Skip to content
Let's Talk

3 key user management practices

From school districts to local councils, public entities are under siege from a steady drumbeat of digital threats. These aren’t just isolated incidents or headline-grabbing hacks, but daily disruptions targeting the very institutions that communities rely on.

And while the threats have grown more sophisticated, the resources to combat them often haven’t kept pace. Tight budgets, limited staff, and aging infrastructure mean cyber risk management is frequently pushed to the sidelines – not by choice, but by necessity. The problem? Attackers know this and they’re exploiting it.

Despite this, however, there are fundamental and cost-effective practices that most organizations can implement to reduce their cyber risk exposure. One of the key areas is effective user management, which simply means overseeing and controlling access to an organization’s systems and data. It is a cornerstone of cyber risk management — yet it is where many entities fall short. At KYND, we're here to help. In this article, we highlight three critical user management cyber risks and provide practical solutions to mitigate them. Let’s dive in, starting with multi-factor authentication.

Risk #1: Not using multi-factor authentication

First and foremost, what is multi-factor authentication (MFA)? It’s perhaps a term you’ve heard before but can’t fully explain. In essence, it’s quite simple: Multi-factor authentication adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource, such as an application or online account.

This could include something you know (password), something you have (smartphone), or something you are (fingerprint). For example, it could involve you receiving a code via text message that you need to enter before you can log into your email account. According to our research, only 31% of organizations confirmed MFA for email access on personal devices.

This leaves 69% at risk of internal origin phishing. Additionally, only 23% had MFA for backup access, exposing 77% to potential cyberattacks targeting backups. The biggest challenge with implementing MFA usually isn’t technical – it’s the human factor. With that in mind, start with a few simple steps before expanding further.

MFA best practices:

Identify points of authentication: Where do users log in to access mission-critical services or confidential data? Start with obvious access points — such as email accounts — to pilot the process. Determine which systems and data need the most protection, and implement MFA on those first.

Choose MFA methods: Select appropriate methods such as SMS-based codes, authenticator apps, or biometric verification (such as fingerprints or facial features). Ensure the authentication process is easily integrated into your current systems.

Educate users: Given the human factor discussed above, it’s important to educate users. Aim to provide some training on how to use MFA and the importance of this additional security measure.

Risk #2: Not using strong passwords

Strong passwords are a fundamental defense against cyber threats, yet many organizations neglect this crucial aspect of risk mitigation. KYND’s research reveals that only 14% of organizations have established password guidelines, putting a staggering 86% at risk of credential compromise. This statistic highlights the need for robust password policies to safeguard sensitive information.

Password best practice:

Embrace complexity: Require passwords to include a mix of letters, numbers, and special characters. Encourage passwords to be at least 12 characters long and avoid easily guessable words like “password123” or “admin”.

Encourage regular updates: Promote regular password changes to avoid compromised passwords being used. As a rule of thumb, update passwords at least every 90 days.

Use password managers: A password manager is a software application designed to help users store and manage their passwords securely. Recommend the use of password managers to generate and store complex passwords securely.

By sticking to these best practices, organizations can bolster their defenses against cyber threats. It may seem basic, but implementing strong password policies is critical in protecting sensitive data and maintaining overall cyber resilience.

Risk #3: Not implementing user management processes

Effective user management is a critical component of a robust cyber risk management strategy, yet it is often overlooked. According to KYND’s research, a mere 3% of organizations had documented privileged users.

Simple math tells us that this leaves an overwhelming 97% unable to identify who had access to Personally Identifiable Information (PII), confidential data, or advanced systems. This lack of oversight not only increases the risk of unauthorized access but also complicates incident response efforts.

User management best practice:

Document privileged users: Maintain an updated list of all privileged accounts and their access levels. Regularly review and audit these accounts to ensure that access remains appropriate and to identify any potential security risks.

Access control: A key user management practice is the principle of least privilege (PoLP). It ensures that users have the minimum access necessary to perform their duties. By implementing PoLP, you are only granting users access to the specific data, resources, and applications necessary to perform required tasks.

Regular audits: In relation to the above, conduct regular audits to review user access levels and adjust permissions as needed.

Properly managing user access not only protects sensitive information but can also help maintain operational integrity and compliance with regulatory standards. Furthermore, controlling and limiting user access to sensitive information is an essential step in preparing for cybersecurity insurance coverage.

Building a path to effective cyber risk management

There you have it. Mitigating cyber risks through effective user management is essential for safeguarding your pool organizations’ data. By helping your members implement multi-factor authentication, enforce strong password policies, and establish comprehensive user management processes, you can reduce the risk of cyber threats and enhance your pool’s overall security posture.

For detailed guidance, consider consulting cyber risk management experts. At KYND, we offer actionable risk insights and expert advisory support to help pools and their member organizations identify vulnerabilities and manage risks effectively. Investing in these practices not only protects sensitive information but can also help your members ensure compliance and build stakeholder trust.