I’m CEO, I should have Admin credentials!

Admin credentials

“I’m in charge of the company, surely I should have Admin credentials for our IT systems?”

It’s fair to say we hear this comment (or complaint) a lot. We take time to explain why it’s a really bad idea for the most senior person in the company to have ‘access to all areas’ of their IT systems, but often we can tell they are unconvinced.

We will set out the reasons for this policy below, but first here are a couple of things that happened to two of our clients in the last fortnight.

Client 1 – Hit by Ransomware.

Client 1 came back to work on Monday to find their entire system locked out by ransomware. We were tasked with trying to recover their systems without them having to pay the Bitcoin ransom demanded.

Long story short, after a week and a half we were able to get them up and running again, although they had lost a lot of data.

Moreover, they had not been able to operate during the interim period.

Despite this they were delighted that we had been able to recover anything at all.

The frustration for us was that it was entirely avoidable, and we had been warning them for years – no exaggeration – that this might happen. Why were we warning them? Simple: they disregarded all of our upgrade proposals, including:

  • Server upgrade – the current OS was out of support from Microsoft, making it a cyber risk
  • Anti-virus software (!)
  • Cyber hygiene training for staff
  • Implementing non-Admin privileges for all staff

These last two points were the kickers: one of their staff, with full Admin privileges on their PC, clicked on a phishing email that led to the ransomware locking out the entire company.

Client 2 – Ransomware near miss

Client 2 contacted us last week advising that one of their major customers had been hit by ransomware. We ran some checks on our client’s systems and confirmed all was OK.

The reasons they went unscathed were simple:

  • Good cyber awareness amongst their staff
  • Commercial anti-virus and anti-spam in place
  • No Admin credentials for any of their staff.

Simply put, Client 1 had repeatedly ignored our advice, and Client 2 had embraced it.

Admin Credentials – principle of least privilege

These stories lead us to the opening topic of this blog piece – Admin credentials. There is simply no need for anyone in a company to log into the system on a regular basis with Administrative credentials. The only time they are needed is for maintenance and software upgrades.

If a user has Admin credentials, software can be installed on their computer. This is how ransomware and other malware gets in. If a user is a ‘Standard user’, it’s much harder for malware to be installed on their system.

This is why the “principle of least privilege” is an essential element of any professional IT setup. And it’s why the CEO or head of the company, or anyone else in the company, should have standard access privileges only.
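A practical way to check whether the principle of least privilege is actually in place on a Windows PC is to list who holds local Administrator rights and compare that against the short list of accounts that are allowed to have them. The script below is an added example, not part of the original post and not a tool from the author; it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later), and the allowed-account names in it are placeholders to be replaced with your own policy.

```powershell
# Added example (not from the original post): audit local Administrator rights
# on a Windows PC so that staff accounts which should be 'Standard users' can
# be spotted. Run it in an elevated session only when you want to enforce
# removals; the audit itself also works from a standard-user session.

# Assumption (placeholder): the only accounts permitted to keep Admin rights,
# e.g. the built-in Administrator and the IT provider's maintenance account.
$AllowedAdmins = @('Administrator', 'IT-Maintenance')

# Built-in cmdlet: returns each member of the local Administrators group with
# its Name (COMPUTER\user or DOMAIN\user), ObjectClass and PrincipalSource.
$members = Get-LocalGroupMember -Group 'Administrators'

$unexpected = @()
foreach ($m in $members) {
    # Strip the COMPUTER\ or DOMAIN\ prefix before comparing with the policy.
    $shortName = ($m.Name -split '\\')[-1]

    if ($AllowedAdmins -notcontains $shortName) {
        Write-Warning ("Unexpected local Admin: {0} ({1}, {2})" -f `
            $m.Name, $m.ObjectClass, $m.PrincipalSource)
        $unexpected += $m
    }
    else {
        Write-Output "Allowed Admin: $($m.Name)"
    }
}

# Enforcement step: demote every account that is not on the allowed list.
# Left as an opt-in switch so the script is safe to run as a pure audit.
$Enforce = $false
if ($Enforce) {
    foreach ($m in $unexpected) {
        # Requires an elevated session; the account keeps its profile and
        # files, it simply becomes a standard user.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-Output "Removed Admin rights from $($m.Name)"
    }
}

# Finally, report whether the session you are working in right now is
# elevated. For day-to-day work (email, browsing) this should print False.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output "Current session is running with Admin rights: $isAdmin"
```

Running this across every PC (for example as a scheduled task that writes the warnings to a central log) turns the policy in this post into something you can verify, rather than something you assume is in place: the report for Client 2 above should come back empty, while a machine where staff log on with Admin rights will list them immediately.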


Indeed, the CEO, as the most visible person in the company, can often be targeted by hackers. All the more reason to have the least access possible!

We hope you have found this blog piece helpful, and please do contact us if you would like to find out more about the principle of least privilege.