Least privilege isn't sexy. It isn't a highly technical toy that promises to do all kinds of nifty things to ward off evil attackers. However, it is right up there in providing your organization vital protection and it is a cyber hygiene item. So what does it mean?
Least privilege simply means providing the least amount of access required to do the job. This is often easier said then done.
Our natural tendency is to leave things open and broadcasting to everyone. It requires less work. Users do not have to try and pick out who might need access. If 6 weeks from now someone new needs access, no one has to go through the pain of an access request and waiting for access to be granted. Someone simply hands them the link and they are in. If someone is moving to another dept for 6 months it is a lot easier to leave them on the access list rather then removing them and then re-adding them when they come back. If someone might at some point in the future need admin access, it is a lot easier to give them broad access rather then limiting them to just what they actually need to do their job.
The problem with not applying least privilege is that it makes an attackers job a heck of a lot easier as well. If an account gets compromised, the attacker now has broad access to everything. If it is an admin account, the attacker now has admin access to all your systems. If least privilege is applied, the attacker is far more limited in the damage they can inflict and the systems they can compromise. Their scope is limited to only what that user had access too. There are also nightmare scenarios where an employee becomes vengeful. If the organization applies least privileged there is a limited amount of damage a vengeful employee can do. Least privilege allows you to control the scope of what may happen.
Least privilege is more work, but it is not hard and it is not something you need fancy tools for. It can be as simple as having a solid process in place for making sure someone really needs access and promptly removing them from the access when it is no longer required. Simple cyber hygiene concepts can go a long way towards reducing your organizations cyber risk.