Get Safe Online


Control access to critical information

Protect information with a need-to-know policy

Storing information on a central file server and managing who has access to which files is an important part of security for businesses.

Risks

  • Employees have unauthorised access to sensitive files such as payroll records or personnel information.
  • Sabotage, extortion or information theft.
  • If there are no access controls, a hacker with insider access can see every file.
  • Uninformed users are easy marks for social engineering. Restricting their access to information limits the damage that can be done.

What is access control?

Using a server computer, you can control who can access different files and folders, either on an individual basis or on a group basis. For example, Alex in accounts can see the payroll, or all members of the HR department can have access to personnel records.

Access control tips

  • Regularly review who has access to information and change access privileges as necessary.
  • Limit the number and scope of administrative users.
  • For consistency, allocate access on the basis of an individual’s role, not on a person-by-person basis. For example, employees in the accounts department might need access to the bookkeeping system, but the HR and Finance Directors need access to personnel records.
  • Each employee should have their own user ID. User IDs should be treated like office keys and not shared or compromised in any way.
  • Make sure that all computers attached to the network require a secure login and that they are all set to log out automatically if left unattended for more than a few minutes.
  • Delete users’ access privileges once they stop working for the company.
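
An added example, not part of the original Get Safe Online page: a periodic access review that applies the tips above to an export of folder permissions. The role map, staff list, grants, admin list and admin limit are all constructed sample data, and the function name is hypothetical.

```python
# Constructed sample data; every name and value below is an assumption.
ROLE_ACCESS = {            # role -> folders that role needs
    "accounts": {"bookkeeping", "payroll"},
    "hr": {"personnel"},
    "director": {"personnel"},
}
USERS = {                  # user ID -> (role, still employed?)
    "alex":  ("accounts", True),
    "priya": ("hr", True),
    "sam":   ("accounts", False),   # has left the company
    "jo":    ("sales", True),
}
GRANTS = [                 # (user ID, folder) pairs exported from the file server
    ("alex", "payroll"), ("alex", "bookkeeping"),
    ("priya", "personnel"),
    ("sam", "payroll"),
    ("jo", "personnel"),
    ("temp1", "payroll"),
]
ADMINS = {"alex", "priya", "jo"}    # accounts with administrative rights
MAX_ADMINS = 2                      # limit chosen for this example


def review_access(role_access, users, grants, admins, max_admins):
    """Return a sorted list of (user, folder, reason) findings."""
    findings = []
    for user, folder in grants:
        if user not in users:
            # A grant to an ID nobody owns may be a shared or stale account.
            findings.append((user, folder, "user ID not in staff list"))
            continue
        role, active = users[user]
        if not active:
            findings.append((user, folder, "leaver still has access"))
        elif folder not in role_access.get(role, set()):
            # Access granted person-by-person rather than through the role.
            findings.append((user, folder, f"not needed by role '{role}'"))
    if len(admins) > max_admins:
        findings.append(("*", "*", f"{len(admins)} admins, limit is {max_admins}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, folder, reason in review_access(
            ROLE_ACCESS, USERS, GRANTS, ADMINS, MAX_ADMINS):
        print(f"{user:6} {folder:12} {reason}")
```

Each finding maps to one tip: remove the leaver's access, move person-by-person grants into a role or revoke them, and reduce the number of administrators.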
