You have security measures in place, right? We made a guide to the basic security practices everyone should have in place. So let’s say you’ve got the basics down. Nothing is perfect, and attackers run automated tooling that never gets tired. So what happens when one of your security measures fails?
Yes, we say when, not if.
What if someone clicks a phishing link and gets hit with malware, or an old-fashioned disgruntled employee decides to cause problems for you?
The damage depends on what that account or device can reach. That’s where permission management comes in. This article walks you through how to limit the blast radius of a security incident using access controls, segmented data, and a few smart defaults. It applies across your devices, your shared storage, your intranet, and team services like Google Workspace and Microsoft 365/Teams.
Let’s get started.
1. Start With Stopping Admin Rights Everywhere
No one should be a local administrator on their machine unless they need to be. This one change makes a huge difference.
Why it matters
If malware gets in through email or a bad download and the user has admin rights, it can install more malware, disable security tooling, change system settings, or move laterally to other systems. Remove admin rights, and much of that simply doesn’t work: the malware is confined to what one standard user can touch unless it also finds a privilege-escalation bug.
If someone genuinely needs admin privileges, they should still do their day-to-day work (email, browsing, documents) as a standard user and switch to the admin account only for the task that requires it.
What to do
- Set up all company laptops and desktops with standard user accounts.
- If someone needs admin rights (e.g., IT), create a separate admin account for them to use only when necessary. That account should never be used for email or browsing.
- Use MDM tools (Google endpoint management, Microsoft Intune, Jamf, etc.) to enforce this and push out settings.
Add-on: EDR + Updates
EDR is the enforcement layer underneath user permissions: it watches what processes actually do (what they launch, write, and connect to) and can block or quarantine them when the behaviour looks malicious, even if the user clicked “run”.
- Install and manage an EDR (Endpoint Detection and Response) tool on all devices (Microsoft Defender for Business, ESET Endpoint Security, Trend Micro Apex One, Sophos Intercept X, CrowdStrike Falcon).
- Enforce automatic updates for OS and key apps.
- Encrypt drives (BitLocker for Windows, FileVault for macOS), escrow the recovery keys in your MDM or directory, and enable remote wipe for lost/stolen gear.
2. Be Selfish With Shared Storage
The goal here is simple: if someone breaks into one account, how many files can they touch? With bad storage hygiene, the answer might be all of them.
Where it goes wrong
Shared folders keep popping up as new projects start or new processes appear. People get added one at a time or, just to make it easy, the whole org gets access.
Most of the time these permissions are never reviewed or tightened, so access only ever grows.
What to do
- Segment storage by team or project. No more giant “shared” folder for the whole company.
- In Google Workspace: use Shared Drives instead of folders in someone’s My Drive. Ownership sits with the team, so when someone leaves, the files stay.
- In Microsoft 365/Teams: use Teams-based document libraries for file access rather than shared folders in OneDrive.
- Turn off or restrict “Anyone with the link” sharing, and make “Restricted” (named people only) the default for new shares.
Run permission reviews
- Every quarter (or every big org change), check: who has access to what?
- Remove people from folders, Teams, Drives they no longer need.
- If someone leaves the company, remove them from all groups and shut down access the same day, including active sessions and any app tokens they authorised.
External sharing
You want to avoid this where you can, but in a world of contractors and consultants sometimes you need to give outsiders access. Just be sure to give them as little access as possible.
- In Google Workspace, allow-list the external domains staff may share with instead of permitting any outside address.
- In Microsoft 365, restrict guest access with sharing and guest policies (who can invite guests, and from which domains).
- Set links to expire or restrict them to specific people, and review guest accounts in the same quarterly pass as everything else.
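The quarterly review above is easy to state and tedious to do by hand. The following is an added example (not code from the article) of the check a script would run over an exported list of file permissions. The record shape follows the Google Drive API permission resource (`type`, `role`, `emailAddress`, `domain`, `expirationTime`); a Microsoft 365 sharing report carries the same facts under different field names. The file names, addresses, the internal domain `example.com`, the approved contractor domain and the departed-user list are all constructed.

```python
"""Quarterly sharing review over a constructed Drive-style permissions export."""
from collections import Counter
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"                             # assumption: your Workspace domain
ALLOWED_EXTERNAL_DOMAINS = {"partner-consulting.example"}   # assumption: approved contractor domains
DEPARTED_USERS = {"former.employee@example.com"}            # assumption: fed from HR offboarding

# Constructed sample export: what listing permissions on a few files would yield.
SAMPLE_EXPORT = [
    {"file": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "hr-lead@example.com"},
        {"type": "anyone", "role": "reader"},
    ]},
    {"file": "Engineering wiki export.docx", "permissions": [
        {"type": "group", "role": "reader", "emailAddress": "eng@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"file": "Vendor SOW.pdf", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "ops@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "alice@partner-consulting.example",
         "expirationTime": "2025-12-31T00:00:00Z"},
        {"type": "user", "role": "writer", "emailAddress": "carol@partner-consulting.example"},
        {"type": "user", "role": "writer", "emailAddress": "bob@random-webmail.example"},
    ]},
    {"file": "Board minutes.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ceo@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "Former.Employee@example.com"},
    ]},
]


@dataclass(frozen=True)
class Finding:
    file: str
    severity: str   # "high" = fix today, "medium" = fix within this review cycle
    reason: str
    action: str


def review(export, internal_domain=INTERNAL_DOMAIN,
           allowed_external=ALLOWED_EXTERNAL_DOMAINS, departed=DEPARTED_USERS):
    """Return one Finding per permission that breaks the sharing rules."""
    findings = []
    for item in export:
        for perm in item["permissions"]:
            kind, role = perm["type"], perm["role"]
            if kind == "anyone":
                findings.append(Finding(item["file"], "high",
                    "'anyone with the link' sharing", "remove link; reshare to named people"))
            elif kind == "domain":
                if perm["domain"] != internal_domain:
                    findings.append(Finding(item["file"], "high",
                        f"shared with whole external domain {perm['domain']}", "remove"))
                else:
                    findings.append(Finding(item["file"], "medium",
                        "shared with the whole company", "share with the owning team's group"))
            elif kind in ("user", "group"):
                email = perm["emailAddress"].lower()        # exports mix case; compare normalised
                domain = email.rsplit("@", 1)[-1]
                if email in departed:
                    findings.append(Finding(item["file"], "high",
                        f"{email} has left the company", "remove"))
                elif domain == internal_domain:
                    continue                                 # named internal user/group: fine
                elif domain not in allowed_external:
                    findings.append(Finding(item["file"], "high",
                        f"external {email} not on the approved-domain list", "remove"))
                elif "expirationTime" not in perm:
                    findings.append(Finding(item["file"], "medium",
                        f"external {email} ({role}) has no expiry", "set an expiry date"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    found = review(SAMPLE_EXPORT)
    for f in sorted(found, key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.file}: {f.reason} -> {f.action}")
    print(summarize(found))
```

The ordering of the checks matters: a departed user is flagged before the domain logic runs, so an ex-employee on the internal domain is not waved through as “internal”. An approved contractor with an expiry date produces no finding; the same contractor without one is a medium finding, because the access will otherwise outlive the engagement.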
3. Use a “Need To Access” mindset
Just because someone is part of your business doesn’t mean they should have access to everything. The formal name for this is least privilege, and it is the heart of a “Zero Trust” model: no one gets access to anything unless they provably need it, and being on the office network or already logged in to one system is not proof.
Segment Information and Functionality
- Finance doesn’t need access to Engineering’s wiki.
- Engineering doesn’t need access to HR’s files.
- A contractor doesn’t need access to your Slack history.
Use groups and roles to manage access:
- In Google Workspace, assign access to Sites, Docs, and Calendars based on Groups.
- In Microsoft Teams, create private channels for sensitive conversations (e.g., leadership, HR, finance).
Use conditional access policies
- Only allow access to critical apps from managed devices.
- Block logins from unknown IPs or suspicious locations.
- Require re-authentication or step-up MFA for sensitive actions.
In Google Workspace these are Context-Aware Access policies; in Microsoft 365 they are Conditional Access policies in Microsoft Entra ID. Both depend on your licence tier, so check your plan, then use them.
4. Use MFA & Password Managers For Everything All The Time
MFA
This is non-negotiable. MFA ties the account to something the attacker doesn’t have: the device or key in the user’s hand, not just a password they can steal.
Every account should require Multi-Factor Authentication (MFA). Without it, a phished password is a compromised service. With it, a phished password alone is still blocked at login. One caveat: a code typed into a web page can be relayed by a phishing proxy in real time, so where the service supports them, prefer passkeys or FIDO2 security keys, which are bound to the real site, and treat authenticator-app codes as the minimum.
Enable MFA for all Google Workspace or Microsoft 365 accounts. If you’re not already doing this, stop reading and go do it.
You will need to install an app. Google Authenticator and Microsoft Authenticator are both available on Android and iOS, and either app can hold standard one-time codes for any service. They are easy to use: adding a new MFA login is normally as simple as scanning a QR code from the service’s security settings (never scan random QR codes; the one on the enrolment screen contains the secret that generates your codes).
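To make the enrolment step concrete, here is an added example (not code from the article, nor from Google or Microsoft Authenticator) that builds the `otpauth://` URI a QR code carries and derives the six-digit codes from it using RFC 4226 (HOTP) and RFC 6238 (TOTP) with only Python’s standard library. The issuer and account names are constructed. It shows why the QR code must be protected: the secret inside it is the factor, and anyone holding it can mint valid codes.

```python
"""What an authenticator-app enrolment QR code contains and how codes are derived."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse


def new_secret(length: int = 20) -> bytes:
    """Fresh random shared secret; 20 bytes is the RFC 4226 minimum for SHA-1."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, period: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algo)


def enrolment_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI the QR code encodes (the Key URI format authenticator apps read)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def secret_from_uri(uri: str) -> bytes:
    """What the app stores after scanning: the raw secret recovered from the URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore stripped padding


def verify(secret: bytes, code: str, at: Optional[float] = None,
           window: int = 1, period: int = 30) -> bool:
    """Server side: accept the current step plus/minus `window` steps for clock drift,
    comparing in constant time so timing does not leak digits."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    k = new_secret()
    uri = enrolment_uri("Example Co", "alice@example.com", k)   # constructed names
    print("QR payload:", uri)
    print("current code:", totp(secret_from_uri(uri)))
```

Two things fall out of reading this. First, the code depends only on the secret and the clock, never on the site the user is typing it into, which is exactly why a proxy phishing page can relay it; passkeys fix that by signing the site origin. Second, the server has to hold the same secret, so it must be stored with the same care as a password hash would be, and `verify` must be rate-limited, since six digits with a one-step window is only a few million guesses.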
Password Managers
Shared passwords are a liability. Simple passwords that are easy to remember are also a liability. If you must share access to a service rather than providing individual accounts, use a business password manager, so the credential is stored once, access to it is logged, and it can be rotated when someone leaves.
There are good options in this segment. Get your team onto one of these:
Use group vaults, share credentials securely, and train your team to never email or message passwords.
5. Lockdown Internal Apps and Collaboration Tools
The last thing you want is an attacker reading internal apps, wikis, or, especially, chat platforms, which tend to accumulate pasted credentials and sensitive decisions. Staff should only have access to the chats they need.
What to lock down
- Google Chat rooms: make sensitive ones private, control invites.
- Slack: use private channels, restrict integrations, disable public link sharing.
- Teams: use private channels, restrict who can create them, review membership regularly.
Review OAuth app access
Both Google and Microsoft platforms let third-party apps request broad access to user data, and a granted token lets the app act as the user without logging in again. Audit those permissions, revoke what’s not needed, and prefer apps that ask for narrow scopes over apps that ask for everything.
In Google Workspace, the list is in the Admin console under Security > Access and data control > API controls > Manage Third-Party App Access. In Microsoft 365, it is in the Microsoft Entra admin center under Identity > Applications > Enterprise applications (where you can also limit which apps users may consent to on their own); Teams-specific apps are managed in the Teams admin center.
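The admin consoles give you the list; deciding what to revoke is the work. The following is an added example (not code from the article, Google or Microsoft) of a triage rule over that list: flag any grant carrying a broad scope, revoke it outright if nobody has used it recently, and suggest the narrower scope that usually does the same job. The Google scope URLs and Microsoft Graph permission names are real; the app names, user counts, last-use ages and the 90-day staleness threshold are constructed.

```python
"""Triage of third-party OAuth app grants by scope breadth and staleness."""

# Scopes that hand an app the whole mailbox, every file, or the directory.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "read/write every Drive file",
    "https://www.googleapis.com/auth/contacts": "read/write all contacts",
    "https://www.googleapis.com/auth/admin.directory.user": "manage all user accounts",
    "Mail.Read": "read all mail (Microsoft Graph)",
    "Files.ReadWrite.All": "read/write all files (Microsoft Graph)",
    "Directory.ReadWrite.All": "write to the directory (Microsoft Graph)",
    "User.Read.All": "read every user profile (Microsoft Graph)",
}

# Narrower scopes that usually cover the same use case.
NARROWER = {
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/gmail.readonly": "https://www.googleapis.com/auth/gmail.metadata",
    "Files.ReadWrite.All": "Files.ReadWrite (the user's own files) or Sites.Selected",
    "User.Read.All": "User.ReadBasic.All",
}

# Constructed sample of what the consoles report per app.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync Pro", "users": 40, "last_used_days": 2,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "openid", "email"]},
    {"app": "PDF Converter Free", "users": 3, "last_used_days": 120,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "Sales CRM connector", "users": 12, "last_used_days": 1,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"app": "Legacy HR sync", "users": 1, "last_used_days": 400,
     "scopes": ["Directory.ReadWrite.All", "User.Read.All"]},
    {"app": "Meeting notes bot", "users": 25, "last_used_days": 3,
     "scopes": ["User.Read", "Calendars.Read"]},
]


def triage(grant, stale_after_days=90):
    """Decide keep / review / revoke for one grant and list the broad scopes behind it."""
    broad = [s for s in grant["scopes"] if s in BROAD_SCOPES]
    if not broad:
        return {"decision": "keep", "broad": [], "suggest": {}}
    # Broad access that nobody is using is pure liability: revoke without a meeting.
    stale = grant["last_used_days"] > stale_after_days or grant["users"] == 0
    return {
        "decision": "revoke" if stale else "review",
        "broad": broad,
        "suggest": {s: NARROWER[s] for s in broad if s in NARROWER},
    }


def triage_all(grants, stale_after_days=90):
    """Map app name -> triage result for a whole export."""
    return {g["app"]: triage(g, stale_after_days) for g in grants}


if __name__ == "__main__":
    for app, result in triage_all(SAMPLE_GRANTS).items():
        why = ", ".join(BROAD_SCOPES[s] for s in result["broad"]) or "narrow scopes only"
        print(f"{result['decision']:7} {app}: {why}")
        for broad, narrow in result["suggest"].items():
            print(f"        ask vendor for {narrow} instead of {broad}")
```

“Review” deliberately does not mean “keep”: an app with full mailbox access that people use every day still needs an owner, a reason, and a check that the vendor cannot do the job with a narrower grant. Fold the output into the same quarterly pass as the file-sharing review.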
Putting It All Together
Here’s the order of operations for getting all the permissions in place:
- Remove local admin rights.
- Enforce MFA.
- Centralise access to shared files, use team-based permissions.
- Review permissions regularly.
- Use private channels/rooms in chat and collaboration tools.
The less access people have by default, the less there is to clean up when something goes wrong. And if you set it all up right, cleaning up becomes: turn off access, restore files, and get on with your day.
That’s the real benefit of this approach. Not just damage prevention, but fast recovery.
That’s all there is. Go limit that blast radius.
Start with devices and MFA. Move on to storage. Then wrap up with internal systems and chat, and kill shared passwords along the way.
Each step is simple. The result is a business that’s hard to hurt, and quick to bounce back if it ever is.