Understanding the dangers of ‘Permission Creep’

Imagine a situation where a member of your Operations Team is going on holiday. Because they work on a number of projects that all need to be progressed in their absence, they share their Outlook mailbox and their OneDrive files with a colleague, or indeed their whole team, so that others can keep an eye on client communications in their absence.

When they return from leave, they are busy catching up with an overflowing inbox, and don’t think about the sharing action they took before their two weeks supping Pina Colada’s on the beach.

A year later, that colleague is promoted to Operations Manager, and 18 months later, having excelled in their role, they join the Senior Leadership Team as Head of Operations. In their new role, they have access to HR records for the whole Operations Team, and they are frequently copied in on emails concerning the sensitive nature of Leadership Team discussions.

But the colleague they worked with previously, now a little aggrieved at being passed over for the same promotion, still has that historic access granted, and is happily checking in on the inbox of the new Head of Operations, every day, unnoticed. Unwittingly, sensitive data is being shared with people inside the organisation, who haven’t actually done anything wrong in terms of cracking passwords are stealing identities – they are simply using the access privileges no one remembered granting to them in the first place.

This is an example of “Permission Creep.” Permission creep refers to the gradual accumulation of excessive user permissions within an organisation’s IT environment over time. As employees change roles, gain new responsibilities, or switch departments, their access requirements evolve. This can result in accumulating additional permissions that are not revoked when they are no longer needed. Over time, this can lead to a complex web of access rights and create potential vulnerabilities that malicious actors can exploit.

How do I reduce the risk of permission creep?

  • Conduct quarterly reviews of who has access to mailboxes and sensitive folders
    You can export reports from your Microsoft estate, which show who’s inboxes are shared with who, and you can create reports to show a list of who has access to critical folders, such as HR or Finance records. These reports should be reviewed quarterly, to quickly check that everything is as you would expect it to be.
  • Always conduct and access review when a colleague changes role internally
    When a colleague is promoted or changes job, consider them as if they were a new user to your organisation. Review what access they now need, as well as historic access that should now be revoked, and review the settings on their individual mailbox, OneDrive and SharePoint settings.
  • Consider using Role Based Access Control
    RBAC is a framework that assigns IT privileges based on a pre-defined criteria for given roles within your organisation.
  • Security Awareness and Training
    Educate employees about the risks associated with permission creep and the importance of following access control policies. Regularly train staff on safe computing practices, including password hygiene, data protection, and the potential consequences of unauthorized access.

Customers of ramsac’s secure+ service will already benefit from quarterly access reviews as part of the expanded range of security monitoring and alerts. Talk to one of cybersecurity team or your ramsac relationship manager for more information.

Brochure: secure+ from ramsac

secure+ is a proactive cybersecurity monitoring service designed to hunt for signs of malicious activity or potential cyberbreach, ramsac then takes action to prevent damage from being done.

Related Posts

  • Social Engineering: The 7 most common tricks cybercriminals use (and how to stop them)

    Social Engineering: The 7 most common tricks cybercriminals use (and how to stop them)

    Cybersecurity

    Discover the top 7 social engineering tricks cybercriminals use to manipulate people into giving away sensitive information, and learn practical steps to protect yourself and your organisation from these [...]

    Read article

  • Protect your organisation with secure+ from ramsac

    Protect your organisation with secure+ from ramsac

    Cybersecurity

    Protect your organisation from evolving cyber threats with ramsac's secure+ A proactive monitoring solution designed to safeguard your systems, data, and reputation. [...]

    Read article

  • All you need to know about software vulnerabilities

    All you need to know about software vulnerabilities

    CybersecurityTechnical Blog

    Understanding software vulnerabilities is crucial for staying protected in an ever-evolving cyber landscape, where unpatched weaknesses can open the door to serious security threats for individuals and organisations alike. [...]

    Read article

  • Why your printer might be the biggest security risk in your office

    Why your printer might be the biggest security risk in your office

    Cybersecurity

    Think your office printer is harmless? Think again. Printers store data, connect to networks, and often have default passwords that cyber criminals love. Don't let your weakest link be the [...]

    Read article

  • The importance of cybersecurity contingency planning for businesses

    The importance of cybersecurity contingency planning for businesses

    Cybersecurity

    Protect your data from cybercriminals and minimise downtime with an effective cybersecurity contingency plan. Read on. [...]

    Read article

  • How to Spot a Scam HMRC Letter 

    How to Spot a Scam HMRC Letter 

    Cybersecurity

    Learn how to spot fraudulent communications, like fake HMRC letters, and take steps to protect your personal information and finances from scammers. [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?