Do common centralized IT access policies create any security risks, and are there alternatives?
Many large companies have IT policies where even low-level IT employees have privileges such as remote access to any company computer (often automatic, able to override user denial, or even silent), or administrative access to any company computer. Basically, these are policies where IT employees have relatively centralized and loosely limited access, even to computers that they may not physically have access to.
This seemingly opens a fair number of vulnerabilities, potentially allowing a single compromised IT computer to do a lot of damage or steal a great deal of data, something that is not merely theoretical; e.g. KnowBe4 recently hired a North Korean hacker to their IT team with predictable consequences (but how many such cases never make the news or are not caught?) However, as mentioned, these are fairly widespread practices.
Is this strategy the best cybersecurity practice? Or are there better ways of doing it?
