Be aware of who you give access to which data and services
To minimise the risk of accidents and misuse, it is important that everyone inside and outside the company only has access to the systems that suit the work and the period for which access is required. Extended access rights should only be given to those who need it.
Why this basic principle?
By limiting and determining access rights per employee, you prevent people inside and outside your company from accessing systems and data that they do not need to perform their work.
What should you do?
- Define per employee, or rather per role, which systems and data they should have access to in order to do their work. An overview or a rights matrix (in Dutch) is useful here.
- Next, ensure that an employee can log in to the systems and identify themselves as that employee with associated access rights.
- Use secure and strong passwords and arrange two-factor authentication (in Dutch) login for important systems and data.
- Limit employees' physical access to areas where systems run (such as servers) or devices (such as external hard drives and flash drives) and documents are stored.
- Make sure systems lock automatically after a few minutes so that they cannot be accessed by unauthorised persons. Also make agreements with employees that they will lock their system themselves when they walk away from their workplace.
- Make sure that access rights are adjusted when someone (inside and/or outside) takes up a new position or leaves the company. This is especially important in the event of a sudden (non-voluntary) departure of a system administrator. This also applies if you start working with, for example, a new supplier or accountant.
Useful formats for administering access rights can be found in employees' entry and exit (in Dutch).
Read more about the 5 basic principles of running a secure digital business.