The importance of user role definition and access restrictions

By Line Thorsen Sieg June 11, 2024

Many of us have seen the cinematic masterpiece called The Lord of the Rings and can recall the scene where Pippin Took touches the Palantír (the glass orb-like thing with the eye of Sauron in it) and thus gives said villain an insight into his mind.

The bad news: Sauron knows everything Pippin knows. The good news: Pippin doesn’t know anything!

At first there is the panic when Gandalf thinks Sauron now knows everything, then there is the calm of realising the ‘fool of a Took’ knows nothing that Sauron can use. Compare that to real life: the panic of discovering your systems have been infiltrated, then the calm of realising that the access gained is very limited and covers none of the important parts of the IT system.

How many people in your organisation, out of the total number of employees, need access to the whole IT system? Not many, is my guess.

This has nothing to do with not trusting people; it’s about putting security checkpoints in place to give everyone peace of mind. The employees with little to no IT responsibility (and experience) are the ones who can unintentionally cause a lot of damage, which causes them a lot of stress for fear of doing something wrong. Cybersecurity breaches are still stigmatised, and victims feel shame and try to hide the evidence. Role definition and access restriction are a safety net for them just as much as for you.

You can even have multiple access levels depending on your needs and how your organisation is structured: user, management, IT admin. If changing the users’ access restrictions to match their role in the organisation seems like a lot of work, then consider the amount of work you will have to do in case of a breach of your IT system.

It is important to remember that even with low access levels, a cyberattack can cause damage and should be prevented with the same level of security measures, software tools and awareness training.