Do you know how many of your users have admin permissions in your cloud productivity software? What about how many can edit documents stored in your cloud storage or an on-premises server?
File and access permissions can be a big cybersecurity vulnerability for a business if they’re not handled correctly. Who has access to files and cloud account settings matters, and not enough companies have a privilege policy in place that reduces their risk of a data security event.
74% of data breaches are caused by privileged credentials being compromised.
What’s a “privileged” credential?
This is a user login that has elevated access rights. For example, it may be able to delete files or access cloud account security settings.
When a hacker gets their hands on a privileged credential, they can do more harm to your business, like deleting files, planting ransomware in your system, accessing your user email accounts to send spam, and more.
A non-privileged credential may belong to a user who can view a file but has no download, edit, or delete permissions. If a hacker were to gain this user login, their ability to damage your data would be limited.
What Are File Permission Types?
File permissions are the level of access a user has in relation to a file. File permissions can be added in multiple ways.
You can add them to individual files manually, to a folder (impacting all files in that folder), or use a security software protocol, like Microsoft 365 sensitivity labels.
File permissions generally apply to the file itself, but are also used in conjunction with user permissions. For example, User A may only have the ability to read a file, but User B may have permissions that allow editing that same file.
Standard file permissions when using something like FTP or a file directory are:
- No access at all
- Read access
- Write access (allows editing)
- Delete access
- Execute access (allows file to be used to run programs)
When it comes to data security and cloud software, additional security settings will usually include:
- Ability to copy a file
- Ability to share a file
- Ability to print a file
- Ability to remove a watermark on a file
- Ability to save a file
As noted, file permissions are usually combined with user permissions. This makes administration for security easier because instead of having to edit security settings for each user and file, users can be added to a group and file permissions can be set at the group level.
A good example of this is SharePoint team sites in Microsoft Teams. When you add users to a group (say, “accounting”), you can then designate any files stored in the accounting SharePoint folder to be accessible only to members of the accounting group as a whole.
You can also designate that another group can read the files but cannot edit them.
Why You Should Use the “Rule of Least Privilege”
One of the best practices for data security is called the Rule of Least Privilege, and it’s designed to reduce your risk in multiple ways.
If you’re not using file or access permissions and just giving all users a privileged access level, here are some things that can go wrong.
It’s Easier for Hackers to Breach Your Data
If only 10% of your users have privileged credentials, your risk of a bad outcome from a stolen password is much lower than if 100% of your users have them.
77% of cloud account data breaches are caused by stolen login credentials. The more user logins you have that can access account processes, settings, and file activities like delete or execute, the more chance you’ll suffer devastating consequences from a stolen or hacked user password.
Higher Risk of User Error Problems
29% of data loss incidents are caused by human error. The more users you have that can edit and delete your files, the higher your user error risk goes.
Users can accidentally overwrite files, delete them, or delete entire folders. Many cloud services have deleted file retention limits, some as short as 30 days.
Easier for Automated Attacks to be Carried Out
Hackers will often use automated attacks once a database of passwords has been stolen or purchased on the Dark Web. If you have multiple users that have the permission to “execute” file program processes, it makes it very easy for these automated attacks to plant spyware, ransomware, or another form of malware.
How to Use the Rule of Least Privilege
The Rule of Least Privilege is easy to adopt and it can save you from suffering severe consequences due to a breach or user error.
It simply means giving each user the lowest permissions that still allow them to do their daily work.
In practice, this looks like a set of different file and account access permissions that are set up according to your business activities and user workflows.
Each user would be put at the appropriate level needed and you would end up with very few users that had the ability to delete files or access advanced account settings. This makes it much easier for you to add additional access protections to those few privileged accounts.
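One way to check a group-based permission setup against the Rule of Least Privilege, shown as an added example that is not from the original article: it resolves each user's effective permissions from group membership, counts the privileged users, and lists privileged grants that were never used. The groups, users, resources and usage data are constructed, and treating delete, execute and account-settings access as "privileged" is an assumption based on the article's description.

```python
PRIVILEGED = {"delete", "execute", "admin_settings"}  # assumed definition
# Constructed data: permissions are granted to groups per resource, never to users.
GROUP_GRANTS = {
    "accounting": {"accounting": {"read", "write"}},
    "accounting-leads": {"accounting": {"read", "write", "delete"}},
    "sales": {"accounting": {"read"}},
    "it-admins": {"accounting": {"read", "write", "delete", "execute"},
                  "account": {"admin_settings"}},
}
MEMBERSHIP = {
    "alice": ["accounting"],
    "bob": ["accounting", "accounting-leads"],
    "carol": ["sales"],
    "dave": ["it-admins"],
    "erin": ["sales", "it-admins"],  # leftover membership from an old role
}
# What each user actually did during the review period (constructed).
OBSERVED_USE = {
    "alice": {("accounting", "read"), ("accounting", "write")},
    "bob": {("accounting", "read"), ("accounting", "delete")},
    "carol": {("accounting", "read")},
    "dave": {("accounting", "execute"), ("account", "admin_settings")},
    "erin": {("accounting", "read")},
}

def effective(user):
    """Union of (resource, permission) pairs from every group the user is in."""
    return {(res, perm) for group in MEMBERSHIP.get(user, [])
            for res, perms in GROUP_GRANTS[group].items() for perm in perms}

def privileged_users():
    """Users holding at least one privileged permission on any resource."""
    return sorted(u for u in MEMBERSHIP
                  if any(perm in PRIVILEGED for _, perm in effective(u)))

def excess(user):
    """Granted but never used: candidates for removal under least privilege."""
    return effective(user) - OBSERVED_USE.get(user, set())

def report():
    priv = privileged_users()
    print(f"{len(priv)}/{len(MEMBERSHIP)} users are privileged: {priv}")
    for user in MEMBERSHIP:
        unused = sorted(e for e in excess(user) if e[1] in PRIVILEGED)
        if unused:
            print(f"  {user}: unused privileged grants {unused}")

if __name__ == "__main__":
    report()
```

Here "erin" is flagged because a stale group membership still gives her delete, execute and account-settings rights she never uses, which is the kind of account to downgrade first.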
Need Help Setting Up Your User Privileges?
B-Comp Services can help your Denver area business put a strategic plan in place for file and access permissions that keeps you protected.
Contact us today to get started. Call at 303-282-4934 or contact us online.