3 Myths You Should Know About Access Reviews
Access reviews are crucial for keeping your business secure, so it’s important to be clear on what is and isn’t true surrounding employee privileges and how they can be monitored.It’s not always easy to know which of your employees should be allowed access to the systems you use—especially when so many data breaches involve a human element. Regularly reviewing personnel privileges can save your business from a costly cybersecurity incident, but how much of what we hear about access reviews is actually true?
We’re breaking down some of the most widespread myths about access reviews.
Myth 1: They Need to Be Performed Often
One of the most common misconceptions about access reviews is that they need to be performed quarterly or even monthly. This can make them feel largely overwhelming and difficult to keep up with.
In Reality
In most cases, compliance frameworks require access reviews to be done once a year at a minimum. PCI DSS 4.0 has a periodic access review requirement, but you will have to do it annually to satisfy the control. Both NIST 800-53 and HIPAA leave it up to you to create your own periodic schedule of access reviews.
Of course, yearly is a minimum requirement, and the more closely you monitor employee access, the better, but we recommend establishing a cadence that matches your bandwidth—whether that’s monthly, quarterly, or yearly.
Myth 2: They Are Difficult for Small Businesses to Manage
It’s easy to feel like access reviews require lots of documentation and labor to complete. Going through each of your employees’ privileges and authorizations can be time-consuming and expensive in labor costs.
In Reality
This is only true if your company hasn’t implemented things like role-based access control, temporary authorization, and least privilege. Let’s take a look at each of these and how they can streamline the access review process.
Least privilege: The Principle of Least Privilege (POLP) is the idea that employees should only have access to the minimum amount of privileges they need to do their job.
Role-based access control: This allows you to put POLP into action by monitoring employee access based on their role. For example, someone on the marketing team may have access to Google Analytics or the company’s social media accounts, while those in the finance team may not.
Temporary authorization: Many software services allow you to offer temporary access to your employees. This is especially helpful when an employee is working on a special project or needs access to something that’s typically out of their scope.
Even just one of these things can help organize your access reviews by keeping the information needed manageable and easy to find.
Myth 3: They Take Small Businesses Months to Finish
Many companies are easily deterred from completing access reviews because of the time it might take to complete them.
In Reality
The amount of time an access review takes is directly related to the number of employees your business has, applications that need to be reviewed, and people involved in the review—mostly because the process requires a look at each employee’s permissions. This means access reviews aren’t as big of a project for smaller businesses than they are for enterprise businesses. If you are a newer startup—or you simply keep your team lean—and you have about a hundred employees, access reviews shouldn’t take longer than a month or so.
Drata is built on trust, and that begins with being transparent about every step throughout the compliance process. Access reviews are crucial for keeping your business secure, which makes it easy to believe they can only be completed with an automation tool. The truth is, the access review functionality that’s on the market today may end up adding more work for some businesses.
For more industry insight, subscribe to Trusted, our bimonthly newsletter.