drawers or a company car. That’s not because they aren’t trustworthy, but because there’s just no need. Unnecessary access creates layers of unnecessary risk.
Here are four reasons why user access controls matter.
1) Protect sensitive data
Some information in your business will be strictly confidential, like HR records or payroll data. Controlling access protects this all-important information.
2) Reduce risks
Data breaches aren’t always malicious, but can still be problematic. For example, an employee might access payroll records and commit no crime, but could then share private information about another employee’s pay. This kind of disruption can affect a company’s workplace culture and create unnecessary extra work for human resources staff.
3) Maintain compliance
“Everyone responsible for using personal data” has a legal obligation to implement proper access controls under the Data Protection Act 2018.
Specifically, the UK government’s summary of the Act’s data protection principles says personal data must be “handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.” Access controls are the most direct way to show you are protecting against unauthorised access.
4) Enhance accountability
Keeping track of who accessed what information and when creates a culture of accountability, something that’s vital for any SME.
Best practices for managing user access
So, we’ve looked at what user access controls are and why they’re important, but what do they actually look like in practice?
I’ll explain the basics of user access controls below and I’ll try to avoid making it overly technical.
Define roles and permissions
Roles and permissions are the building blocks of access controls. Roles are how you define different types of users, and permissions are the limits that you set for those roles.
Create user roles
Common user roles for SMEs are ‘admin’ (eg IT staff), ‘manager’ (heads of departments), and ‘employee’ (all other staff). When it comes to roles, keep it simple and try to avoid creating unique roles for individual employees.
Once you’ve settled on your roles, you’ll need to decide what each of them can access (their permissions) and at what level. Here’s what that might look like:
- Admin or full access: can create and delete files
- Edit: can make changes to files
- View-only or read-only: can only open files
- Restricted: can’t even open files
Least privilege principle
When setting access permissions, keep in mind the ‘least privilege principle’ – in effect, giving users the minimum level of access needed to do their job.
Being over generous with permissions ‘just in case’ can lead to unforeseen consequences.
Implement strong authentication
Access controls aren’t just for your internal IT systems, they also apply to your accounts with vendors, social media and other digital spaces, including your bank account.
To keep these accounts secure, there are a few simple steps you can put in place.
Use strong passwords
Passwords should ideally be at least 12 characters long. Length matters more than forcing a mix of letters, numbers and special characters, so a passphrase of three or four random words is a good pattern. Avoid common passwords (this report shares the 200 most common passwords) and check new passwords against lists like it. Don’t set rules that force regular password changes: the UK National Cyber Security Centre advises against routine expiry because it pushes people towards weaker, predictable passwords. Change a password when you suspect it has been compromised, not on a calendar.
Enable multi-factor authentication (MFA)
MFA requires users to provide two or more credentials to log in, like a password and a one-time code from an authenticator app or a hardware security key. Codes sent by text message are better than nothing, but they are the weakest option because phone numbers can be hijacked, so prefer an app or a key where the service supports it.
MFA can make a big difference in securing your systems. If you’d like more information about it, I’ve also written an article about MFA.
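To make the two steps above concrete, here is a small added example (not code from the original article) that checks a password against the policy described, then generates and verifies the kind of time-based one-time code an authenticator app produces (TOTP, RFC 6238, built on HOTP, RFC 4226). The `COMMON_PASSWORDS` set is a constructed stand-in for a real common-password list; the secret and timestamp used in the usage are the RFC 6238 test values.

```python
"""Password policy check plus TOTP generation and verification.

Added example, not from the original article. COMMON_PASSWORDS is a tiny
constructed stand-in for a real breached/common-password list; the secret
and timestamp in the usage block are the RFC 6238 test values.
"""
import hashlib
import hmac
import struct
import time

# Constructed stand-in: in practice load the full list you check against.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


def check_password(pw, min_length=12):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(pw)) < 4:  # catches 'aaaaaaaaaaaa' and similar
        problems.append("too repetitive")
    return problems


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code or one step either side (clock drift),
    comparing in constant time so a wrong guess leaks no timing information."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (never reuse this)
    print(check_password("password"))                    # two failures
    print(check_password("correct horse battery staple"))  # []
    print(totp(secret, at=59))                            # 287082 per RFC 6238
    print(verify_totp(secret, "287082", at=59))           # True
    print(verify_totp(secret, "000000", at=59))           # False
```

The verifier accepts one step either side of the current 30-second window, which is the usual tolerance for clock drift; widening it further makes guessing easier. In a real deployment the secret is generated per user, stored encrypted, and a code is accepted only once.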
Regularly review access rights
Setting access rights is just the first step in the process. People start and leave jobs or change roles and you’ll need to update their permissions.
If you think of your access permissions as security fences, setting a regular schedule for reviews is like doing a walkaround to check for holes and gaps.
Conduct audits
An audit is a scheduled review of your roles and permissions: who holds which role, and whether each role still grants only what the job needs. A quarterly schedule is suitable.
If you’ve had a period of high staff turnover, you might want to arrange an emergency audit. You might be surprised to see the gaps in your system after just a few months.
Update roles
As employees change roles, their access needs will change.
This is especially important if an employee changes teams. For example, if someone moves from HR to Marketing, you’ll need to make sure you remove their access to HR-specific private information.
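The roles, least-privilege default and access review described in the sections above, as one added example (not code from the original article). The role names, resources and sample staff are constructed to mirror the article’s admin / manager / employee roles and its full / edit / read / restricted levels; the HR-to-Marketing move and the access report are the checks a quarterly audit would run.

```python
"""Minimal role-based access control with least-privilege defaults and an
access review. Added example, not from the original article; roles,
resources and staff are constructed for illustration.
"""
from dataclasses import dataclass, field

# Levels ordered least to most powerful: a higher level implies every lower one.
LEVELS = {"restricted": 0, "read": 1, "edit": 2, "full": 3}

# Role -> {resource: level}. Anything not listed is implicitly "restricted",
# which is the least-privilege default: you grant, you never have to deny.
ROLE_PERMISSIONS = {
    "admin":      {"hr-records": "full", "payroll": "full", "marketing-assets": "full"},
    "hr-manager": {"hr-records": "edit", "payroll": "read"},
    "marketing":  {"marketing-assets": "edit"},
    "employee":   {"marketing-assets": "read"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True  # False once someone has left


def level_for(user, resource):
    """Highest level any of the user's roles grants on the resource."""
    best = "restricted"
    for role in user.roles:
        lvl = ROLE_PERMISSIONS.get(role, {}).get(resource, "restricted")
        if LEVELS[lvl] > LEVELS[best]:
            best = lvl
    return best


def can(user, action, resource):
    """Is `action` ('read', 'edit' or 'full') allowed on `resource`?"""
    return user.active and LEVELS[level_for(user, resource)] >= LEVELS[action]


def change_role(user, old_role, new_role):
    """Move someone between teams: revoke the old role, don't just add the new one."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def access_review(users, sensitive_resources):
    """Audit report: who can reach each sensitive resource and at what level,
    plus leavers who still hold roles (orphaned accounts)."""
    report = {"access": {}, "orphaned_accounts": []}
    for res in sensitive_resources:
        report["access"][res] = sorted(
            (u.name, level_for(u, res)) for u in users if can(u, "read", res)
        )
    report["orphaned_accounts"] = sorted(u.name for u in users if not u.active and u.roles)
    return report


if __name__ == "__main__":
    alice = User("alice", {"admin"})
    bob = User("bob", {"hr-manager"})
    carol = User("carol", {"employee"})
    dave = User("dave", {"marketing"}, active=False)  # left last month
    staff = [alice, bob, carol, dave]

    print(can(bob, "read", "payroll"), can(bob, "edit", "payroll"))  # True False
    change_role(bob, "hr-manager", "marketing")                       # moves to Marketing
    print(can(bob, "read", "hr-records"))                              # False
    print(access_review(staff, ["hr-records", "payroll"]))
```

Two design points worth copying: permissions hang off roles, never off individual people, so the review can list access by role; and `change_role` removes the old role explicitly, because the common failure is an employee who accumulates every team’s access over a career of moves.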
Use access management tools
It can be much easier to set up, manage and update user access controls with some specially built tools and software.
- Password managers
Password managers generate and store your passwords securely, so you don’t have to remember a dozen different bits of random characters.
They also encourage users not to reuse passwords and can alert you to potential account breaches outside of your organisation.
- Access control software
Consider investing in software that automatically manages user permissions. These tools can provide detailed logs of activity, simplifying your audits and monitoring.
Educate your team
Conduct regular training sessions to keep your employees informed about the importance of cybersecurity and safe practices.
You can cover topics like creating strong passwords, recognising phishing emails and handling sensitive information.
Simple steps to get started
If you’re feeling a little unsure about what to do next, the steps I’ve laid out below are a good way to start to get your access controls into shape.
Assess your current situation
- Make a list of all your sensitive information and where it’s stored.
- Review current access levels and identify any vulnerabilities. Check who has access to critical data and whether they still need it.
Implement changes gradually
- Start by updating passwords and enabling MFA. This can often be done quickly and with minimal disruption to your operations.
- Define roles and gradually introduce them, along with quick training sessions. Start with your most important files and systems.
Monitor and improve
- Keep a regular audit schedule and address issues as they come up. Use access logs and monitoring tools to keep an eye on user activity and detect any unusual behaviour.
- Stay up-to-date with cybersecurity threats and best practices.
A great first step
User access control best practices won’t make your SME immune to risks, but will do a lot to help you secure your systems.
Most importantly, remember that security is an ongoing process. Regular reviews, staying up-to-date with cybersecurity news and having at least one person dedicated to security will help you stay ahead of any threats.