Privilege creep: Do your employees have more IT access than they need?

By James Ritchie

As employees move up and around in your organization, they likely end up with more responsibility, more influence — and more access to your IT infrastructure.

The phenomenon is known as privilege creep. As people switch roles in a company, they get login or admin privileges for new systems while retaining access to old ones. It leaves your organization vulnerable to data loss and theft.

“This is a huge problem, and a major potential gap as part of an overall security program,” said David Katz, leader of the privacy and information security practice group at Atlanta-based law firm Nelson Mullins Riley & Scarborough.

Experts say there’s a simple, if not necessarily easy, solution: The access audit. It means periodically — perhaps every six months — making sure that staff members can only get to the information and systems they need.

Privilege creep begins innocently enough. In addition to forgetting to take away old privileges, managers also sometimes choose to be liberal with logins and passwords so that employees don’t need to run to IT to get simple tasks done.

“Over time, it’s not uncommon to find that an employee has attained very broad privileges, which may not be in the best interest of the business,” said Dwayne Melancon, chief technology officer for Portland, Ore.-based cybersecurity firm Tripwire.

The consequences can range from mild, such as an employee looking at information from another project, to crushing, such as compliance issues resulting from illegal access to financial or human resources information. Some workers may also seek to take sensitive data with them when they leave the company, and unfettered access compounds the problem.

IT and human resources departments should work together to control privilege creep, Katz said. That means setting policies for what happens to accounts when employees are terminated, reassigned or promoted, and maintaining lists of who has what type of access.

Audits might take place anywhere from once a year to once a quarter, depending on “how dynamic the environment is, as well as the risks and liabilities that will be encountered if an employee gains too much authorized access,” said Paul Hill, a consultant with Boston-based network security consulting firm SystemExperts.

In small firms, decisions about access might rest with a designated security officer, he said. Larger organizations often delegate the review to each managing supervisor.

Companies operating in complicated or regulated environments do best with a centralized system that tracks all privileges along with who made approvals and when, Hill said.

Beyond data breaches, privilege creep can lead to less obvious but deeper problems within an organization, subverting systems of checks and balances.

“A single individual might end up with the authority to request, approve and grant a particular action or transaction,” Hill said.
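As an added example (not from the article or any vendor quoted in it), a small Python access-review script over constructed sample data: it flags entitlements a user's current role does not justify, the retained-from-an-old-role pattern described above, and flags any one person who can request, approve and grant the same transaction type. The role matrix, user records and entitlement naming scheme are assumptions.

```python
from collections import defaultdict

# Constructed role matrix: the entitlements each current role should carry.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:invoice:request"},
    "ap_manager": {"erp:invoice:approve"},
    "erp_admin": {"erp:invoice:grant", "erp:admin"},
    "hr_analyst": {"hris:read"},
}

# Constructed current state: user -> (current role, entitlements actually held).
# alice kept an old clerk entitlement on promotion; bob kept everything from clerk and manager.
USERS = {
    "alice": ("ap_manager", {"erp:invoice:request", "erp:invoice:approve"}),
    "bob": ("erp_admin", {"erp:invoice:request", "erp:invoice:approve",
                          "erp:invoice:grant", "erp:admin"}),
    "carol": ("hr_analyst", {"hris:read"}),
}

# Workflow steps that must never all sit with one person.
SOD_STEPS = {"request", "approve", "grant"}

def find_creep(users=USERS, roles=ROLE_ENTITLEMENTS):
    """Map each user to the entitlements their current role does not justify."""
    creep = {}
    for user, (role, held) in users.items():
        excess = held - roles.get(role, set())
        if excess:
            creep[user] = sorted(excess)
    return creep

def find_sod_conflicts(users=USERS, steps=SOD_STEPS):
    """Map each user to the 'system:transaction' types where they hold every step."""
    conflicts = {}
    for user, (_role, held) in users.items():
        steps_by_txn = defaultdict(set)
        for ent in held:
            parts = ent.split(":")  # entitlements look like system:transaction:step
            if len(parts) == 3 and parts[2] in steps:
                steps_by_txn[parts[0] + ":" + parts[1]].add(parts[2])
        full = sorted(txn for txn, got in steps_by_txn.items() if steps <= got)
        if full:
            conflicts[user] = full
    return conflicts

if __name__ == "__main__":
    for user, extra in find_creep().items():
        print(f"creep: {user} holds {extra} beyond current role")
    for user, txns in find_sod_conflicts().items():
        print(f"SoD conflict: {user} can request, approve and grant {txns}")
```

In a real review the two dictionaries would be exported from the identity system and the HR roster rather than hard-coded, and each flagged line would go to the owning supervisor for a keep-or-revoke decision.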

If no audit has been conducted for a while, one approach is to start from scratch, revoking all privileges and determining who needs what, said Tim Parkin, an Orlando, Fla.-based online business consultant and president of Parkin Web Development.

“Businesses should never be shy about being aggressive in protecting and limiting access,” he said. “It’s always better to revoke access and see if someone notices or complains, rather than assume that a person needs the access they were given.”