“Why can’t I be the admin of my own computer?”
It’s a question that everyone who works in IT dreads being asked. Admin privileges are a useful thing to have, after all. They’re required for major system changes to a device, which can cover everything from editing files to downloading software. It can get incredibly frustrating to have to call up your IT provider just to have them type in a passcode. When your role requires regular software downloads, it makes sense to want to ‘cut out the middle man’ so to speak. After all, what’s the worst that can happen?
Principle of Least Privilege
No two IT providers are exactly the same–we’re all special little snowflakes like that. However, like snowflakes, that’s almost impossible to tell when you aren’t an expert (and even then, you have to get really close). Many of the basic principles of IT and cybersecurity are shared among various providers. One of those principles is that of least privilege. Essentially, least privilege is the idea that each user should have the least amount of privilege necessary to get their job done. Some end users may require admin-level privileges to complete their work, but the vast majority do not.
The goal of the principle of least privilege is to limit the damage that any one account can do to a system. That damage could be the fault of the end user, like if they deleted an important file or downloaded malware to the device. In many cases, the end user is not at fault, and their account was compromised by a threat actor. Whatever the scenario, it’s one that could have been limited or even prevented by the principle of least privilege.
For each additional admin account on a device, that device’s exposure to threats increases dramatically. When that device is used for work, additional admin accounts raise the business’s exposure to threats as well. An admin account allows a threat actor to make major changes to a device that can damage an entire organization before being contained-if they are contained at all.
In short, is the principle of least privilege annoying? Yes. Is it much less annoying than a full-blown security failure? Definitely.