Cyber Security 101 – User Access Control

User Access Control

Cybersecurity and data protection can be confusing. There’s a wealth of information out there, but what’s good advice and what’s bad? And how do you get started once you know what you need to do? At CyberSmart, we believe that Cyber Security should be accessible and easy for everyone. So, we’ve put together a set of simple guides to help you get started, this time we’re talking user access control.

What is user access control?

Companies implement user access policies to regulate who can access the companies information or IT systems and outline the associated access privileges for users. The purpose of these policies/procedures is to prevent unauthorised access to your companies information and systems. Makes sense, right?

In reality, lots of companies don’t have formal user access policies or guidelines in place. Why? Because they don’t know what to do and where to start.

We at CyberSmart like to use a new starter as a reference point to make sure we cover everything in the user account lifecycle from the initial set up to changing job roles and ultimately, leaving the company.


Once a new starter joins, you will likely create a new user profile for his workstation, email account, data storage programs, cloud software, applications, etc. The best question to ask at this point is: What access does the user need to perform her day to day job?

Uncontrolled access to everything can be handy. We have seen many companies where everyone has access to everything, meaning that the risk is much higher to suffer a data breach because information can get lost, misused or get into the wrong hands.

Therefore, it is recommended to give your new starter less access to information initially. Over time you will both figure out what they need to do their job, and it is always easier to give more access later on than to review and remove access rights – think of shared Dropbox folders.

User identification

Every user should access your system with a unique user ID (such as email address or username) and a unique password. It is not recommended to have shared accounts as there is a lack of transparency and traceability in case of a data breach. If you have a business case for shared user credentials, we recommend using a password manager that stores login details and can be used by the entire team.

Once you have created new profiles, encourage your user to change the password to a strong password. A strong password is at least eight characters long, difficult to guess and consists of a combination of upper and lower case letters, numbers and special characters, like “2;u{DNG7Gbp”.

A difficult password to guess is also a difficult password to remember. Again, using a password manager solves this problem.

Ongoing user access management

An admin/founder/team leader should review your companies users and their access rights on a regular basis, ideally every six months or when a significant change to the business occurs. A simple spreadsheet or list is useful to have an overview and track users and their rights. In your CyberSmart Admin dashboard, you can see all your users and their rights, to make your job easier.

It is your user’s responsibility to prevent their user ID and password from being misused, which means that you should communicate that:

  • Users should not share their credentials
  • Users should store passwords in a secure place like a password manager and not on a sticky note on the screen
  • Change passwords when they believe they may have been compromised
  • Not give external parties access to your companies systems
  • Notify the admin/founder/team leader when they change roles and need different access privileges.

User deregistration

Once a team member leaves your company, make sure to remove all access rights immediately, ideally on their last day at work.

Back in our consultancy days, we have worked with a company where a bad leaver left the business on a Friday, and over the weekend he managed to transfer a significant amount of data outside of the company. The company didn’t revoke his access and didn’t notice it for months. Later, they had to report an incident and notify it is customers months after the employee left.

In case you need someone’s old user credentials, make sure that you change the password immediately after the person left your company.

If you have any questions around User Access Control or Cyber Security in general or just want to have a chat, drop us a line at

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button