Granting employees admin status is convenient but risky
One of your employees needs access to part of your customer database so he can fulfill an urgent reporting request. You’re busy and this employee is trustworthy, so you grant him administrative status. Simple solution, right? You’ll revoke it later when you’re done with the other 600 critical things you’re working on right now. Right?
Not so fast. In reality, freely granting employees admin status is one of the most common mistakes enterprises make. Even if employees don’t have malicious intent — and the vast majority do not — this move still exposes companies to serious risk. An employee with full admin access, for example, can see everything but is also free to make changes to the code and configuration of your applications, thinking they’re just “tweaking” their personal experience.
A ton of important information can be accidentally deleted or altered with the click of a button. Granting employees admin status can also expose sensitive information. Plus, the more admin users you have, the more opportunities for hackers to break into your system.
In other words: more admins, more risk.
These are just a few examples that illustrate the importance of investing time in granting employees the appropriate permissions. You want them to access what they need to perform their jobs well, but no more. Of course, it makes sense for some employees to have administrator status, but you also need to have a smart system in place for determining who can access what.
It boils down to protecting your competitive edge. A lot of intellectual property lives inside your Salesforce and other critical business platforms. That intellectual property might be in the form of custom code, the workflows that drive your decision-making, or data that determines your next big product launch. It’s the secret sauce that differentiates your enterprise in the marketplace.
Allowing your employees — whether intentionally or not — to expose that information to the public represents a major competitive disadvantage, and it’s potentially risky for your customers. Just bad news all around.
Creating smart permissions and protecting your edge
While it’s certainly not considered a “security best practice” to freely grant employees admin status, this is a common occurrence. Think of the issue in terms of home security. You wouldn’t leave your windows and doors open and just rely on the good intentions of your neighbors to protect you from theft, right? It might be easier to never worry about locking your door on your way out, but that doesn’t make it a smart move.
Granting employees admin status is similar. Most employees want only what is best for the enterprise, but that doesn’t make them security experts. Locking down your checks and balances with admin access is low-hanging fruit, just like closing your windows and locking your doors.
Take the time to develop a system to grant proper permissions, and you can focus on more nuanced security risks, elevating your security posture to a whole new level. The following steps can help you get started:
1. Know your data. Perform a full data classification exercise so you know what data points are being stored in your CRM system and what you’re trying to protect. Group information into risk levels and the corresponding security controls required for protection.
2. Know your users. Create a system for tracking users and their access levels. Your data classification system can help you make informed decisions about how much access to grant individual users.
3. Educate your team. Communicate your classification system with your team so they are aware of data sensitivity and the steps required to protect it against inadvertent disclosure. Adding a color code to the system can serve as a visual reminder of the security risks associated with different types of data.
4. Create an effective permission set. Give different permission levels straightforward names so you know what information each set unlocks. By taking the time to create a thorough list of sets, it will be simple to grant someone the proper access, negating the impulse to make people admins.
Remember, you probably won’t be the last admin for your business. If you haven’t taken the steps outlined below, the next person to come in will go and create a permission set that allows them to do what they need to do, leaving the company with duplicate permission sets and exposed to a ton of security risks.
Making everyone an admin is common because it seems on the surface to be the easiest, quickest solution. But you could end up with a time-consuming, expensive mess on your hands if you don’t do the legwork up front to ensure you’re granting employees proper access.