As a small business owner, you’ve taken steps to protect your network from a costly data breach. You’ve invested hours in educating your staff about security and how to avoid falling prey to cyber-crime. You require employees to change their passwords on a regular basis, and have even banned them from using certain websites — including social media — that are likely to lead to a breach.

You have installed antivirus software, have a strong firewall, and encrypt everything that comes in or out of your network. You might even believe that you have thought of everything when it comes to securing your network — but there is a good chance that you overlooked one key piece of the security puzzle.

What Can Your Employees Do On Their Machines?

Imagine this: One of your sales staff discovers a great new app that helps her keep track of prospects and appointments. She downloads it to her company computer and begins inputting customer profile data into the app — without ever considering how the application handles security. At the same time, your marketing manager installs her personal copy of a graphic design program onto her machine for designing the company newsletter, and another employee, who studies computer programming in his spare time, makes changes to his machine’s settings to make it run faster.

While all of these activities seem harmless on the surface — after all, they all increase productivity and help employees do their jobs — each one is dangerous in its own way. And the only reason that any of these activities is even possible is that the employees have administrator level privileges on their machines.

When you purchase your own personal computer, you automatically have administrator privileges. It only makes sense — it’s your computer, and you have the right to do whatever you wish with it (within reason, of course). You can add software and applications, change settings, access any websites you wish, and generally have free reign over the machine. Since most home computers aren’t networked, or only networked with a few other devices within the home, a security breach, while certainly costly and inconvenient, isn’t likely to lead to significant data loss and issues with governmental compliance.

A corporate machine, on the other hand, often contains information and applications that could prove devastating to a business should it fall into the wrong hands. And when employees have unfettered access to the settings on their computers and can do whatever they wish in terms of adding or deleting programs, reconfiguring settings, and making other changes, the likelihood of a security breach increases considerably.

A Double-Edged Sword

In some small businesses, owners allow employees to have administrator privileges as a matter of convenience. It’s simply easier to allow employees the highest level of access than it is to constantly deal with a barrage of requests for new software or to install updates.

Yet that convenience comes with a price. More specifically, when everyone has administrator privileges, several problems can occur:

New configurations increase potential for malware infection. Virus protection is vital for keeping harmful malware off the network, but when employees change settings, it could compromise the effectiveness of that protection. For example, virus definitions must be continually updated, but when the settings are changed and prevent that from happening, new malware can get through.

Software creates possible licensing issues. Software piracy is a major issue in business, and those enterprises caught using unlicensed or pirated software can face stiff penalties. When employees are allowed to install whatever programs they wish on their machines, they could be in violation of licensing agreements, and the company can be held liable.

Unapproved software may be unsecure. Applications designed to store or process sensitive or protected data must meet specific security parameters; in the event there is a breach if it’s found that the software being used didn’t meet those requirements, a company could face stiff fines. When an employee with administrator privileges installs software without approval and uploads sensitive data, they could be creating a potentially dangerous and costly situation for their employer.

Employees are targets. Many criminals who attack businesses — both large and small — do so by targeting employees. Instead of attempting to hack in through a firewall, for example, they send malware via email, which grants them access. If the employer has administrator-level privileges, that attack could prove devastating; without those privileges, the attack is more likely to be unsuccessful.

Restricting administrator privileges is actually one of the easier methods of securing your business’s network and the data it contains. Reserve those privileges for the IT department or security team, and develop an approval process for new software or processes. The result will be a more secure network and a reduced likelihood of costly sanctions.


  1. But what can be done about it? Is monitoring software the right thing to be used in such cases? From my point of view such monitoring tools as Anturis or Nagios can sometimes be the only way to control what it happening in the company. What do you think?

Comments are closed.