One MSP or IT company might serve hundreds of customers, so a well-timed and thought-out attack can be extremely profitable.
One of the key control areas within cyber resilience is user access: making sure that only the people who need access have it.
But what happens once that user no longer needs that access?
And if that user has an admin account, does this increase the risk?
Let’s call our hypothetical admin user Jessie.
So, a cybercriminal can get the credentials from the darknet and log in to the system, navigate to the cunningly hidden password spreadsheet and then access everything?
Um...
As Jessie has just transferred internally, no one has thought about the permissions they have and whether they are still required. This means that the admin account is still active months after it should have been removed.
Jessie doesn’t mind because it allows them to download software without having to bother anyone about it, even from unapproved stores.
And as Jessie is still working internally and using their account as usual, when someone else logs in using their credentials, it goes unnoticed.
HR and IT didn’t talk to each other, so again Jessie’s accounts weren’t deactivated, leaving the access open to anyone. The change in activity levels might be picked up by logging if the break in activity was registered as a new baseline, rather than assuming Jessie was on holiday.
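The detection idea above, that a login after a long silence on an account is worth an alert, can be put into a small check. The example below is added here and is not from the ECRC post; it assumes a simple constructed log format (timestamp, user, event, result, source address), a constructed HR roster and a constructed admin list, and raises the priority of an alert when the account is an admin one or HR no longer lists the person as active.

```python
"""Flag logins that follow a long gap on an account (dormant-account reactivation).

Added illustration, not ECRC code. Log format, roster and admin list below are
all constructed assumptions: '<ISO timestamp> <user> <event> <result> <source>'.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 30  # a login after this much silence is treated as a new baseline

# Constructed sample log: Jessie is quiet for weeks, then appears from a new address.
AUTH_LOG = """\
2024-01-03T08:55:10 jessie login ok 10.0.0.21
2024-01-04T09:01:44 jessie login ok 10.0.0.21
2024-01-05T17:20:01 jessie login ok 10.0.0.21
2024-03-14T02:13:09 jessie login ok 203.0.113.77
2024-03-14T02:15:30 jessie login ok 203.0.113.77
2024-03-13T08:00:00 sam login ok 10.0.0.40
2024-03-14T08:02:11 sam login ok 10.0.0.40
"""

HR_ROSTER = {"jessie": "moved", "sam": "active"}  # constructed HR status per user
ADMIN_ACCOUNTS = {"jessie"}                         # constructed list of admin accounts


def parse(line):
    """Split one constructed log line into (timestamp, user, source address)."""
    ts, user, _event, _result, src = line.split()
    return datetime.fromisoformat(ts), user, src


def find_reactivations(log_text, roster, admins, dormant_days=DORMANT_DAYS):
    """Return one alert per login that follows more than dormant_days of silence.

    Events are sorted by time first so an out-of-order feed cannot hide a gap.
    Priority is 'high' when the account is an admin one or HR no longer has
    the person as active; otherwise 'review'.
    """
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    last_seen, alerts = {}, []
    for ts, user, src in events:
        prev = last_seen.get(user)
        if prev is not None and ts - prev > timedelta(days=dormant_days):
            admin = user in admins
            status = roster.get(user, "unknown")
            alerts.append({
                "user": user, "gap_days": (ts - prev).days, "source": src,
                "admin": admin, "hr_status": status,
                "priority": "high" if admin or status != "active" else "review",
            })
        last_seen[user] = ts  # every login, alerting or not, moves the baseline
    return alerts


def stale_admins(roster, admins):
    """Admin accounts whose HR status is anything other than 'active'."""
    return sorted(u for u in admins if roster.get(u, "unknown") != "active")
```

Running `find_reactivations(AUTH_LOG, HR_ROSTER, ADMIN_ACCOUNTS)` on the constructed data produces a single high-priority alert for jessie after a 68-day gap, and `stale_admins` lists jessie as an admin account HR no longer marks active.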
There is also the risk that Jessie didn’t leave the company on the best terms and maliciously tries to use their credentials, which they find still work. They go and delete key information, encrypt that master password spreadsheet or install some malware.
Fingers crossed that no IT company would have an admin user who doesn’t know or appreciate the fundamentals of cyber security, but in our scenario there’s some bad practice that Jessie’s company needs to sort out for everyone.
The ECRC is a police-led, not for profit organisation which companies can join for free.
Our core membership provides: