Access control — determining who can access what systems, data, and functions within your organisation — is one of the most powerful security controls available, and one of the most commonly overlooked in small businesses. The instinct in a small, trust-based organisation is to give everyone access to everything and adjust later if problems arise. In practice, "later" never comes, and the result is an environment where any compromised account, any careless staff member, or any malicious insider has access to the entire organisation's data.
The principle of least privilege is the foundational concept: every user, system, and process should have the minimum access necessary to perform its function, and nothing more. This post explains how to apply this principle practically in a small business without significant complexity or cost.
Why Access Control Matters
Three scenarios illustrate the practical value of access control:
External attacker. A staff member falls for a phishing email and an attacker compromises their account. If that account had access only to the files relevant to their role, the attacker's access is limited to that scope. If the account had access to everything — including the financial system, the client database, and the HR records — the breach affects everything. Least privilege contains the blast radius of a compromised account.
Insider threat. A departing employee decides to take client data to a competitor. Their ability to do so is directly limited by what data they have access to. An employee in a client-facing role who has no access to internal financial records cannot take what they can't reach.
Ransomware lateral movement. Ransomware that compromises a standard user account and then attempts to spread across the network will be limited by what that account can access. A ransomware infection on an account with access to one file share is very different from one on an account with access to everything, including backup systems and administrative tools.
Understanding User Account Types
The most important distinction in user account management is between standard accounts and administrator accounts.
Standard user accounts can use applications, access their permitted files and services, and perform normal work tasks. They cannot install software system-wide, change system settings, or modify other users' accounts. This is the account type that the vast majority of staff should use for their day-to-day work — including IT staff.
Administrator accounts have elevated privileges: they can install software, change system settings, create and modify accounts, and access system-wide resources. Administrator access should be used only when specifically needed for an administrative task, and should be held only by those with a genuine operational requirement for it.
A common and dangerous pattern in small businesses is that every user has been given an administrator account by default — often because it was easier during setup, or because someone needed to install software once and was given admin rights that were never removed. Administrator accounts that are used for day-to-day work dramatically increase the impact of a compromise: malware running under an administrator account can do things that malware under a standard account cannot.
Role-Based Access: A Practical Approach
For a small business, role-based access doesn't require complex software. Start with a simple question: what does each role in the organisation actually need to access to do their job?
A receptionist needs access to the calendar and appointments system, email, and possibly a client-facing CRM. They don't need access to financial records, payroll, or the legal document archive. A fee earner in a law firm needs access to client matter files and the practice management system, but not necessarily to other fee earners' matters. A finance function needs access to the accounting system and financial records, but probably not to the HR system's salary data beyond their own.
Map roles to required access, then audit whether actual account permissions match. In most organisations that haven't done this exercise, the audit reveals significant over-provisioning: accounts that have access far beyond what their role requires, often because access was added at some point and never reviewed.
Privileged Access: Separation and Protection
For accounts that do require administrative or privileged access — IT administrators, system owners, senior managers with elevated system permissions — several additional controls are appropriate:
- Separate accounts for privileged tasks. A sysadmin should have a standard account for email and day-to-day work, and a separate administrator account used only for administrative tasks. If the standard account is compromised via phishing, the attacker doesn't automatically have admin access.
- MFA on all privileged accounts. If there is one account category where MFA is non-negotiable, it is privileged accounts. A compromised admin account is a compromised organisation.
- Audit logging of privileged actions. What your administrators do with their elevated access should be logged. This provides both a deterrent against misuse and a forensic record in the event of an incident.
- Minimal standing access. Where possible, privileged access should be granted for specific tasks and time periods, not held permanently. Just-in-time access models — requesting elevation for a specific task and having it expire — reduce the window in which a compromised privileged account can be misused.
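As an added illustration of the controls above (not code from the original post), the following check runs over a constructed account inventory and a constructed privileged-action log and flags three of the gaps listed: privileged accounts without MFA, privileged accounts used for day-to-day work, and privileged actions outside an assumed business-hours window. All account names, actions and timestamps are made up.

```python
# Added example, not from the original post: hygiene check over a
# constructed account inventory and a constructed privileged-action log.
from datetime import datetime

# Constructed inventory: is the account privileged, and is MFA enforced?
ACCOUNTS = {
    "dan":       {"privileged": False, "mfa": True},   # standard account
    "dan-admin": {"privileged": True,  "mfa": True},   # separate admin account
    "erin":      {"privileged": True,  "mfa": False},  # admin used for daily work
}

# Constructed log lines: (timestamp, account, action).
LOG = [
    ("2024-05-13T09:02:00", "dan",       "mailbox_signin"),
    ("2024-05-13T09:30:00", "dan-admin", "create_user"),
    ("2024-05-13T11:15:00", "erin",      "mailbox_signin"),
    ("2024-05-14T02:40:00", "erin",      "reset_password"),
]

# Mail or chat sign-ins from a privileged account mean it is being used
# for day-to-day work rather than kept separate for admin tasks.
DAY_TO_DAY = {"mailbox_signin", "chat_signin"}
PRIVILEGED_ACTIONS = {"create_user", "reset_password", "grant_role"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; an assumption

def check_privileged_accounts(accounts, log):
    """Return a list of (account, finding) tuples for the gaps the post lists."""
    findings = []
    for name, info in accounts.items():
        if info["privileged"] and not info["mfa"]:
            findings.append((name, "privileged account without MFA"))
    for ts, name, action in log:
        privileged = accounts.get(name, {}).get("privileged", False)
        if privileged and action in DAY_TO_DAY:
            findings.append((name, "privileged account used for day-to-day work"))
        if privileged and action in PRIVILEGED_ACTIONS:
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                findings.append((name, f"privileged action '{action}' at {ts}"))
    return findings

if __name__ == "__main__":
    for account, finding in check_privileged_accounts(ACCOUNTS, LOG):
        print(f"{account}: {finding}")
```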
The Joiners, Movers, and Leavers Process
The most common access control failure in small businesses is not poor initial provisioning — it is failure to maintain the access inventory over time. The joiners, movers, and leavers process is the operational mechanism that keeps access aligned with current roles:
- Joiners: New staff are provisioned with the accounts and access appropriate to their role — not a copy of the nearest person's access, and not everything. The role-to-access mapping done earlier provides the template.
- Movers: When staff change roles, their access is reviewed and updated to reflect the new role. Access from the old role that is no longer needed is removed.
- Leavers: When staff leave, all their accounts are disabled on their last day — or before, if they leave under difficult circumstances — and eventually deleted. This includes not just the main business email account, but every service they had access to: cloud applications, the VPN, remote desktop, the building access system, and any supplier portals they used on behalf of the business.
A current asset inventory — as discussed in the second post in this series — is what makes the leavers process reliable. Without it, accounts are missed.
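The role-to-access audit from the role-based access section and the movers and leavers steps above can be driven from the same data. The following is an added example, not code from the original post; the roles, systems and people are constructed, and the service inventory stands in for the asset inventory the post refers to.

```python
# Added example, not from the original post: audit actual access against a
# role template, then derive mover and leaver actions from the same records.

# Required access per role, following the roles described in the post.
ROLE_ACCESS = {
    "receptionist": {"calendar", "email", "crm"},
    "fee_earner":   {"email", "practice_mgmt", "own_matters"},
    "finance":      {"email", "accounting", "financial_records"},
}

# Constructed inventory: each person's role, the services where they hold
# an account, and the access those accounts currently carry.
ACCOUNTS = {
    "alice": {"role": "receptionist",
              "services": {"m365", "crm", "door_system"},
              "access": {"calendar", "email", "crm", "financial_records"}},
    "bob":   {"role": "fee_earner",
              "services": {"m365", "practice_mgmt", "vpn", "supplier_portal"},
              "access": {"email", "practice_mgmt", "own_matters", "accounting"}},
}

def audit_access(accounts, role_access):
    """Return {person: (excess, missing)} for accounts whose access differs
    from the role template; an unknown role counts as entirely excess."""
    findings = {}
    for name, info in accounts.items():
        required = role_access.get(info["role"], set())
        excess, missing = info["access"] - required, required - info["access"]
        if excess or missing:
            findings[name] = (excess, missing)
    return findings

def mover_changes(old_role, new_role, role_access):
    """Movers: (access to remove from the old role, access to add for the new)."""
    old, new = role_access[old_role], role_access[new_role]
    return old - new, new - old

def leaver_checklist(name, accounts):
    """Leavers: every service where this person holds an account, so that
    none is missed when disabling on the last day."""
    return sorted(accounts[name]["services"])

if __name__ == "__main__":
    for person, (excess, missing) in audit_access(ACCOUNTS, ROLE_ACCESS).items():
        print(f"{person}: remove {sorted(excess)}, grant {sorted(missing)}")
    print("bob -> finance:", mover_changes("fee_earner", "finance", ROLE_ACCESS))
    print("alice leaving, disable:", leaver_checklist("alice", ACCOUNTS))
```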
Access Control Is Prevention. Monitoring Is Detection.
Least privilege limits what an attacker can do with a compromised account. Continuous monitoring detects when a compromised account is being misused — unusual access patterns, accounts accessing data outside their normal scope, privileged actions at unexpected times. Your named analyst investigates these anomalies. Together, prevention and detection are far stronger than either alone.