Your files are your agency’s most important asset besides creative talent. Whether they are video, audio, text, or design files, they represent completed and in-process work products that clients depend on and that your people have invested many hours in producing. They need protection from both external and internal threats.
The ideal solution is restricting access to files and applications to only those who need it. This restriction protects files if an individual computer is compromised by an external threat, or by an employee who makes an error or has malicious intent. Delineating who can access what is the benefit of granular user permissions.
What Are Granular User Permissions?
Granular user permissions allow IT administrators to customize who may access specific systems or parts of a database. Administrators may establish or remove users and often have predefined access levels to select from. Those run from full access for principals to more limited access for administrative personnel.
Why Are Granular Permissions So Necessary?
Your files are most of the value of your agency. Yes, it’s that simple. Protecting your files needs to be your first consideration. You are the center of creation; the creations are almost all of your value.
When a file with hundreds of hours invested in the campaign disappears, the losses can’t be fully quantified. On top of the hours paid to employees and contractors, your agency could lose a good client and expose itself to reputational risk. There is no low-cost alternative to a sensitive file loss.
What Could Happen if I Don’t Have Granular User Permissions?
Without granular user permissions, you tremendously expand the company’s risk profile. There is no such thing as “too safe” when it comes to sensitive data.
You can expose your agency to massive internal and external threats if you lack granular user permissions.
Some of those threats include:
- Cybersecurity incursions through malware or phishing emails
- The actions of a disgruntled employee
- Industry competitors accessing each other’s files
- Successful corporate spying events
- Destabilization of your customer base
Ask These Six Questions When Establishing Granular User Permissions
The best way to delve into granular user permissions is to identify the who, what, where, why, when, and how of its use. This simplified guide will explain how different levels of access work, how to configure for geography, and who is granted access.
How Do Granular User Permissions Work?
Established rules will require a sign-in by users to authenticate their identity. A password could be the simplest solution, but passwords are not enough to protect your sensitive data. Privileged management solutions come into play and increase the level of authentication needed for administrator roles, possibly requiring a token or two-factor authentication.
System access is another part of the “how.” What seems like a simple concept can be pretty complex when digging into the details. Server compromise can potentially happen in many ways, allowing the ability to transfer files, escalate privileges, or access the server.
Administrators may only need certain access permission levels as well, with some receiving full permissions and others just enough permissions to transfer files, not access the server itself.
Your clients also require permission to access their files and are given access only to their file folders with a password.
Who Will Receive Access?
You already know that granular user permissions define who has access to specific data or applications and that it is best to establish role-based permissions. An example would be a graphic designer who has access only to relevant files but not to files in video editing. Another would be a database administrator who is granted access to all databases, while a web administrator is given access only to the servers they need.
Individual permissions could be set for each employee, which is massively time-consuming. If the IT team develops a backlog, employees might not get access soon enough, or an employee might leave and continue to have access for some period afterward. Access management solutions that define privileges make changing access a simple task. Permissions and rules can be changed at the press of a button, protecting the organization and preventing mistakes.
How Much Access Should Be Granted to Each User?
Granular user permissions start with the principle of least privilege. As someone joins the agency, they start with a role with the lowest level of access to systems unless otherwise specified. Permissions become more defined as the position is specified and are adjusted appropriately. An admin might start at the lowest level of permissions and then expand with new duties or advancements within the agency.
Where to Set Geographic Restrictions?
With the remote work revolution, many agency employees may access systems from home or in the field. Additionally, clients are accessing files remotely and could be based anywhere. It doesn’t look suspicious for an agency to have multiple systems logging in from many parts of the country. No one can comb through all the logins to ensure they are legitimate and only come from employee or client locations.
However, granular user permissions can limit the number of locations allowed to access an agency’s sensitive files by forbidding areas where the company has no employees or clients. This restriction keeps out malicious hackers located in other countries. If your agency doesn’t have employees or clients in Germany, then no German IP addresses should be allowed to access your systems.
Additionally, geographic restrictions limit the extent of access users have outside of the office. Significant changes will not be allowed from thousands of miles away, which could happen if someone’s laptop becomes compromised. Only a physical login to the server should be allowed.
When Should Each User Have Access?
Your staff typically doesn’t need 24/7 access to sensitive systems or files and should have limited or no access during off hours. Someone signing in at 3 a.m. should be considered suspicious unless they log in from another country while traveling.
Granular user permissions have the sophistication not only to customize levels of access but also to establish time periods for each. Those limitations protect your files from a threat that might go unnoticed for a substantial period.
Granular user access can also limit access to a specified amount of time. If an artist comes in on contract for several months, permissions may be set to time out at the end of that period. An executive or salesperson traveling overseas could also be given access to log in from that location for the extent of their travels.
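The role, location, time-of-day, and expiry rules described in the sections above can be evaluated together as one deny-by-default check. The Python below is an added example, not code from this article or from any product; the role names, folders, country codes, working hours, and the `check_access` helper are assumptions, and the sign-in country is assumed to come from an upstream IP geolocation lookup.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Constructed policy: role names and folders are assumptions for illustration.
ROLE_FOLDERS = {
    "graphic_designer": {"design"},
    "video_editor": {"video"},
    "principal": {"design", "video", "audio", "text"},
}

@dataclass
class User:
    name: str
    role: str
    countries: set                       # country codes the user normally signs in from
    hours: tuple = (time(7, 0), time(20, 0))    # permitted window, office local time
    expires: Optional[datetime] = None   # contract end; None means no expiry
    travel: dict = field(default_factory=dict)  # country -> (start, end) temporary grant

def check_access(user, folder, country, when):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if folder not in ROLE_FOLDERS.get(user.role, set()):
        return False, "role lacks folder"
    if user.expires is not None and when >= user.expires:
        return False, "access expired"
    grant = user.travel.get(country)
    travelling = grant is not None and grant[0] <= when <= grant[1]
    if country not in user.countries and not travelling:
        return False, "country not allowed"
    start, end = user.hours
    if not travelling and not (start <= when.time() <= end):
        return False, "outside permitted hours"
    return True, "ok"

if __name__ == "__main__":
    designer = User("designer", "graphic_designer", {"US"})
    contractor = User("artist", "graphic_designer", {"US"}, expires=datetime(2024, 8, 1))
    noon, night = datetime(2024, 5, 6, 12, 0), datetime(2024, 5, 6, 3, 0)
    for args in [(designer, "design", "US", noon), (designer, "video", "US", noon),
                 (designer, "design", "DE", noon), (designer, "design", "US", night),
                 (contractor, "design", "US", datetime(2024, 8, 2, 12, 0))]:
        print(args[0].name, args[1], args[2], args[3], check_access(*args))
```

Logging the returned reason for every denial gives reviewers a short list of off-hours and out-of-region attempts to look at, instead of every login.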
Why Are Granular User Permissions Beneficial?
Where passwords act as insufficient protection from external and internal threats, preventing malicious access to systems involves upping the standard from just using credentials. The wrong person with the right credentials to access privileged files or systems can cause substantial damage. A simple phishing attack successfully carried out on your key people with high levels of access could open up access to client files, your server, and other client and employee information.
Granular user permissions significantly reduce the risk of external and internal attacks. Agencies that establish granular user permissions not only know what internal users are doing in the system but limit them to only the data and systems to which they need access. In doing so, the possibility of internal and external threats is dramatically reduced.
Can Granular User Access Grow with My Agency?
Yes, granular user access can easily grow with your agency. If new employees are brought in-house, contractors are used, or new positions are created, new rules and roles are easily instituted. If a new position in the company has specific access needs, add that role to the system.
The last thing your agency wants is for a role to be missed and left with full access, putting you at substantial risk, and rapid growth can do that. Fortunately, the ease of customizing and assigning roles ensures this isn’t a problem.
Why Are Internal Employees Such a Concern?
It often isn’t the employee that is the most significant concern, but someone gaining access through an employee, whether directly through their laptop or desktop or through phishing and keyloggers.
A two-tiered solution is the most secure protection. Start with limiting access to only what employees need to do their job so that external threats can’t access more than each employee can.
Beyond granular access, your agency needs to institute other policies that help prevent any access at all. Start with a requirement for robust passwords and train employees to identify malicious emails, which could be phishing attempts or malware.
Access limitations can go even further; two-factor authentication is one option. Two-factor authentication requires entering the password plus a code sent to the employee’s cell phone or email address.
Internal employees do sometimes constitute the threat themselves. A malicious act can come from a disgruntled employee or one engaged in corporate espionage.
Can I Block Access to Websites with Granular User Access?
Yes, granular access can apply to blocking specific websites. An easier way to achieve this is only to allow access to specific websites. First, ask yourself why you want to take such a step.
Employees have a personal connection to their workstations and feel unnecessarily constrained when unable to visit websites. It makes for considerable dissatisfaction and feelings of being distrusted, especially among your agency’s creative employees.
If you’re considering limiting access out of fear of malware or viruses, it’s better to trust your anti-virus software.
What Are the Consequences of an External Intrusion?
An external intrusion can be as simple as locking someone out of their system or trying to trick them into calling and paying someone posing as a major tech company. Still, there can be other attacks that are far more detrimental.
These risks include:
- Data deletion: Yes, an attack can be purely malicious without the intent of making money, simply deleting data. A loss of the agency’s work and client files would be devastating.
- Data theft: Information relating to your employees or clients has value, easily sold by hackers on the dark web. You’ll probably never know if the data was stolen and sold.
- Ransomware: Probably the most destructive act; it has become widespread, and the ransoms are very high. A malicious program infects one system and then spreads throughout your entire network, shutting everything down. Your files and data are held hostage unless you pay a ransom, and ransoms can range from tens of thousands to millions of dollars. While emergency IT support resolves many ransomware cases, many ransoms end up paid, and no assurance exists that the data isn’t used for other purposes.
Any intrusion brings reputational and legal risk to your agency.
Are Granular User Permissions a Standard Protocol?
Absolutely. Any robust IT security plan includes granular user permissions regardless of the company. Your data and work product represent the most significant value in your agency.