Half of Employees Have Too Much Access to Company Data

Michael Tunstall

October 16, 2025

Here’s a question worth asking:
Do you know exactly who in your business can access your most important data right now?

And more importantly — do they actually need that access?

If you’re like most business owners, you probably assume it’s all handled during setup and doesn’t need revisiting. But new research tells a different story.

Around half of employees in businesses today have access to more data than they should.

And that’s a big problem.

Not just because of the risk of someone acting maliciously, but because people make mistakes. When staff can see or change things they don’t need to, it increases the risk of accidents, data breaches, and compliance headaches.

This is what’s known as insider risk — the danger that comes from within your organisation.

That could mean employees, contractors, or anyone with access to your systems. Sometimes insider risk is intentional — data theft or misuse — but far more often it’s unintentional.
Someone clicks the wrong link, shares the wrong file, or still has access long after leaving the business.

One of the biggest culprits is something called “privilege creep.”
That’s when staff gradually collect more access rights over time — usually after role changes, project involvement, or system updates — and no one reviews what they can still see or do.

The result? Sensitive data left wide open.

Even more worrying, nearly half of businesses admit that former staff still have access to systems months after leaving. That’s like leaving your office keys with someone who doesn’t work for you anymore.

🧭 How to fix it

The goal is simple: make sure people can only access what they need, and nothing more.

This is known as the principle of least privilege.
Access should always be:

  • Limited to what’s required for the job.

  • Temporary if it’s only needed for a specific task (“just-in-time” access).

  • Removed immediately when someone leaves.

Today’s world of cloud software, shared drives, and AI tools makes access control trickier — but not impossible. The key is to stay proactive:

  • Review permissions regularly.

  • Automate access management where possible.

  • Audit your systems to close old or unnecessary accounts.
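
A periodic access review can be automated with a short script. The Python example below is an added illustration, not taken from any particular product: it compares a staff roster against an account export and flags leaver accounts, permanent access beyond the role's baseline (privilege creep), and temporary grants that have expired. All names, roles, and data in it are constructed assumptions.

```python
from datetime import date

# Constructed sample data; in practice these come from HR and identity-provider exports.
ROLE_BASELINE = {  # role -> access the job actually requires
    "accounts": {"finance-share", "email"},
    "sales": {"crm", "email"},
}
ROSTER = {  # current staff -> role
    "alice": "accounts",
    "bob": "sales",
}
ACCOUNTS = [  # (user, entitlement, expiry date, or None for permanent access)
    ("alice", "finance-share", None),
    ("alice", "email", None),
    ("alice", "crm", None),                        # left over from an earlier role
    ("bob", "crm", None),
    ("bob", "email", None),
    ("bob", "finance-share", date(2025, 9, 30)),   # temporary grant for one task
    ("carol", "email", None),                      # no longer on the roster
]
REVIEW_DATE = date(2025, 10, 16)  # constructed "today" for the sample run


def review_access(roster, baseline, accounts, today):
    """Return sorted (user, entitlement, reason) findings that need action."""
    findings = []
    for user, entitlement, expires in accounts:
        role = roster.get(user)
        if role is None:
            # Account belongs to someone who is not current staff.
            findings.append((user, entitlement, "leaver"))
        elif expires is not None:
            # Time-boxed access is acceptable until its expiry date passes.
            if expires < today:
                findings.append((user, entitlement, "expired-grant"))
        elif entitlement not in baseline.get(role, set()):
            # Permanent access that the current role does not require.
            findings.append((user, entitlement, "excess"))
    return sorted(findings)


if __name__ == "__main__":
    for user, entitlement, reason in review_access(
            ROSTER, ROLE_BASELINE, ACCOUNTS, REVIEW_DATE):
        print(f"{reason:14} {user:6} {entitlement}")
```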

You’re not trying to slow people down — you’re protecting your data, your clients, and your reputation.

If you’d like help reviewing who has access to what in your business, get in touch. It’s far better to find the gaps now than after a breach.
