Security should be top of mind during Cybersecurity Awareness Month, and every other month.

Often I get asked – “What’s your favorite security control?” 

Actually, no one has ever asked that, but if they did, and I was pressed to pick one security control in my arsenal, it would be AC.L2-3.1.6 from the CMMC framework: “Use non-privileged accounts or roles when accessing non-security functions.”  Sound confusing?  Asking yourself “who cares?”  Well, this one little control saved my Mom from getting hacked, even after she did some things she really shouldn’t have done.  But more about that story in a bit.

So, what does this control mean?  In simple terms, you should ALWAYS have at least two accounts on your computer!  By default, many operating systems (e.g., Windows) set up one account that allows you to do everything you would want, including installing software.  But having the ability to install software means the user account can make any modifications it wants to your computer, sometimes with only minimal warning.

If you’ve been using your computer for a while, create a new user for making changes to your computer, like installing software.  In Windows, select the “Change Account Type” button and choose “Administrator.”  Then, change your existing user ID to a “Standard User.”  Going forward, only login to the Administrator account if you want to make updates or install new software.  When using your Standard User account, you will now be required to enter your Administrator password to make changes to your machine.

So, when I got the call that started “Sam, I’ve really messed up and contacted a fake Microsoft support desk,” I knew we were about to test my theory.  Mom had allowed them to get all the way to her desktop, add “support” software, and try to run it.  An Administrator login prompt popped up, Mom realized what they were about to do was not going to be good for her, and she hung up the phone and called me.  Since she was always using a non-privileged (Standard) user, the damage was limited to cleaning up their conferencing software, and her information was safe.

Remember, think before you click!  And if you haven’t already, set up a separate Administrator account and always use non-privileged accounts when accessing non-security functions!


Sam Bell joined Edwards in 2019 as a Senior Cybersecurity Consultant and serves as the Cybersecurity Assessments Program Manager, responsible for overseeing Edwards NIST 800-53, HIPAA, NIST CSF, and CMMC assessments, as well as managing Vulnerability Scanning and Penetration Testing capabilities. In his role as Chief Information Security Officer, Sam leverages 35+ years of information technology, security, project management, and process improvement experience to ensure Edwards continuously refines and enhances its ability to protect its clients’ information.