Why weak governance leaves your organisation exposed

August 28, 2025 · 4 min read

Governance isn’t the most glamorous part of cybersecurity or data protection. It doesn’t make headlines like a breach or turn heads like a shiny new AI tool. But if it’s not in place, even the best technology can’t save you.

In education, one of the clearest examples is the joiners, movers and leavers process.

The governance gap in practice

When someone joins a university or college, the process tends to work well:

  • HR approves the hire

  • An account is created

  • Login details are issued

  • Induction and training follow

Everything looks neat and tidy on day one.

The trouble starts when people move between roles, or leave entirely.

Example:

A staff member starts in IT, with access to sensitive infrastructure and information, then transfers to a student-facing role. If their old IT permissions aren’t removed, they now have a combination of access: technical systems from their old role plus student data from their new one.

Multiply this over a 10-15 year career with three, four or five role changes, and you have staff with sprawling, unnecessary access rights, often without anyone realising.

And this isn’t just about access to one or two systems. In many universities, permissions are still handled in an “all or nothing” way: people either have access to everything in a system or nothing at all. Modern role-based access control (RBAC) exists (Microsoft does it well), but using it properly requires time, attention and skills that many in-house technical teams simply don’t have right now.

Why this matters more than you think

It’s easy to assume processes just “work” in the background. But in reality, without proper governance:

  • Excessive access rights become normal – Staff see far more than they should, often long after changing jobs.

  • Data walks out the door – When someone leaves on bad terms, they might forward data to personal email or download it onto a USB drive. It’s not pleasant to think about, but it happens, and it can cause real harm.

  • Security efforts get misdirected – You spend time and money protecting data that shouldn’t even be there, while the real risks stay hidden.

  • The big picture gets messy – With too much data in too many places, it becomes harder to prioritise what actually needs securing.

The uncomfortable truth is that while we’d like to think everyone leaves on good terms, the current level of restructuring in higher education means that’s not always the case. Preparing for the “bad exit” scenario isn’t cynical, it’s responsible.

Where responsibility lies

In this area, responsibility is shared:

  • HR / People & Culture own the joiners, movers and leavers process. They decide what should happen when someone starts, moves or leaves.

  • IT implements the technical controls, such as removing permissions, closing accounts and monitoring for suspicious activity.

  • Both teams need to work together. If HR systems don’t “talk” to IT systems, changes in role won’t trigger changes in access, and that’s when the gaps appear, so there need to be clear mechanisms in place.

The strongest governance comes from an ongoing, collaborative conversation between HR and IT, not a once-a-year meeting.

How to close the gap

Improving governance doesn’t need to be an all-or-nothing project. You can build it step-by-step:

  1. Map the process
    Break down what happens at each stage of joiners, movers and leavers. Where do approvals get missed? Where are assumptions being made? Where are handovers unclear?

  2. Automate role changes
    Wherever possible, utilise automation across HR and IT systems so access rights automatically update when a role changes.

  3. Plan for bad exits
    If there are large scale changes, pending restructures or ongoing grievances in play, establish alerts for large file transfers, mass email forwards or USB activity during consultation or notice periods.

  4. Review regularly
    Run spot checks to make sure permissions match current roles.

  5. Invest in role-based access
    Even partial RBAC can cut down on unnecessary exposure.

  6. Build relationships
    Governance is about more than just systems. It’s about people in different departments talking to each other early and often.
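The “movers” problem above (old IT rights surviving a transfer into a student-facing role) and the spot check in step 4 can be expressed as a simple reconciliation between the HR roster and an access export. The following is an added illustration, not code from the original post or from Clark & Company; the roles, entitlements, accounts and the toxic pair are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not from the post): which entitlements
# each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "it-engineer": {"vpn", "server-admin", "backup-console", "email"},
    "student-services": {"student-records", "email"},
}

# Constructed HR roster: the role each person holds today.
HR_ROSTER = {"alice": "student-services", "bob": "it-engineer"}

# Constructed access export: alice moved from IT to student services but kept
# her old rights; carol has left but her account was never closed.
ACCESS_EXPORT = {
    "alice": {"vpn", "server-admin", "student-records", "email"},
    "bob": {"vpn", "server-admin", "backup-console", "email"},
    "carol": {"email"},
}

# Pairs that should never sit on one account (the "technical systems plus
# student data" combination the post describes). Constructed example.
TOXIC_PAIRS = [("server-admin", "student-records")]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str              # stale-access | orphaned-account | toxic-combination
    entitlements: frozenset


def reconcile(roster, export, role_map=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Return findings where actual access does not match the current role."""
    findings = []
    for user, granted in sorted(export.items()):
        role = roster.get(user)
        if role is None:          # no HR record: a leaver whose account survives
            findings.append(Finding(user, "orphaned-account", frozenset(granted)))
            continue
        excess = set(granted) - role_map.get(role, set())
        if excess:                # rights left over from a previous role
            findings.append(Finding(user, "stale-access", frozenset(excess)))
        for a, b in toxic:        # both halves of a forbidden combination present
            if a in granted and b in granted:
                findings.append(Finding(user, "toxic-combination", frozenset((a, b))))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCESS_EXPORT):
        print(f"{f.user}: {f.kind} -> {sorted(f.entitlements)}")
```

Run against real exports, each finding becomes a ticket for HR and IT to resolve together rather than a surprise during an incident.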

The bigger picture

Governance is easy to dismiss as “back-office admin,” but it’s actually a frontline defence. It keeps your access controls tight, your sensitive data protected and your risk manageable.

If you can say with confidence, “We know exactly who can see what, and that changes the moment their role changes,” then you’re in a stronger position than most.

If not, the best time to start fixing it is now, before a messy permissions trail becomes a real-world incident.

Craig Clark founded Clark & Company in 2016 after several negative experiences with consultancies attempting to apply information governance strategies designed for the private sector to education environments and then charging a fortune for the failed project.

The education environment and how data is collected, managed, secured, and shared is different to any other sector and Clark & Company has front line experience in facing the challenges that these differences raise.

Craig Clark