Poor understanding of information security risk at many firms, survey finds

Close to a quarter of respondents indicated that they do not have a formal IT risk management program in place. In addition, a large percentage of businesses do not routinely review user access rights to data, according to the survey of nearly 1,250 IT decision makers at large organizations (most with more than 1,000 employees).

More than 90% of respondents said that identification of user access is a core component of their IT risk management strategy. At the same time, 60% said they only review individual user access or entitlements once per year or less frequently, and 45% said they do not certify user access to high-risk applications on a regular basis.

“The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk,” said Kurt Johnson, vice president of strategy and corporate development for Courion.

“No company wants to suffer the brand damage and liability caused by data breaches. The first step in preventing this is to establish a risk management strategy, and make user access reviews a key part of that process. Too often, an organization’s most highly sensitive data is easily accessible by numerous individuals who do not require access in the first place,” Johnson cautioned.

The survey found that 48% of all companies have discovered excessive user rights within their systems; 39% of respondents say they have identified instances of inappropriate access by privileged users within their organizations; and 56% say they found cases in which access was still active for a user’s prior role.

Courion recommends that organizations implement and manage a comprehensive identity and access management strategy in order to define, assess, enforce, and verify that the right users have the right access to the right resources and are doing the right things.
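The three conditions the survey reports (excessive rights, inappropriate privileged access, and access carried over from a prior role), together with the certification cadence it asks about, are exactly what a periodic access review reconciles. The Python script below is an added example and is not Courion's code or anything published with the survey; the role-to-entitlement map, the high-risk application list, the approval records, the four users and the 90-day certification window are all constructed sample data and assumed policy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy data for illustration (not from the survey).
ROLE_ENTITLEMENTS = {
    "analyst": {"crm:read", "wiki:edit"},
    "finance": {"erp:read", "erp:post_journal", "wiki:edit"},
    "dba":     {"erp:db_admin", "crm:db_admin"},
}
HIGH_RISK_APPS = {"erp"}                      # access here must be re-certified periodically
PRIVILEGED = {"erp:db_admin", "crm:db_admin", "erp:post_journal"}
APPROVED_PRIVILEGED = {                       # explicit, named approvals (constructed)
    ("carol", "erp:post_journal"),
    ("dave", "erp:db_admin"),
}
CERT_MAX_AGE = timedelta(days=90)             # assumed certification window
TODAY = date(2024, 6, 1)                      # fixed so the example is deterministic


@dataclass
class User:
    name: str
    role: str
    entitlements: set
    previous_roles: list = field(default_factory=list)
    last_certified: dict = field(default_factory=dict)  # entitlement -> date


def app_of(entitlement):
    """'erp:read' -> 'erp'."""
    return entitlement.split(":", 1)[0]


def review_user(user, today=TODAY):
    """Return a list of (finding, entitlement) pairs for one user.

    excess:                not justified by the current role or any prior role
    prior_role:            left over from a previous role (never removed on transfer)
    unapproved_privileged: privileged entitlement with no recorded approval
    stale_certification:   high-risk access not certified within CERT_MAX_AGE
    """
    findings = []
    expected = ROLE_ENTITLEMENTS.get(user.role, set())
    inherited = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.previous_roles))
    for ent in sorted(user.entitlements):
        if ent not in expected:
            findings.append(("prior_role" if ent in inherited else "excess", ent))
        if ent in PRIVILEGED and (user.name, ent) not in APPROVED_PRIVILEGED:
            findings.append(("unapproved_privileged", ent))
        if app_of(ent) in HIGH_RISK_APPS:
            certified = user.last_certified.get(ent)
            if certified is None or today - certified > CERT_MAX_AGE:
                findings.append(("stale_certification", ent))
    return findings


# Constructed sample population: alice moved from finance to analyst and kept
# ERP read access; bob was handed a DBA entitlement no role grants him; carol
# is clean; dave's ERP admin access has not been certified in the window.
USERS = {
    "alice": User("alice", "analyst", {"crm:read", "wiki:edit", "erp:read"},
                  previous_roles=["finance"],
                  last_certified={"erp:read": TODAY - timedelta(days=200)}),
    "bob":   User("bob", "analyst", {"crm:read", "crm:db_admin"}),
    "carol": User("carol", "finance", {"erp:read", "erp:post_journal", "wiki:edit"},
                  last_certified={"erp:read": TODAY - timedelta(days=30),
                                  "erp:post_journal": TODAY - timedelta(days=30)}),
    "dave":  User("dave", "dba", {"erp:db_admin", "crm:db_admin"},
                  last_certified={"erp:db_admin": TODAY - timedelta(days=100)}),
}


def review_all(users=USERS, today=TODAY):
    """Map each user name to its findings, omitting users with nothing to report."""
    report = {}
    for name, user in users.items():
        findings = review_user(user, today)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_all().items():
        for kind, ent in findings:
            print(f"{name}: {kind} {ent}")
```

Each finding maps to a survey category: `prior_role` is the access-still-active-for-a-previous-role case, `excess` the excessive-rights case, `unapproved_privileged` the inappropriate privileged access case, and `stale_certification` the high-risk application that has not been certified on schedule. In a real deployment the role map and approval records would come from the identity system and the HR feed, and the review would run on a fixed cadence rather than annually.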
