Who’s in charge? The need for third party (and internal) admins

We frequently receive requests from clients to grant administrative access to third parties or internal staff. Third parties often need some form of access to manage the application they are responsible for, and internal admins sometimes assist with running IT. ABT will generally be hesitant to provide these administrative credentials. Here is why.

Ultimately, we sign a contract with you where we take on responsibility for your network. We take this very seriously and run your IT like it is our own. We employ skilled staff, vetted for their abilities, security posture and personalities, and train them to develop their competencies and keep their knowledge up to speed. Surely there is the occasional mistake, and when that happens, we have a team of 40 staff and the backing of an industry channel to resolve the issue. And, very importantly, we have our staff sign NDA’s, so your data is protected.

Once we give “others” access to your network all of that is in vain. We do not know the people behind the often un-personal accounts we are to create. We do not know their skills, their level of risk-aversion or willingness to admit they did something wrong. Our systems and processes are kept protected with industry grade security standards. We are not saying we cannot be breached, but the chance is slim. Can your third party say the same? Remember they are only responsible for their application but can break your whole network, whilst they may not know the first thing about networks or servers.

And then the internal admins. We understand it is important for owners to have some level of access beyond that of the MSP. That completely makes sense. But to have an internal staff member have a fully operational domain administrative account or Office 365 global admin account often provides a risk. It is like going to the dentist and bringing your own drill. Of course, we get you to sign a document that waives all our responsibility in case something goes wrong, but we would rather not have to use that excuse. And don’t forget internal admins typically have access to all data, all email in your organization, including financial, salary and executive information.

In general, we will only provide the minimum level of administrative access required to get the job done for your third party or internal admin, and have these account have limited expiry dates. Ideally:

  • We don’t give our any administrative credentials other than an emergency admin account (the “break the glass” account), provided to the business owner “just in case”. Use of this account will be monitored.
  • Third parties can do their work while we log them in and look over their shoulder.
  • Your internal admin will have to trust us to do our job, and if access is required, only a limited level of access is granted.

Please understand we are not here to make your work harder, these measures are to protect you (and ourselves….)

How can we help protect you?

The security landscape continually changes. New vulnerabilities and threats are discovered all the time. It is important for you to know that you can rely on ABT to protect you as well as possible.

It is a little bit like protecting your home. 100% guaranteed security is impossible, but if you take all the recommended precautions (lock all your doors and windows with proper locks, have a working alarm system (or a noisy dog) and leave a light on if you go away for a while) you may just have enough deterrent for someone with bad intentions to skip your house.

Data and Information security is no different. Some of the mitigation strategies you can use are:

  • Ensure Multi-Factor authentication is enabled and use it.
  • Have a strong password that you do not use in multiple places.
  • Let us manage Microsoft Windows Updates on your workstation so it is kept up to date.
  • Always make sure an email is from a trustworthy sender.
  • Never click on a link in an email asking you to log in to something.
  • Make sure your important data is always backed up.
  • Limit the third party and internal administrative accounts on your network.
  • Use a VPN (Virtual Private Network) to connect to the office when you work remotely.
  • Do not use public Wi-Fi when you are connecting to company resources.
  • Stay away from “Social Logins”, for example where Facebook allows you to log in to a service giving the service access to your data and email.
  • Use a password manager to store all your credentials, rather than saving them in your browser.
  • Limit revealing personal info on social media. The posts where people share their first concert, favourite restaurant, the name of their pet and where they met their significant other may be interesting to see for their friends, but it also provides data that can be used to access accounts.

Our security specialists can assist you with performing an extensive security audit on your systems to reveal vulnerabilities you probably were not aware of. Preventing information breaches to occur is better than going through the very costly remediation and restoration required after a breach.