No.3 - Control Privileged Access

In addition to the customer- and employee-facing systems you operate, such as websites and email, you will have a lot of hidden infrastructure working hard for you. These are the directories, databases, file systems and routers that enable your IT to work. Whether this happens on-premises or in the cloud, someone has to configure, manage, and maintain these systems. If an attacker gets access to the accounts used to manage these systems, it can be game over: they have access to everything on your network.

Admin accounts should be very carefully controlled, with rigorous use of MFA, careful access management, and a record of when an account is checked out for use, why, and by whom. IT staff should not commonly use privileged accounts for email and web browsing; they should do so only when unavoidably necessary. Solutions vary from costly enterprise apps, to the functionality built into cloud platforms, to free key safes.