Trust, But Verify: Pickleball, Meet Cybersecurity
The principle of least privilege isn't just a technical concept. It's how every good doubles team plays the game.
By Sammy Basu | Founder & CEO, Careful Security | March 5, 2026 | 6 min read
I'm standing in a pickleball park. It's 8 AM, the sun is coming through the nets, and my partner and I are about to play a doubles match against a pair who clearly take this more seriously than we do.
Before the first serve, my partner says: "I'll cover left, you cover right. Trust me to handle my side."
That's all it took. Two sentences. A clear division of responsibility. And a mutual understanding that each of us would handle whatever fell in our area.
For a well-functioning team, trust is imperative.
But here's where it gets interesting. In cybersecurity, we have this concept called "trust, but verify." And it works exactly the same way.
What Does "Trust, But Verify" Actually Mean?
The phrase comes from a Russian proverb that Ronald Reagan made famous during nuclear arms negotiations with the Soviet Union: "Doveryai, no proveryai." Trust, but verify. It became the foundation for how two adversaries could agree to reduce their weapons while still maintaining accountability.
In cybersecurity, the same principle applies. You trust your employees, your partners, your systems. But at the same time, you run your scripts. You look at your log files. You find out who has access, when they're accessing it, and whether all of them actually need it.
A lot of breaches happen because people have more access than they need. Or redundant access. Or access they were granted two years ago for a project that ended eighteen months ago. People who shouldn't have access still have access. The system is wide open, and nobody noticed.
According to the Verizon Data Breach Investigations Report, credential misuse dominates the landscape of security incidents. The IBM Data Breach Report confirms that it takes an average of six to eight months to detect a breach. Six to eight months of someone walking through your hallways with a badge that should have been revoked.
The Pickleball Principle
Back to the court. In pickleball doubles, you and your partner divide the court. You trust your partner to handle the shots that fall in their area, and they trust you to handle yours. You're not watching each other's every move. You're playing your position.
But what happens when a shot lands right on the line between you? If neither of you moves, it's a point for the other side. If both of you move, you collide. The teams that win are the ones who have clear rules about who takes the middle shots, and who verify that the system is working by communicating during the game.
That's cybersecurity in a nutshell.
Your IT team trusts the developers to write secure code. Your developers trust the infrastructure team to keep the servers patched. Your HR team trusts IT to revoke access when someone leaves the company. Everyone trusts each other. But who's verifying?
When a shot lands on the line and nobody takes it, that's a breach.
The Principle of Least Privilege: Give People Only What They Need
Security is based on the principle of least privilege. You give each person access to exactly what they need to do their job, and nothing more. It's like giving your pickleball partner responsibility for their side of the court, not yours, not the court next to you, and definitely not the keys to the equipment shed.
System and network administrators have access to the most sensitive systems in an organization. That makes them an attractive target for cybercriminals. These privileged accounts are the crown jewels. When attackers compromise them, they don't just access one file. They access everything.
The Colonial Pipeline breach in 2021 started with a single compromised VPN account of a former employee. No multi-factor authentication. One password. $4.4 million in ransom paid, fuel shortages across the East Coast, and a state of emergency declared by the President. Root cause: disclosed credentials for a VPN account without multi-factor authentication.
The UnitedHealthcare breach in 2024 started with a legacy server that didn't have multi-factor authentication enabled. The cyberattack shut down operations at hospitals and pharmacies for more than a week. Costs surpassed $1.6 billion. Root cause: a portal without MFA.
The Microsoft email breach in 2024 started with an old test account that didn't have MFA. The attackers sprayed common passwords against multiple accounts, got into the test account, and moved laterally across Microsoft's corporate network.
See the pattern? Every one of these breaches traces back to someone having access they shouldn't have had, or access that wasn't properly verified.
Three Things Every Mid-Market Company Should Do This Week
1. Audit Who Has Access to What
Run a report of every user account in your environment. Who has admin access? Who has access to your production servers? Your financial systems? Your customer data? Cross-reference that list with your current employee roster. You will be surprised. Former employees, old contractors, test accounts from three years ago, service accounts that nobody remembers creating. Each one of those is an unlocked door.
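One way to do that cross-reference in a few lines, as an added example rather than anything from the article or from Careful Security: the account export, the HR roster, the field names and the 90-day staleness threshold are all assumptions constructed for illustration.

```python
# Added example: cross-reference an account export against the HR roster.
# Every record below is constructed; field names and thresholds are assumptions.
from datetime import date

# Constructed account export (the kind of report an IdP or directory gives you).
ACCOUNTS = [
    {"user": "alice", "role": "admin", "type": "human", "last_login": "2026-03-01"},
    {"user": "bob", "role": "user", "type": "human", "last_login": "2026-02-20"},
    {"user": "carol", "role": "admin", "type": "human", "last_login": "2025-06-14"},
    {"user": "svc-backup", "role": "admin", "type": "service",
     "last_login": "2023-01-09", "owner": ""},
    {"user": "test-portal", "role": "user", "type": "human", "last_login": "2024-11-02"},
]

# Constructed HR roster of people currently employed.
ROSTER = {"alice", "bob"}

STALE_DAYS = 90  # assumption: no login in 90 days means "review or disable"


def audit_access(accounts, roster, today, stale_days=STALE_DAYS):
    """Return {user: [reasons]} for every account an access review must act on.

    Accounts that are on the roster, have an owner and logged in recently
    produce no entry; admin accounts with any finding are flagged first.
    """
    findings = {}
    for acct in accounts:
        user = acct["user"]
        reasons = []
        # Human accounts must map to a current employee.
        if acct["type"] == "human" and user not in roster:
            reasons.append("not on current employee roster")
        # Service accounts must have a named owner who can vouch for them.
        if acct["type"] == "service" and not acct.get("owner"):
            reasons.append("service account with no named owner")
        # Anything unused for longer than the threshold is an unlocked door.
        age_days = (today - date.fromisoformat(acct["last_login"])).days
        if age_days > stale_days:
            reasons.append(f"no login for {age_days} days")
        if reasons and acct["role"] == "admin":
            reasons.insert(0, "ADMIN ACCOUNT")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_access(ACCOUNTS, ROSTER, date(2026, 3, 5)).items():
        print(user, "->", "; ".join(reasons))
```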
2. Enforce Multi-Factor Authentication Everywhere
Not just on your email. Not just on your VPN. Everywhere. Every system, every admin console, every cloud portal. If the breach pattern teaches us anything, it's that a single password is never enough. Multi-factor authentication is the seatbelt of cybersecurity. It's not glamorous. It's not a shiny new tool. But it works. And the breaches that make headlines almost always involve a system where it wasn't turned on.
3. Review Your Logs (Someone Should Be Watching)
Trust your team. But verify what's happening in your systems. Look at your log files. Who logged in at 2 AM? Who accessed the database from an IP address you don't recognize? Who downloaded 10,000 records on a Sunday? Without log details of privileged activities, investigation and recovery from a breach can become a nightmare. Your SIEM should be your eyes and ears, not a dashboard that nobody looks at. The Target breach in 2013 happened because the SIEM detected the anomaly but the alert was ignored due to alert fatigue. The data was there. Nobody was watching.
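The three questions above (who logged in at 2 AM, who came from an address you don't recognize, who pulled 10,000 records on a Sunday) turned into a small review pass over privileged-activity logs, as an added example that is not part of the article: the log format, the corporate address ranges and the off-hours window are assumptions, and the log lines are constructed.

```python
# Added example: a "someone should be watching" pass over privileged-activity logs.
# Log format, field names, address ranges and thresholds are assumptions;
# the log lines are constructed for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # assumed corporate ranges
BULK_ROWS = 10000          # the article's own example: 10,000 records
OFF_HOURS = range(0, 6)    # assumption: 00:00-05:59 counts as "2 AM territory"
WEEKEND = {5, 6}           # Saturday, Sunday (datetime.weekday())

# Constructed log lines: one privileged action per line, key=value fields.
LOG = """\
2026-03-01T02:13:44 user=dba_jane src=10.1.4.22 action=login
2026-03-02T09:05:10 user=app_svc src=10.2.0.7 action=query rows=120
2026-03-03T11:42:00 user=dba_jane src=198.51.100.77 action=login
2026-03-08T14:20:31 user=dba_jane src=10.1.4.22 action=export rows=25000
2026-03-04T10:00:00 user=bob src=10.3.1.9 action=login
"""


def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in fields:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def review_logs(text):
    """Return (user, reason) alerts for the three questions the article asks."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        ts = r["ts"]
        if r["action"] == "login" and ts.hour in OFF_HOURS:
            alerts.append((r["user"], f"login at {ts.hour:02d}:{ts.minute:02d}"))
        src = ip_address(r["src"])
        if not any(src in net for net in KNOWN_NETS):
            alerts.append((r["user"], f"activity from unrecognized address {src}"))
        rows = int(r.get("rows", 0))
        if rows >= BULK_ROWS:
            when = " on a weekend" if ts.weekday() in WEEKEND else ""
            alerts.append((r["user"], f"{rows} rows exported{when}"))
    return alerts


if __name__ == "__main__":
    for user, reason in review_logs(LOG):
        print(f"ALERT {user}: {reason}")
```

Whether these land in a SIEM rule or a cron job matters less than whether a named person reads the output; the Target example above is what happens when nobody does.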
Trust Is a System, Not a Feeling
I've been in situations in the hallway where the developer or project manager turned the other way when they saw me walking toward them. Security sometimes feels like being the person who shows up to the party and tells everyone to turn the music down. But that's not what this is about.
Trust but verify isn't about distrust. It's about accountability. It's about building a system where the right people have the right access at the right time, and where someone is always watching the line between the two sides of the court.
In pickleball, the best teams aren't the ones with the strongest individual players. They're the ones who communicate, cover their zones, and never let a shot land unclaimed on the line.
In cybersecurity, it's the same. The best-protected organizations aren't the ones with the most tools. They're the ones where access is intentional, monitoring is continuous, and nobody assumes that everything is fine just because the dashboard is green.
"Human error causes the majority of breaches: fix the humans before the firewalls."
Ready to find out where your gaps are?
Careful Security delivers full-service audit readiness in 90 days. 100% first-attempt pass rate. Money-back guarantee. Schedule a 15-minute discovery call
About the Author
Sammy Basu is the Founder & CEO of Careful Security. After two decades protecting Fortune 500 organizations including Goldman Sachs, Warner Bros., EA Sports, and Pfizer, he now helps high-growth firms get audit-ready through ruthless minimalism and human-first strategy. He holds CISSP, CISA, GPEN, GMON, and GCCC certifications and is the author of CISO Wisdom: Cybersecurity Untangled.
Related Articles:
- Tool Sprawl Is Killing Your Security: The Ruthless Minimalism Approach
- Why DIY SOC 2 Fails: 5 Mistakes That Cost Companies $50K+
- Schedule a Cybersecurity Gap Analysis here