Every (security) system with users has an administrator. That is the person who can and may do everything. Make changes, export, view everything, modify everything. The administrator is the boss. They have a lot of power and great responsibility. In principle, there can only be one boss. But is that always the case?
In practice, we regularly encounter situations where this is not the case: multiple people in an organization use the administrator login credentials or have been given administrator rights, simply because it’s convenient and people are not aware of the risks it entails. I should note, however, that this usually occurs with smaller systems and not with large, complex systems. In those cases, it is generally well-regulated.
Case study: who is to blame?
In an organization with a camera system, multiple people use the same (administrator) login for the camera system recorder. All these individuals thus have access to live and recorded camera footage. They can make unlimited adjustments, or delete certain settings or images. This way, important evidence can be destroyed (intentionally or unintentionally). The system can even be rendered completely unusable. But who did it? All these people use the same login credentials, so even the activity log offers no answer: it always shows the ‘same’ person. It should be clear that this is an undesirable situation.
GDPR legislation extra incentive for user management
With the implementation of the General Data Protection Regulation (GDPR), there is an important additional reason to have your user management in good order. Personal data (including camera footage) should only be accessible to individuals who need to process it. And it must be traceable who did what and when. Incidentally, a thorough hierarchy in the user structure is not only (crucially) important in the business sphere. Even in private life, we often don’t have everything in order and multiple people (family members) often use the same login. Think, for example, of your mobile phone, Netflix account, or alarm system. Anyone who has the access code is essentially the administrator and can access everything. Consider carefully if that’s what you want…
Working with user groups reduces risk
With many users, user groups make management easier. Each person receives their own login and is added to a group with specific rights. An individual can also be easily removed from the system by deleting that individual login; the other group members retain their rights. However, removing users from the system remains a human action. An action that can be forgotten, resulting in old users retaining their login for a long time or even indefinitely. This is a serious issue and poses a significant risk to the system. This risk can be limited by linking the user database to a shared source, for example the HRM system, so that a departure is reflected in the system automatically.
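The two checks described above, individual accounts tied to a person and reconciled against the HRM list, as an added illustration that is not part of the original article. The group names, rights, account list and employee IDs are constructed for the example; a real recorder would expose its own account export and the HRM system its own feed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rights granted per user group (constructed example for a camera recorder).
GROUP_RIGHTS = {
    "viewer": {"view_live"},
    "operator": {"view_live", "view_recordings", "export"},
    "admin": {"view_live", "view_recordings", "export", "delete", "configure"},
}

@dataclass
class Account:
    username: str
    employee_id: Optional[str]       # None: not tied to one person in the HRM system
    groups: set = field(default_factory=set)

def effective_rights(account):
    """Union of the rights of every group the account belongs to."""
    rights = set()
    for group in account.groups:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights

def review_accounts(accounts, active_employee_ids):
    """Compare recorder accounts against the HRM list of active employee IDs.

    Returns (username, finding) pairs for accounts that need attention:
    more than one admin, shared/unowned accounts, and accounts whose owner left."""
    findings = []
    admins = [a for a in accounts if "admin" in a.groups]
    if len(admins) > 1:
        findings.append(("*", f"{len(admins)} accounts hold admin rights; expected one"))
    for a in accounts:
        if a.employee_id is None:
            findings.append((a.username, "not linked to a person: actions cannot be attributed"))
        elif a.employee_id not in active_employee_ids:
            findings.append((a.username, "owner left the organisation: disable account"))
    return findings

# Constructed sample data: a shared admin login, two linked users, one departed admin.
SAMPLE_ACCOUNTS = [
    Account("admin", None, {"admin"}),
    Account("j.smith", "E1001", {"operator"}),
    Account("k.jones", "E1002", {"viewer"}),
    Account("old.boss", "E0900", {"admin"}),
]
SAMPLE_HR_ACTIVE = {"E1001", "E1002"}   # IDs the HRM system reports as employed

if __name__ == "__main__":
    for username, finding in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR_ACTIVE):
        print(f"{username}: {finding}")
```

Running the review periodically (or on every HRM change) turns the forgotten offboarding step into a report rather than a lingering login.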
Password use remains a sensitive issue
And then there’s the issue of passwords. The complexity of these passwords is sometimes far from adequate. I still regularly encounter passwords like 1234 or 0000. The problem mainly lies with older systems that don’t require changing the default administrator password to a longer and more complex one. And then humans often prove to be lazy, and the default simple password remains. Until something goes wrong… The complexity and length of passwords really do matter. It also helps if each password is unique and not reused across systems. Hacking programs simply try all possible combinations of letters, numbers, and punctuation marks to gain access; the longer and stranger your password is, the longer it takes them to get in. Files with millions of passwords are now available online, either leaked in breaches or simply because they are frequently used. Fortunately, there are also various tools available to make password management better and easier.
Take action
Users are everywhere; at work and at home. But not everyone needs to be able to do everything, and not everyone should have access to everything (consider privacy legislation). Therefore, think carefully about an appropriate user structure with a clear hierarchy. Newer systems often already point out the risks to us and guide us in the right direction, but with older systems, we are often the victims of our own negligence. Don’t wait until it’s too late!