Does everyone at your company have access to everything? Cyber Essentials wants to know why
Restricting user accounts to only what staff need for their job is a core Cyber Essentials control, and most small businesses grant far more access than necessary by default.
Here's a scenario that plays out often enough to be a pattern, not a one-off: a small e-commerce business gives every staff member the same system-wide access, including its warehouse pickers, because it's simpler to set everyone up with one standard account template than to think through what each role actually needs. A picker has no business reason to ever touch customer payment records. The access sits there anyway, because nobody asked the question, and it only takes one person with a grudge or a buyer for that data to turn unused access into an actual breach.
Cyber Essentials asks it directly under CE3 User Access Control: are user accounts restricted to only what they need to do their job? This is the principle of least privilege, and it's the access control question most small businesses fail without realising they're failing it, because over-permissioned accounts don't cause visible problems until something goes wrong.
Why broad access feels easier but creates real risk
Setting every account up with the same level of access is genuinely simpler to manage day to day. Nobody has to think through permissions role by role, nobody gets blocked from something they unexpectedly need, and onboarding a new person takes five minutes instead of a considered decision about what they should and shouldn't be able to reach.
The cost of that simplicity is that every account becomes a bigger target than it needs to be. If a junior staff member's account is compromised through a phishing email, and that account has the same access as a director, the attacker inherits director-level access for free. Least privilege means the blast radius of any single compromised account is limited to what that specific role genuinely requires, not everything the business has.
How this is different from the admin account question
This control is sometimes confused with keeping administrator accounts separate from standard accounts, but they're answering different questions. That control asks whether admin-level access is isolated from everyday use. This one asks whether even standard, non-admin accounts are scoped down to what each specific role needs, rather than every standard account having identical, broad access to systems and data unrelated to that person's actual job.
A business can have admin accounts properly separated and still fail this control, if every standard account can see every customer record, every financial document, and every system regardless of whether the person in that role has any reason to.
What this actually looks like in practice
Map out the systems and data your business holds, then ask, role by role, what each one genuinely needs. A bookkeeper needs the accounting platform. They don't need access to HR records. A customer service rep needs to see order history. They don't need access to supplier contracts or payroll. This sounds obvious written down, but most small businesses have never actually gone through this exercise, because the default setup for most tools grants broad access unless someone deliberately restricts it.
Most cloud platforms (Google Workspace, Microsoft 365, most CRMs and accounting software) support role-based permissions natively, so the technical capability to restrict access is usually already there. The gap is almost always process, not technology: nobody has gone through and configured it deliberately.
Frequently asked questions
Isn't this a lot of extra admin work to maintain? There's upfront effort to map out roles and permissions once, but ongoing maintenance is straightforward if it's built into onboarding, so each new starter is set up correctly from day one rather than defaulted to broad access.
What if someone occasionally needs access outside their normal role for a one-off task? Temporary, logged access for a specific task is reasonable and doesn't undermine least privilege, as long as it's removed again afterward rather than left in place by default.
Does this apply to a business with only two or three employees? The principle still applies, though the practical risk is lower with very few people; it becomes more important as headcount and the number of systems in use grow.
How is this different from removing access when someone leaves? That control is about access at the end of someone's time with the business; this one is about whether the access they had while employed was ever appropriately scoped to their role in the first place.
Will an assessor check this role by role, or just ask if a policy exists? Assessors typically ask about your general approach to access control and may sample specific accounts to see whether permissions genuinely reflect the person's role.
Run a free scan of your domain and your CE Readiness checklist will cover this alongside the rest of CE3 User Access Control, ready before your assessor asks: olimpio.io/free-scan