Despite recent data breach and cyberattack headlines, far too many organizations are still giving users more privileges than they need, according to a recent report from BeyondTrust.
Nearly half of the survey respondents—a solid 47 percent—said some of their users have access rights and privileges they don’t need for their current role, BeyondTrust found in the “Privilege Gone Wild 2” report, released Tuesday. The survey highlighted “gaping holes” in how organizations approach privilege management as many of them are not proactively controlling their users’ access rights.
Eighty-four percent believe the risk to their organizations from privileged users will increase over the next few years. Business information, such as corporate intellectual property, source code, design documents, trade secrets, and compliance-related data such as personal data and health records, are at risk, 42 percent of the respondents said. About 79 percent of respondents said employees were “somewhat likely” to “very likely” to access sensitive or confidential data because they were curious. Approximately 60 percent said employees would be able to circumvent existing restrictions and still get to the data.
Several recent data breaches, malware attacks, and other security incidents have been linked with users having excessive privilege rights. Attackers don’t have to phish administrators if they can get to other employees with the same administrator rights on sensitive systems. Many malware attacks take advantage of the fact that users have administrator rights over their computers, paving the way for malware to try to execute malicious commands on the local machine as an administrator.
“Recent, high-profile breaches involving the abuse of privileged credentials appear to be motivating organizations to take a deeper look as their privileged account management practices,” Scott Lang, director of privilege strategies, BeyondTrust, wrote on the company blog.
Only 40 percent of the respondents said they have deployed some kind of privilege management enterprise-wide, and 30 percent said they did not have any controls in place. About 60 percent of surveyed organizations rely on Linux- and UNIX-based systems for business-critical, tier-1 applications, such as ERP, financial tools, and ecommerce systems, but more than 57 percent of participants said they have no tools or processes in place to prevent misuse, the survey found.
Discovering what privileges end users have in the first place is a good place to start. As would be a discovery exercise to identify all privileged accounts, Lang said.
Shortly after the data breach at Sony late last year, many critics derided the entertainment giant for storing passwords to various systems in spreadsheets. It isn’t the first company to list all the passwords in a file, and it won’t be the last. A little over a third of the respondents said passwords are shared across multiple users via spreadsheets, SharePoint, and Active Directory. Shared passwords remain a significant problem for organizations, as over half of the survey respondents said these types of credentials are managed individually and not as part of a vault or some other password management interface.
Organizations need to control, track, and audit who is accessing privileged accounts. “If a breach occurs, whether deliberate or inadvertent, you need the ability to identify what happened, when, and by which user’s credentials,” Lang said.
Organizations understand the risks of not bringing privileges and access rights under control. Cost was commonly cited as a barrier to adopting privilege access management platforms. The good news is that 30 percent of respondents expect to introduce new privilege access management tools in their organizations in 2015. Respondents rated password and server security as the two top priority areas.
“The good news is that progress is being made,” Lang said.
Lang recommended organizations assemble cross-functional teams to address privileged account management. The survey found that while security drove most privilege account management purchases, compliance and IT operations teams also played a part. Organizations also need to define controls to enforce policy. “Policies are only worth the paper they’re printed on unless they are backed up with controls and enforcement,” Lang said.
Privileges Gone Wild 2 looks at information from 728 IT decision makers including security managers, and network and systems engineers across a number of industries including financial services, manufacturing, and government, among others.