Why reviewing accounts regularly is crucial to data security

Don't Let Dormant Accounts Become Open Doors

03 June 2025 | Yvette Peterson
Make account reviews a routine, not a reaction

One of the most important aspects of keeping your organisation’s data safe is regularly reviewing all accounts with access to your systems. Poor account management is one of the leading causes of security breaches. These often result from weak access control, overlooked accounts, or a simple failure to follow basic security protocols. By auditing all accounts regularly, you can reduce the risk of unauthorised access and potential compromises.

Key points to keep in mind when reviewing and managing accounts

1. Follow the principle of least privilege
The principle of least privilege (PoLP) dictates that users should be granted the minimum level of access required for them to perform their role. This reduces the risk of unauthorised access or malicious activity within your network. It’s important to review permissions regularly to make sure no user has access beyond what they strictly need. When users change roles and no longer require certain privileges, their permissions should be adjusted promptly to reflect this.

2. Make sure passwords are appropriately complex
A strong password is one of the simplest, but most effective, defences against unauthorised access. Encourage users not to use short, easily guessable, or commonly used passwords. Implementing a password policy will help with this. Whenever possible, enforce the use of multi-factor authentication (MFA), especially for high-privilege accounts.

3. Limit remote access to accounts that really need it
Remote access is a common target for threat actors. To minimise this risk, restrict remote access to those who genuinely need it. Review accounts with remote access permissions periodically, and revoke access for anyone who no longer needs it. To protect remote connections, you should also consider implementing network segmentation and using VPNs, or other secure access methods, along with encryption.

4. Delete accounts that are no longer required
Inactive accounts pose a significant security risk. When an employee leaves, when contractors complete a project, or when a service is no longer in use, delete the associated accounts promptly. Otherwise you could be leaving doors open for attackers. Regularly check for dormant accounts and remove any that are no longer needed. This prevents them becoming vulnerable entry points.

5. Encourage the use of secure password managers
Storing passwords in insecure locations, like text files on desktops, is a dangerous practice that can easily lead to a breach. Encourage employees to use secure, encrypted password managers to store and manage their login credentials. This reduces the likelihood of passwords being leaked or stolen and makes it easier to implement complex passwords across the organisation.

6. Look out for accounts you don’t recognise or which seem suspicious
Regularly monitor and audit your accounts to identify any that don’t seem to belong or seem suspicious. This includes accounts with unusual names, permissions, or login activity. Suspicious accounts can be an indication of a compromised system or unauthorised access. Investigating these accounts promptly can help prevent further exploitation.

7. Review service accounts and their permissions
Service accounts often get forgotten in the broader account management process. These accounts typically operate with elevated permissions to run automated processes or manage critical system services. But, because they often cannot be secured with multi-factor authentication, they become prime targets for cybercriminals. It’s essential to ensure that service accounts don’t use default passwords. These are widely known and often published online, making them an easy target for attackers. Because service accounts typically have high-level access and are often not monitored closely, a compromise can go undetected and lead to serious security breaches. It’s also important to review service accounts periodically to make sure only necessary accounts are active – and that their permissions are as limited as possible.

8. Monitor account activity for unusual behaviour
Regularly monitor account activity for signs of unusual behaviour, like logins from unrecognised locations or devices, repeated failed login attempts, or sudden changes in account privileges. Many modern security tools offer automated detection of anomalous activity, which can help identify potential compromises before they escalate. For example, Solis' Managed Detection and Response (MDR) service continuously monitors your systems, detects cyber threats in real time, and responds rapidly to contain and resolve incidents before they cause harm.


Real-world examples of the dangers posed by poor account management

VPN access and service accounts
When investigating the causes of one recent incident, we found that VPN access for all users had been protected by two-factor authentication (2FA). So far, so good. But service accounts – which cannot use 2FA – also had access to the VPN. This made it easy for a compromised service account to access the environment via the VPN, without encountering additional layers of protection. This underlines the importance of reviewing access for all accounts, especially service accounts, and ensuring that sensitive systems are adequately protected.

Compromised domain administrator account
Another investigation revealed that a domain administrator account belonging to a former IT service provider had been left active long after their services had been terminated. The account had never been deleted and, unfortunately, ended up being compromised by a threat actor. The attacker gained complete access to the network and was able to carry out malicious activities undetected. This serves as a reminder of the importance of regularly auditing and removing access for accounts tied to former employees, contractors or third-party service providers.

Additional tips for account management

  • Implement role-based access control
    Role-based access control (RBAC) can help ensure that individuals are only given access to systems and data directly relevant to their roles.
  • Automate account reviews
    Where possible, automate account reviews and alerts to make sure you don’t miss critical audits or potential security risks.
  • Educate users
    Make sure all your employees understand the importance of proper account management. This includes the secure handling of passwords, being able to recognise phishing attempts, unusual verification requests, and other suspicious activity, and understanding when and how to report these.
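
As an illustration of an automated review (an added example, not part of the original article or any Solis tooling), the script below checks an account inventory for the problems described above: accounts of departed owners, dormant accounts, service accounts with remote access, and privileged accounts without MFA. The export columns, the sample rows and the 90-day dormancy threshold are all assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's schema.
SAMPLE_EXPORT = """username,type,privileged,mfa,remote_access,last_login,owner_status
a.khan,user,no,yes,yes,2025-05-28,active
j.doe,user,yes,no,no,2025-05-30,active
svc-backup,service,yes,no,yes,2025-06-01,active
old-msp-admin,user,yes,yes,yes,2024-11-12,departed
temp-contractor,user,no,yes,no,2025-01-15,active
"""

DORMANT_AFTER_DAYS = 90  # assumed threshold; set it from your own policy


def review_accounts(export_text, today):
    """Return {username: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        is_service = row["type"] == "service"
        privileged = row["privileged"] == "yes"
        idle_days = (today - date.fromisoformat(row["last_login"])).days

        # Former employee, contractor or provider whose account is still present.
        if row["owner_status"] == "departed":
            issues.append("owner departed: remove account")
        if idle_days > DORMANT_AFTER_DAYS:
            issues.append(f"dormant for {idle_days} days")
        # Service accounts cannot use MFA, so remote access bypasses that layer.
        if is_service and row["remote_access"] == "yes":
            issues.append("service account has remote access")
        if privileged and not is_service and row["mfa"] != "yes":
            issues.append("privileged account without MFA")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_EXPORT, date(2025, 6, 3)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Run on a schedule against a fresh export, a non-empty result is the trigger for a manual review rather than an automatic deletion.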

Conclusion

Regularly reviewing and managing all accounts is essential to minimising security risks in your organisation. By following best practices – like the Principle of Least Privilege, ensuring strong password policies, and staying vigilant about suspicious account activity – you can significantly reduce the likelihood of unauthorised access. Cybersecurity is not just about protecting data. It’s also about safeguarding your systems from the inside out. Regular audits can go a long way to ensuring that your environment remains secure, resilient and hard for attackers to exploit.