In today’s increasingly interconnected world, it has become a truism that data breaches are inevitable. It is no longer a question of “if” an organization will be breached, but of “when.” However, many breaches are preventable. A new survey has revealed that organizations employing privileged access best practices are better at mitigating the risks of data breaches.
The BeyondTrust 2016 Privilege Benchmarking Study is based on a May 2016 online survey of over 500 senior IT, IS, legal and compliance experts who were asked about how they manage privileged access. The respondents were categorized as either top-tier or bottom-tier based on their responses. Those with the best scores were ranked as “top-tier” and those with the worst as “bottom-tier.”
“This study confirms one of the unfortunate truths about data breaches today – namely, that many of them are preventable using relatively simple means,” said Kevin Hickey, President and CEO at BeyondTrust. “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape.”
The findings revealed that nearly three-quarters of government respondents believe lack of privileged access controls puts organizations at high risk. And they are right to be concerned. In 2013, the notorious former defense contractor Edward Snowden used his privileged credentials to access and leak millions of classified documents, demonstrating the gravity of the insider threat.
Despite this incident, as well as the increasing number of high-profile breaches over the past several years, organizations are not doing enough to prevent privileged access abuse. Government respondents reported that 20 percent of users have more privileges than they need.
The survey revealed several discrepancies in the way top and bottom tier respondents approach privileged access. More than three-quarters of top-tier organizations have an enterprise solution for managing privileged access compared to only nine percent of bottom-tier organizations. More than one-third of bottom-tier respondents do nothing at all.
Furthermore, 73 percent of top-tier respondents said they are “somewhat” or “extremely” efficient at managing credentials, compared to 38 percent of those on the bottom-tier.
When it comes to password management, most top-tiers said they have a centralized password management policy, compared to only 25 percent of bottom-tiers. This finding is alarming considering the 2016 Verizon DBIR revealed that 63 percent of confirmed data breaches involved weak, default or stolen passwords.
BeyondTrust provided five recommendations for organizations looking to improve their efforts to mitigate privileged access control risks: implement granular least privilege policies to balance security with productivity, use vulnerability assessments to achieve a holistic view of privileged security, reinforce enterprise password hygiene, improve monitoring of privileged sessions, and integrate solutions across deployments to reduce cost and complexity, and improve results.
Overall, BeyondTrust said the goal in managing privileged access is two-fold: ensuring trust insiders have access to the information they need while keeping outsiders and malicious actors out.