End users are never implicitly trusted. Every time a user tries to access a resource, they must be authenticated and authorized, regardless of whether they are currently on the corporate network. Authenticated end users are granted least-privilege access only, as well as their permissions https://www.researchgate.net/publication/365308473_Development_of_Cyber_Attack_Model_for_Private_Network
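The per-request check described above, as an added example that is not part of the original page: every request is authenticated and authorized against a deny-by-default policy, and the caller's network location is never consulted. The key, roles, paths and IP addresses are constructed for illustration, and the HMAC-signed token is an assumed stand-in for whatever credential a real deployment uses.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store

# Constructed least-privilege policy: each role lists the exact (method, path) pairs it may use.
POLICY = {
    "hr-clerk": {("GET", "/payroll/summary")},
    "hr-admin": {("GET", "/payroll/summary"), ("POST", "/payroll/run")},
}

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest()).decode()

def issue_token(user, role, ttl=300, now=None):
    """Issue a short-lived signed token once the user has authenticated."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def authenticate(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    return claims if claims.get("exp", 0) > now else None

def decide(request, now=None):
    """Evaluate one request; request["source_ip"] is deliberately never read."""
    claims = authenticate(request.get("token", ""), now)
    if claims is None:
        return False, "unauthenticated"
    allowed = POLICY.get(claims.get("role"), set())  # unknown role -> empty set -> deny
    if (request.get("method"), request.get("path")) not in allowed:
        return False, "not authorized"
    return True, "ok"
```
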