IT departments are often met with employee demand for unrealistic levels of service and autonomy. This can be especially problematic when migrating to a least privilege environment. There are, however, steps that can be taken to communicate and convey the benefits of least privilege, reducing friction between end users and the IT department.
If you work in an IT-related industry, chances are you're pretty switched on to the risks of opening suspicious attachments or providing personal information on dodgy websites. But remember, even within an IT organization, technical expertise can vary greatly. Therefore, no matter the organization type, the burden is on IT to ensure every employee is vigilant about the risks of being on the Internet. Encourage users to consider whether attachments and emails they receive are from trusted sources and explain the most common ways cybercriminals make their way into businesses. This, in turn, will help convey the value and purpose of taking a least privilege approach.
Drive Management Buy-in
To achieve successful backing from senior management, emphasize least privilege's business benefits over purely security or technical gains. Key highlights include reduced IT support costs, increased productivity and compliance with industry regulations or standards (e.g. PCI DSS, HIPAA, SOX).
Employees might benefit from a portfolio outlining reasonable time frames for responding to software install requests and the business reasons for rejecting such an ask. This helps users realize their requests to download certain apps are not being ignored or backed up due to inefficiencies. Rapid request and feedback mechanisms can also help to wean employees off “fast food software,” which ultimately results in residual effects on others that the organization must plan for.
Develop policies on software and hardware
Internal app stores catered to specific organizations are becoming increasingly popular by offering users an approved selection of acceptable apps. To ensure malicious rogue apps aren’t downloaded, organizations can also restrict apps based on their download source, easing both IT and users’ fears of inadvertently inviting malware onto the system. This way, users are empowered to freely choose among a variety of options, while also ensuring the security of the network.
This is especially true for Gen Y workers, who tend to have a work-style preference that organizations should encourage, rather than stifle, to promote productivity. For hardware, specify a list of brands that users are permitted to purchase to minimize support and compatibility issues.
Combine with desktop refresh projects
Transitioning to a least privilege environment while also doing a desktop refresh project nearly always increases acceptance from end users, as an OS upgrade is almost always supported.
By rolling out a well-documented least privilege policy with proper education, users are likely to realize why it has been put in place, so organizations can properly defend against exploits. Ultimately, employees should understand how running as a standard user can increase productivity, improve the company’s bottom line and protect customer data.