Why should you, as a CIO, CISO, CAE, or in any leadership role, care about the details of user access reviews? A lot of companies do these types of access reviews and think they are fine with their current process.<\/p>\n
From the outside, it may appear user access runs smoothly, terminated employees are removed swiftly, and new users receive the correct level of access to the correct system. But start peeling back the layers, and you find there are many levels of user access you aren\u2019t considering. In our experience, this is the case more than 75 percent of the time.<\/strong> So, how can you improve user access levels and eliminate complacency in your company?<\/p>\n Can you confidently answer this question: Who has access to what? Then, can you answer that question for every critical system, database, and device throughout your company? Is the appropriate person completing routine reviews of detailed access reports? As much as it hurts to admit it, the answer is likely no.<\/p>\n Critical assets and information<\/a> often become vulnerable due to inaccurate access.<\/strong> User access is inherently risky due to frequent changes within the company and the human factor. People can unconsciously make a mistake or, in the worst case, be intentionally malicious.<\/p>\n The risk is much higher than necessary if given more access than required for their job duties. While the growing complexity of access management contributes to that heightened risk, so does the widespread complacency in managing user access.<\/p>\n