We often think of the end-user when it comes to cybersecurity risks, but in reality, Not for Profit system administrators can actually cause way more damage because of their “superpowers.”

This was the point of an email conversation I had recently with a CRM vendor who was trying hard to educate his customers about these risks.

No matter how much they spent on cybersecurity protection on their cloud-based solution, system administrators could very easily undermine everything they did and expose sensitive data.

This is because of their broad security rights to the system, or, as I like to say, their superpowers.

Yet, rarely does the administrator cause this kind of breach deliberately. Far more often it comes down to a lack of knowledge about the risks their rights carry.


What are common ways system administrators cause cybersecurity risks?

Here are just a few ways that system administrators can expose their organisation’s data to greater cybersecurity risks, and what they should do instead:

  • Sharing system logins and passwords – This is too common, especially when the organisation is trying to minimise software license costs.
    • If you must share passwords, use a Password Manager tool!
  • Failing to remove old administrators and users – This allows former employees to keep accessing the system, and it could also give a hacker a way in if the same login details were reused on another system that has since been compromised.
    • System access must be removed at an employee’s departure or even when they take extended leave.
  • Failing to make Multi-factor Authentication (MFA) the default setting – If MFA is available, turn it on as a mandatory setting for all users! Yes, some users will complain because of the inconvenience this may cause, but MFA is still one of the best ways to reduce cybersecurity risks.
  • Failing to tightly control access to systems – Users should only have access to the information they need to do their jobs, and no more. Giving employees greater access rights (particularly admin rights) may reduce helpdesk requests, but it also adds more risk to the organisation.
    • So, ensure user security roles are tracked and managed properly.
  • Failing to control data downloads – There are rarely good reasons for users to download large quantities of data from a system. Once this occurs, there is no longer an audit trail of what happens to that information; it can be shared without notice and stored in insecure places.
    • Administrators should limit who can download data and for what purposes. Admins should also review audit logs regularly to see who has done this.
  • Sending data to others via email or other insecure ways – If data must be shared, particularly with third parties, too often it is shared in an email or as an attachment. The organisation has lost control of the data at that point, and it sits vulnerable in mailboxes.
    • Only share sensitive data via secure file transfers or, at a minimum, via a password-protected SharePoint folder.
    • Microsoft system administrators (perhaps your Managed Service Provider) can also limit this if you have the right licenses and it is set up correctly.

Final Thoughts

It’s in the best interest of cloud software vendors to keep their systems as secure as possible. Unfortunately, an organisation’s system administrator can easily undo all this with their “superpowers.”

Knowledge is key to ensuring this doesn’t happen.


I regularly help Not for Profits with IT cybersecurity risk mitigations and investment decisions. Let me know if you need some help.


P.S. If you found this article helpful, you might want to read these too:

Coming Soon!

Cybercrimes are constantly evolving. Roundbox Consulting will soon release a new annual online cybersecurity training program, specifically designed to help Not for Profits with the latest knowledge to mitigate these risks. Let me know if you want to know more.


Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.
