Secretary Power

When considering who has significant access to confidential information, secretary power should not be underestimated. In many organizations, some executives, who themselves sometimes have unrestricted and unnecessary access to confidential information, facilities and systems, transfer their privileged access rights to their assistants, making the assistants some of the most powerful employees in terms of access to restricted assets. Executives rightfully delegate much of their administrative work to their assistants; however, such delegation occasionally increases the risk of unrestricted secretary power. Secretary access should be reviewed and assessed periodically to ensure that the access rights are appropriate and limited to what the assistants need to perform their daily functions, and to prevent unnecessary disclosure of confidential information.

Typical executive assistants have access to a great deal of departmental confidential information, as they are involved in many tasks, including hiring, performance reviews and termination processes. They also handle much of the executives' administrative work, such as expense reporting, group emails, calendar management and purchase orders made with company executive credit cards.

As I have previously stated, some executives have powerful access to many resources and assets in the company, whether by design or by accident. When they transfer their unrestricted access to their assistants, they place their companies at risk, because access to information, a physical asset or a facility that was intended for the executive may not be appropriate or intended for the assistant.

One of the biggest risks presents itself when executives transfer access to their assistants for a routine task without realizing that such action may lead to additional, unauthorized and unintended access. For example, it is not uncommon for a busy executive who has forgotten a password (or any other pass code) to ask the assistant to contact the help desk for a reset, because the executive doesn't have time to be kept on hold by a help desk person or automated music. For the executives, this is costly time wasted, so they would rather waste the time of a less costly person, such as their assistant, while they unknowingly increase the secretary power.

Even if corporate help desk procedures allow a secretary to ask for a password reset for the boss, how do we know the assistant doesn't take advantage of this temporary power to satisfy his or her curiosity? Once a password is reset, most systems force the person logging in for the first time with the reset password to change it upon initial login, so that the password owner can select a unique and personal password. What if, after being granted the new password, the assistant logs into the system, selects a unique password, goes through the executive's confidential information, and then gives the boss that new password instead of the reset password, which would have forced the boss to select a new one?

Since the executive will not be forced by the system to change the password, would the executive know to change it immediately to prevent its future misuse by the assistant? I guess it depends on how security savvy the executive is. And what if the executive doesn't change the password immediately, or not until its expiration date, when passwords are forced to be changed? In either case, whether the executive changes the password immediately or later, there is a window of opportunity for curious and unethical assistants to abuse the increased secretary power.

There is no magic solution for this problem. Executives must periodically review and assess the access of their assistants and always think one step further and determine whether there is any inherent and increased security risk when they transfer certain access rights to their assistants for routine administrative tasks.
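As an added illustration (not part of the original article), the periodic review can include a check of authentication logs for the reset scenario described above: a reset requested by someone other than the account owner, followed by the forced password change happening away from the owner's workstation and no later rotation by the owner. The event types, field names, host names and the `review_delegated_resets` function are assumptions constructed for this sketch, not the schema of any real product.

```python
# Constructed sample events; the field names and event types are assumptions,
# not the log schema of any real help desk or directory product.
EVENTS = [
    {"ts": "2024-03-04T09:00:00", "type": "helpdesk_reset", "account": "exec1", "requested_by": "asst1"},
    {"ts": "2024-03-04T09:05:00", "type": "forced_change", "account": "exec1", "host": "WS-ASST1"},
    {"ts": "2024-03-04T09:06:00", "type": "mailbox_access", "account": "exec1", "host": "WS-ASST1"},
    {"ts": "2024-03-04T11:00:00", "type": "login", "account": "exec1", "host": "WS-EXEC1"},
    {"ts": "2024-03-05T08:00:00", "type": "helpdesk_reset", "account": "exec2", "requested_by": "exec2"},
    {"ts": "2024-03-05T08:03:00", "type": "forced_change", "account": "exec2", "host": "WS-EXEC2"},
]
# Constructed mapping of each account to its owner's usual workstation.
OWNER_HOST = {"exec1": "WS-EXEC1", "exec2": "WS-EXEC2"}


def review_delegated_resets(events, owner_host):
    """Flag resets requested by someone other than the account owner and
    summarize what happened on the account afterwards."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort by time
    findings = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "helpdesk_reset" or ev["requested_by"] == ev["account"]:
            continue  # the owner asked for the reset personally; nothing was delegated
        account = ev["account"]
        later = [e for e in ordered[i + 1:] if e["account"] == account]
        forced = next((e for e in later if e["type"] == "forced_change"), None)
        # Assumption: a voluntary "password_change" after the reset is treated
        # as the owner rotating the password, which closes the exposure window.
        rotated = next((e for e in later if e["type"] == "password_change"), None)
        window = later[: later.index(rotated)] if rotated else later
        off_host = [e for e in window if e.get("host") not in (None, owner_host.get(account))]
        findings.append({
            "account": account,
            "requested_by": ev["requested_by"],
            "forced_change_off_owner_host": bool(forced) and forced.get("host") != owner_host.get(account),
            "owner_rotated_password": rotated is not None,
            "events_from_other_hosts": len(off_host),
        })
    return findings


if __name__ == "__main__":
    for finding in review_delegated_resets(EVENTS, OWNER_HOST):
        print(finding)
```

A finding with the forced change off the owner's host and no rotation afterwards is the open window the article describes; the remedy is for the executive to change the password personally.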
