A common problem that can be particularly troublesome for small businesses is what is known as "access creep." In a nutshell, access creep occurs when employees accrue access to more systems than their jobs require. This can happen when employees are promoted or transferred, change job roles, and so forth. It can also occur when employees share access logins and passwords with other employees at the company. Most of the time, there is nothing at all malicious about access creep; it is a natural consequence of personnel or company changes. Nonetheless, it exposes companies to significant risk of theft, destruction, sabotage, and leaks.
Here are a few simple steps you can take to reduce your company’s risk of access creep:
1. Prevent leaks. Use single sign-on products provided by IBM and Sun Microsystems. This allows employees to use one password—instead of having to remember several—to access what they need. It reduces the risk that employees will write passwords on sticky notes that everyone can see.
2. Change passwords frequently. Passwords should be changed every 30 to 60 days. This will reduce the risk that people will use others’ passwords. It is also a good way to automate the removal of ghost passwords, so former employees’ passwords will not remain active in the system.
3. Ensure that no two users are alike. Every employee, regardless of position, should have a unique user credential and password. This helps prevent access breaches and also makes it easier to identify a transgressor.
4. Terminate access. Make sure your access-control policy details how access is terminated when people leave the organization. Otherwise, former employees may have access long after their termination.
5. Audit, Audit, Audit. Every time an employee transition occurs, review that employee’s access privileges to make sure he or she is not still able to access old accounts or systems. As a backup, a company should also regularly audit each user account to make sure that the employee associated with it really needs access to all systems for which he or she is currently approved.
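The audit in steps 3 to 5 can be run as a comparison between an HR roster, a per-role list of required systems, and an export of accounts from each system. The script below is an added example, not part of the original tip; the role names, systems, employees, and the three data structures are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): systems each role needs.
ROLE_BASELINE = {
    "accountant": {"ledger", "payroll"},
    "sales": {"crm"},
    "it_admin": {"crm", "ledger", "payroll", "file_server"},
}

# Constructed HR roster: employee -> (current role, employment status).
HR_ROSTER = {
    "alice": ("sales", "active"),       # moved from accounting to sales
    "bob": ("accountant", "active"),
    "carol": ("it_admin", "active"),
    "dave": ("sales", "terminated"),    # left the company
}

# Constructed account export: (system, login, employee who uses it).
ACCOUNTS = [
    ("crm", "alice", "alice"),
    ("ledger", "alice", "alice"),       # left over from her old role
    ("ledger", "bob", "bob"),
    ("payroll", "bob", "bob"),
    ("payroll", "bob", "alice"),        # bob's login is also used by alice
    ("crm", "dave", "dave"),            # never disabled
    ("file_server", "carol", "carol"),
]

def audit_access(roster, baseline, accounts):
    """Return sorted (finding, employee-or-login, system) tuples."""
    findings = set()
    users_of_login = defaultdict(set)
    for system, login, employee in accounts:
        users_of_login[(system, login)].add(employee)
        role, status = roster.get(employee, (None, "unknown"))
        if status != "active":
            # Step 4: access held by someone who is not a current employee.
            findings.add(("inactive_or_unknown_owner", employee, system))
        elif system not in baseline.get(role, set()):
            # Step 5: access the employee's current role does not need.
            findings.add(("exceeds_role", employee, system))
    for (system, login), users in users_of_login.items():
        if len(users) > 1:
            # Step 3: one credential used by more than one person.
            findings.add(("shared_login", login, system))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS):
        print(*finding, sep="\t")
```

An account whose owner is missing from the roster is reported the same way as a terminated employee's account, since either one has no current employee responsible for it.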
Founder and COO