While data breaches stemming from insider privilege abuse continue to make headlines, the sad reality is that a full quarter of organizations have zero control over who accesses what in the network.
A BeyondTrust survey, Privilege Gone Wild 2, shows that more than one out of four companies indicated they have no controls in place to manage privileged access. That’s even though nearly half of the survey respondents (47%) admit they have employees with access rights not necessary to their current role.
Workers that have excessive privilege rights can easily compromise company assets, via the ability to steal credentials and the ease of access to sensitive data. There’s a rise in crime carried out by malicious insiders, but unwitting employees can also become conduits for outside criminals who have targeted them through judicious, well-crafted social engineering tactics. Sometimes a grooming process takes place, where the employee is developed over a period of weeks or even months to become susceptible to cybercrime ploys.
Yet, best practices are sorely lacking. For instance, over half the respondents indicate that shared passwords are managed "individually." More than a third (34%) of respondents share passwords locally, including on spreadsheets, SharePoint and Active Directory.
Seventy-nine per cent of respondents indicated that employees are somewhat likely to very likely to access sensitive or confidential data out of curiosity. And almost 60% can circumvent whatever controls are in place.
Further, business-critical, Tier 1 applications are at risk. A full 60 percent of organizations have critical applications, including ERP, financial and ecommerce systems, running on UNIX or Linux platforms. But, more than 57 percent have few or no tools or processes in place to protect against privilege misuse for these.
The good news is that organizational awareness is growing that privileged account management (PAM) is a necessary focus. Eighty-four per cent said that they believe the risk to their organizations from privileged users will increase over the next few years. They also say that business information is most at risk (42 percent). This includes corporate intellectual property, source code, design documents, trade secrets and compliance-related data such as personally identifiable information.
"While several stats in this year’s survey revealed the amount of work that needs to be done in the PAM space, it’s encouraging to see the trend of organizations’ security and IT ops teams willingness to work together to better manage the risks associated with excessive privileges," said Scott Lang, director of privilege strategies at BeyondTrust, in a statement. "Therefore, we hope this growing partnership will mean a new interest in deploying and maintaining effective PAM solutions and policies."
In fact, the survey found that security is driving PAM purchases in 82% of the organizations surveyed, and that those purchases are influenced by compliance (57%) and IT operations (42%) teams. As a cross-functional need, unified reporting is seen as critical in 56% of the organizations.
A full 30% of respondents expect to introduce new PAM technology in 2015, with password and server security claiming top spots on the list of priorities at 29% and 26%, respectively.