We often think of the end-user when it comes to cybersecurity risks, but in reality, your Association’s system administrators can cause significantly more damage.
This was the topic of an email exchange I had recently with an AMS vendor who was trying hard to educate his customers about these risks.
No matter how much his company spent on cybersecurity protection on their cloud-based solution, Associations’ system administrators could very easily undermine everything they do and expose sensitive data.
This is because of the Administrator’s broad security rights to the system, or as I like to say…their superpowers.
Yet the administrator rarely causes this breach deliberately. Instead, it is usually a matter of a lack of knowledge.
What are common ways system administrators cause cybersecurity risks?
Here are just a few ways that system administrators can expose their organisation’s data to greater cybersecurity risks, and what they should do instead:
- Sharing system logins and passwords – This is too common, especially when the Association is trying to minimise software license costs.
  - Better Practice: If you must share passwords, use a Password Manager tool. Ask your Managed Service Provider to help you set this up if you are unsure.
- Failing to remove old administrators and users – This allows former employees to access the system and could also lead to a hacker obtaining access if the same user/login information was used for other compromised systems.
  - Better Practice: System access must be removed at an employee’s departure or even when they take extended leave.
- Failing to make Multi-factor Authentication (MFA) the default setting – If MFA is available, turn it on as a mandatory setting for all users! Yes, some users will complain because of the inconvenience this may cause, but MFA is still one of the best ways to reduce cybersecurity risks.
  - Better Practice: Make MFA a default for all administrators as a minimum, but preferably for all users.
- Failing to tightly control access to systems – Users should only have access to the information they need to do their jobs, and no more. Giving greater access rights (particularly admin rights) to employees may reduce helpdesk requests, but it adds more risk to the organisation too.
  - Better Practice: Ensure user security roles are controlled, tracked and managed properly.
- Failing to control data downloads – There are rarely good reasons for a user to download large quantities of data from a system. When this occurs, there is no longer an audit trail of what happens to that information, and it can be shared without notice and stored in insecure places.
  - Better Practice: Administrators should limit who can download data and for what purposes. Administrators should also review audit logs regularly to see who has done this.
- Sending data to others via email or other insecure ways – If data must be shared, particularly with third parties, too many times it’s shared in an email as attachments. The organisation has lost control of the data at that point, and it’s also vulnerable sitting inside of mailboxes.
  - Better Practice: Only share sensitive data via secure file transfers or, as a minimum, via a password-protected SharePoint folder. Ask your Managed Service Providers for options if you’re not sure.
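Two of the practices above (removing old administrators, and reviewing audit logs for large data downloads) can be turned into a routine check. The script below is an added example, not code from the original post or from any AMS vendor; the audit log lines, their format, and the thresholds (5,000 records per user per day, 90 days without a login) are constructed assumptions that you would replace with your own system's export format and policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical AMS format, not a real product's):
# "<timestamp> <user> <role> <action> <detail>"
AUDIT_LOG = """\
2024-05-01T09:12:00 alice admin login -
2024-05-01T09:15:00 alice admin export records=120
2024-05-02T14:02:00 bob member login -
2024-05-02T14:05:00 bob member export records=4800
2024-05-02T14:20:00 bob member export records=5200
2024-01-10T08:00:00 carol admin login -
"""

EXPORT_THRESHOLD = 5000  # records exported per user per day that warrants a review (assumed policy)
STALE_DAYS = 90          # an admin with no login for this long should be reviewed or removed (assumed)

def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, detail = line.split(" ", 4)
        records = int(detail.split("=", 1)[1]) if detail.startswith("records=") else 0
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "records": records})
    return events

def bulk_downloads(events, threshold=EXPORT_THRESHOLD):
    """Users whose exports in a single day reach the threshold: (user, day, records)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "export":
            totals[(e["user"], e["ts"].date())] += e["records"]
    return sorted((u, d.isoformat(), n) for (u, d), n in totals.items() if n >= threshold)

def stale_admins(events, now, stale_days=STALE_DAYS):
    """Admin accounts whose most recent login is older than stale_days."""
    last_login = {}
    for e in events:
        if e["action"] == "login" and e["role"] == "admin":
            last_login[e["user"]] = max(last_login.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=stale_days)
    return sorted(u for u, ts in last_login.items() if ts < cutoff)

if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("Bulk downloads to review:", bulk_downloads(events))
    print("Stale admin accounts:", stale_admins(events, now=datetime(2024, 5, 3)))
```

Note that `stale_admins` only sees administrators who have logged in at least once; an admin account that was created but never used would need to be checked against the system's user roster as well.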
Final Thoughts
It’s in the best interest of all software vendors to keep their systems as secure as possible. Unfortunately, an Association’s system administrator can easily undo all of this with their “superpowers.”
Knowledge is key to ensuring this doesn’t happen.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around IT investments and cybersecurity risks.
Let her know if you need some help!