In every organization, there are users with regular privileges, and then there are super users who hold greater privileges in the IT environment. Unless you are a small organization with no separate IT department and your CEO performs IT administrative duties, it's not a wise choice to give non-technical executives (CEO, CFO, or VPs) extensive access to critical accounts and file servers within the network.
IT departments often grant excessive privileges to upper management and simply pray things don't go wrong. However, when a security incident occurs because of mismanagement by the C-suite, it is the IT department that takes the fall.
Let's take a closer look at why IT security teams need to apply the principle of least privilege, and most importantly to the accounts of top-level executives:
Threat actors, not surprisingly, target C-suite accounts, knowing full well that most of these accounts have elevated permissions. According to Verizon's 2019 Data Breach Investigations Report, "C-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past." Attackers commonly rely on social engineering techniques to obtain the credentials of high-ranking employees. Once they are in, they have free rein over the most critical resources in the organization. What you as an IT administrator must do is limit each account's access to the minimum level necessary, so that even if attackers do breach your defenses, the damage is minimal.
Unless you know that someone has a clear picture of the consequences of changes made to the IT infrastructure, you don't want to hand out extra access rights to them. Not even the C-suite is exempt from this rule; it is precisely why every company has a dedicated IT security team to run the IT environment smoothly. In fact, privileged accounts are no less guilty when it comes to contributing to security breaches. According to the 2019 Insider Threat Report, 49 percent of the time it is privileged business users or executives who contribute to the security incidents caused by insiders. So, next time, before you add your CEO to your admin group, you might want to think twice.
A 2018 survey by Gartner found that 22 percent of organizations worldwide, across various industries, are using employee-movement data. Upper management having access to employees' personal data may lead to privilege abuse or, worse, compliance violations.