Insider Threat Management

Coachable Moments: Privileged User Best Practices


It can be hard to coach your peers, or “manage up” to people in technical leadership positions. Even so, there is a real need to keep an eye on privileged users, specifically administrator-level users, because they hold the highest levels of access to sensitive data in an organisation. If a privileged user becomes an insider threat, that level of access gives them far more potential than a typical user to cause damage.

If you’re vigilant about the key indicators that can turn privileged users into insider threats, the next step is to enact the proper systems and coaching to prevent any potentially costly incidents from happening to your organisation.

Tie Secondary Authentication to Compliance Goals

Many admin users will understand the need to add a layer of authentication to shared accounts such as administrator and root. Requiring a secondary challenge-response that ties each session on a shared account to a named-user account ID (using forced ID tools) may also save some of the implementation and overhead costs of an identity and access management (IAM) solution or a password vault.

Explain to your privileged users that secondary authentication is not intended to slow them down in doing their jobs, but is a preventative measure to protect sensitive corporate data. If you work in a highly regulated industry or store personally identifiable information (PII) from customers, explaining such protections will be that much easier. Frame these discussions as part of a larger conversation around GDPR or the relevant regulatory compliance framework, so users can see how their actions are directly tied to the organisation’s compliance initiatives.

Regularly Audit Privileged Access

Over time, employees’ privileges accumulate, regardless of whether those users still need all of the privileges they have accrued. This kind of “privilege creep” is a very real risk for organisations that move quickly without regularly evaluating who has access to which areas of their servers.

For example, one medical device company found that it had 4x the number of privileged users with access to its Windows servers than it had originally designated. Sometimes admins need privileged access only temporarily, for the duration of a project or an on-call rotation, after which it can be revoked; in other cases people are no longer working on the projects that required the level of privilege they still hold.

Ask for your admin team’s partnership in identifying opportunities to use temporary credentials, or projects that have a finite timeline for privileged users. Generally speaking, applying the principle of least privilege requires that you regularly audit your servers to determine who really needs the access, and who does not. In cases where access is revoked, explain to the user exactly why this is the case, and which approval process is required to escalate his or her privileges for future projects.
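The audit described in this section can be made routine rather than ad hoc. The following script is an added example, not Proofpoint's code: it compares the current membership of a privileged group (here, the local Administrators group on two Windows servers, as a host inventory might export it) against an approval register that records why each grant was made and, for temporary grants, when it expires. Every name, host and date in it is constructed sample data. It reports three things an auditor wants to act on: members with no grant at all, members whose temporary grant has lapsed, and grants on record for people who are no longer members. It also computes the "actual versus designated" ratio the medical device example above illustrates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample (hypothetical data): current members of the local
# Administrators group on two Windows servers, as a host inventory might export it.
CURRENT_ADMINS: Dict[str, List[str]] = {
    "win-app-01": ["alice", "bob", "svc-backup", "carol", "dave"],
    "win-db-02": ["alice", "erin", "svc-backup", "frank"],
}


@dataclass(frozen=True)
class Grant:
    """One approved privileged-access grant from the access-request register."""
    user: str
    host: str
    reason: str
    expires: Optional[date]  # None = standing access; a date = temporary grant


# Constructed approval register (hypothetical): what was originally designated.
APPROVED_GRANTS: List[Grant] = [
    Grant("alice", "win-app-01", "platform team lead", None),
    Grant("bob", "win-app-01", "on-call rotation", date(2019, 3, 31)),
    Grant("svc-backup", "win-app-01", "backup agent", None),
    Grant("alice", "win-db-02", "platform team lead", None),
    Grant("erin", "win-db-02", "migration project", date(2019, 6, 30)),
    Grant("svc-backup", "win-db-02", "backup agent", None),
]

# Date the audit is run on; fixed so the sample output is reproducible.
AUDIT_DATE = date(2019, 5, 15)


def audit_privileged_access(current, grants, today):
    """Compare actual group membership against the approval register.

    Returns {host: {"unapproved": [...], "expired": [...], "unused_grant": [...]}}:
      unapproved   - member with no grant at all (silent privilege creep)
      expired      - member whose temporary grant has lapsed (revoke it)
      unused_grant - grant on record for someone no longer a member (close it)
    """
    findings = {}
    for host, members in current.items():
        active, expired = set(), set()
        for g in grants:
            if g.host != host:
                continue
            if g.expires is not None and g.expires < today:
                expired.add(g.user)
            else:
                active.add(g.user)
        expired -= active  # a renewed grant supersedes an older expired one
        findings[host] = {
            "unapproved": sorted(u for u in members if u not in (active | expired)),
            "expired": sorted(u for u in members if u in expired),
            "unused_grant": sorted(u for u in active if u not in members),
        }
    return findings


def privilege_creep_ratio(current, grants, today):
    """Actual privileged memberships divided by currently approved ones."""
    approved = sum(1 for g in grants if g.expires is None or g.expires >= today)
    actual = sum(len(m) for m in current.values())
    return actual / approved if approved else float("inf")


if __name__ == "__main__":
    report = audit_privileged_access(CURRENT_ADMINS, APPROVED_GRANTS, AUDIT_DATE)
    for host, findings in report.items():
        print(host, findings)
    ratio = privilege_creep_ratio(CURRENT_ADMINS, APPROVED_GRANTS, AUDIT_DATE)
    print(f"creep ratio (actual / approved): {ratio:.2f}")
```

Run on the sample data, the report flags carol and dave on win-app-01 and frank on win-db-02 as never approved, bob's on-call grant as expired, and a creep ratio of 1.8. The "unused_grant" bucket matters too: closing grants that are no longer exercised keeps the register honest, so that the next audit compares against something you trust.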

Partner with Users on Data Handling & Awareness

As social engineering and phishing attempts grow more sophisticated, it is important to partner with users so they can recognise when an identity or credential theft has taken place. Identity theft incidents in IT can be detected and neutralised much more quickly when users have the means to flag unauthorised logins.

For example, an insider threat management solution with forced ID tools can keep track of authorised pairings of user IDs and client machines. If someone logs in to an endpoint from a client that is not paired to that user, the user can be notified by email and quickly identify a case of credential theft in progress.
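The pairing check just described is simple enough to prototype against your own logon logs. The script below is an added example, not code from Proofpoint or any product: it parses constructed sample logon lines in a hypothetical `LOGON user=... endpoint=... client=... hostname=...` format, holds a constructed register of which client machines each user is authorised to use, and raises an alert (with the notification text the account owner would receive) for any logon from an unpaired client or from a user with no pairing on record at all.

```python
import re
from typing import Dict, List, Set

# Constructed sample log lines (hypothetical format): successful logons as an
# endpoint agent or SIEM might record them. Not real data.
SAMPLE_LOGS = """\
2019-05-15T08:02:11Z LOGON user=alice endpoint=win-app-01 client=10.20.1.15 hostname=ALICE-LT
2019-05-15T08:05:43Z LOGON user=bob endpoint=win-app-01 client=10.20.1.22 hostname=BOB-LT
2019-05-15T12:17:09Z LOGON user=alice endpoint=win-db-02 client=10.20.1.15 hostname=ALICE-LT
2019-05-15T23:41:58Z LOGON user=alice endpoint=win-db-02 client=10.20.7.88 hostname=UNKNOWN-PC
2019-05-16T02:03:30Z LOGON user=svc-backup endpoint=win-db-02 client=10.20.3.5 hostname=BACKUP-01
2019-05-16T09:12:44Z LOGON user=tmp-contractor endpoint=win-app-01 client=10.20.9.3 hostname=CONTR-PC
"""

# Constructed pairing register (hypothetical): the client machines each user is
# authorised to log in from. An IAM or insider threat management product would
# maintain this for you; here it is a plain dict.
AUTHORISED_PAIRINGS: Dict[str, Set[str]] = {
    "alice": {"ALICE-LT"},
    "bob": {"BOB-LT"},
    "svc-backup": {"BACKUP-01"},
}

# Field layout of the hypothetical log format above.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) "
    r"client=(?P<client>\S+) hostname=(?P<hostname>\S+)$"
)


def parse_logons(text: str) -> List[Dict[str, str]]:
    """Parse logon lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_unpaired_logons(events, pairings):
    """Return one alert per logon that came from a client not paired to that user."""
    alerts = []
    for e in events:
        if e["user"] not in pairings:
            reason = "no pairing on record"
        elif e["hostname"] not in pairings[e["user"]]:
            reason = "unpaired client"
        else:
            continue  # known user on a paired machine: nothing to flag
        alerts.append({**e, "reason": reason})
    return alerts


def notification_text(alert) -> str:
    """Plain-language email body for the account owner (and the security team)."""
    return (
        f"A logon to {alert['endpoint']} as '{alert['user']}' at {alert['ts']} "
        f"came from {alert['hostname']} ({alert['client']}), which is not a "
        f"client paired to this account ({alert['reason']}). If this was not "
        f"you, report it now so the credential can be reset."
    )


if __name__ == "__main__":
    for alert in find_unpaired_logons(parse_logons(SAMPLE_LOGS), AUTHORISED_PAIRINGS):
        print(notification_text(alert))
```

On the sample data, alice's three daytime logons from ALICE-LT pass silently, while the late-night logon as alice from UNKNOWN-PC and the logon by tmp-contractor, who has no pairing at all, each produce an alert. Treating "no pairing on record" as its own reason is deliberate: a brand-new account that nobody has paired is exactly the kind of gap an access review should close, and lumping it in with ordinary mismatches hides it.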

Beyond credential theft alone, even the most responsible privileged users may give in to curiosity and look at sensitive information they are not required to see. If user activity monitoring is in place, and users understand how it works and why the policy exists, they may be less likely to succumb to the urge to inappropriately view or share sensitive data.

More in the Coachable Moments Series

If you liked this article, check out some of our prior installments of Coachable Moments, which cover Application Installs & Updates, Personal Email Use at Work, and Cloud Storage & Remote Work. Share your own experiences, or areas you’d like us to cover in the future on Twitter @Proofpoint.