Keeping track of who has access to your online accounts
You live alone, but can you list who has a key to your front door?
Your grown-up daughter, your mum, the cleaner, the neighbour who feeds the cat, a former friend who house-sat once while you were away and a builder friend who is halfway through fixing your heating. That’s without factoring in the locksmith who cut three spare keys for you five years ago.
What happened to all those keys? Have you changed your lock recently?
As a single-person business, you might think you are the only one who has access to your online accounts, but the occasional, casual and guest users on your account can add substantial risk to the security of your information.
Most single-person businesses use IT support. It makes sense to outsource something that is potentially complicated and not your field of expertise. Do you know how many consultants access your account? Do they each have a separate admin account, or do they share one? If your friend has made a website for you on your laptop, do you know what accounts she has and what she is doing? If there is an incident and your computer has a problem, who instigated that problem? Unfortunately, this is still your problem.
On the Cyber Essentials verified self-assessment, question A 4.2 asks, ‘do you change your firewall password when you know or suspect it’s been compromised?’
Most single-person or micro businesses will answer, “our IT company does it”. But are you aware that if your firewall password has been compromised, there is a possibility the compromise may have taken place via the IT support company?
Account creation and tracking is a very important part of understanding and controlling who has access to your network and your data; this is part of supply chain security. You need to maintain control of this and be able to demonstrate that you take this seriously.
Third-party contractors aside, many sole traders truly believe they will never employ anyone else, so why would they have a process for creating user accounts? Yet work gets busy, things are hectic and, next thing you know, there are 10 employees. It’s really about understanding how to run an efficient and secure business that is ready for change and growth. Cyber Essentials will help you implement controls to be better protected, and you will also know what to consider if your business gets bigger, which happens a lot.
If you’re a micro company, and that’s up to 10 people, you should definitely have a process for creating and tracking user accounts and ensuring account separation. This is best practice and essential cyber security. Cyber Essentials is suitable for organisations of all sizes, which means sole traders, micros and large organisations all answer the same questions. A single-person business needs to understand the essence of good security and how processes will change if they grow bigger, so when they answer a question like A 7.1, ‘Are users only provided with user account after the process has been followed to approve their creation?’, they may clarify that they are currently the only one in the business but are aware of supply chain security and how things would change if employees came on board.
More guidance about answering the Cyber Essentials assessment questions for single person organisations is in development.