Insider threats continue to plague IT managers

This confidential data theft is often carried out by exploiting privileged account access. A full 65% of the 820 IT managers and C-level professionals surveyed believe that the majority of recent security attacks have involved this type of access.

“Insiders often leverage these privileged accounts to access stuff that they really shouldn’t”, said Adam Bosnian, executive vice president Americas and corporate development at Cyber-Ark. Bosnian noted that the major data breach last year at RSA included abuse of privileged account access by the attackers once they gained access through a spear phishing attack.

“There are these open doors to the gold of your organization. You need to start being aware of them, you need to start controlling them, and you need to make sure the controls are effective”, Bosnian told Infosecurity.

According to the survey, respondents’ IT security priorities for this year include: vulnerability management (17%), privileged identity management (16%), security information and event monitoring (15%), and anti-virus/malware (13%).

“Privileged identity management was ranked number two in IT security priorities….I think that is a major milestone in the awareness of how bad the problem is within the organization”, Bosnian said.

“Some companies, while they start down the path of fixing the problem, don’t always go far enough and really fix it”, he added.

The survey found that 43% of respondents said their organizations did not monitor the use of privileged accounts or they were unsure of whether they did. Of those organizations that monitor privileged access, 52% of respondents said that they could get around current controls.

In line with these findings, 45% indicated that they have access to information on a system that is not relevant to their role; 42% said that they or a colleague have used admin passwords to access information that was otherwise confidential; and 55% believe that competitors have received their company’s highly sensitive information or intellectual property.

When respondents were asked if data breach notification laws are effective in curbing data loss, 72% of respondents answered “no”, while only 28% answered “yes”.

Bosnian opined that a national data breach notification law in the US would be more effective in curbing data loss than the current patchwork of state laws. “The challenge is that a lot of data notification laws are toothless. They say you have to notify but they don’t have any mitigation in the laws or increased penalties for repeat offenders”, he added.
 
