Contributor:
Paul Kenyon
December 20th, 2012

5 Ways to Manage the Social Impact of Least Privilege

IT departments are often met with employee demand for unrealistic levels of service and autonomy. This can be especially problematic when migrating to a least privilege environment. There are, however, steps that can be taken to communicate and convey the benefits of least privilege, reducing friction between end users and the IT department.

Educate Users

If you work in an IT-related industry, chances are you’re pretty switched on to the risks of opening suspicious attachments or providing personal information on dodgy websites. But remember, even within an IT organization, technical expertise can vary greatly. Therefore, no matter the organization type, the burden is on IT to ensure every employee is vigilant about the risks of being on the Internet. Encourage users to consider whether the attachments and emails they receive are from trusted sources, and explain the most common ways cybercriminals make their way into businesses. This, in turn, will help convey the value and purpose of taking a least privilege approach.

Drive Management Buy-in

To achieve successful backing from senior management, emphasize least privilege’s business benefits over purely security or technical gains. Key highlights include reduced IT support costs, increased productivity and compliance with industry regulations or standards (e.g. PCI DSS, HIPAA, SOX).

Be Transparent

Employees might benefit from a published set of reasonable time frames for responding to software install requests, along with the business reasons for rejecting such a request. This helps users realize their requests to download certain apps are not being ignored or held up due to inefficiencies. Rapid request and feedback mechanisms can also help to wean employees off “fast food software,” which ultimately has residual effects on others that the organization must plan for.

Develop policies on software and hardware

Internal app stores tailored to specific organizations are becoming increasingly popular, offering users an approved selection of acceptable apps. To ensure malicious rogue apps aren’t downloaded, organizations can also restrict apps based on their download source, easing both IT’s and users’ fears of inadvertently inviting malware onto the system. This way, users are empowered to choose freely among a variety of options while the security of the network is still ensured.

This freedom of choice is especially valued by Gen Y workers, who tend to have a work-style preference that organizations should encourage to promote productivity, rather than stifle. For hardware, specify a list of brands that users are permitted to purchase to minimize support and compatibility issues.

Combine with desktop refresh projects

Transitioning to a least privilege environment alongside a desktop refresh project nearly always increases acceptance from end users, since an OS upgrade is almost always welcomed.

By rolling out a well-documented least privilege policy with proper education, users are likely to realize why it has been put in place, so organizations can properly defend against exploits. Ultimately, employees should understand how running as a standard user can increase productivity, improve the company’s bottom line and protect customer data.
