Insider Threats & External Cyberattackers
The 2019 edition of the Privileged Access Threat Report revealed that insider threats remain top-of-mind, and for good reason - 64% of respondents believe they have suffered a breach due to misused or abused employee access. Often, breaches caused by insiders arise from inadvertent errors—rather than intentionally malicious actions. Survey responses reflected this with IT decision-makers citing higher concern with unintentional, employee-involved breaches rather than malicious insider threats.
Shoddy password security practices were widely cited as an insider security threat by respondents. These behaviors could be clearly addressed and prevented by modern enterprise password security solutions.
Unsurprisingly, 61% of organizations also consider external attacks as a significant or moderate concern.
Vendor Access Risk
Many IT teams struggle mightily enough in trying to manage identities and privileged access within their organization. However, IT security pros must also control vendor access. The enterprises surveyed reported an average of 182 vendors logging in to their systems each week, with 58% saying they have suffered a breach due to vendor access. At organizations with 5,000+ employees, 23% say they have more than 500 vendors regularly logging into their IT environment. All of these third-party remote access points add up to a massive risk exposure that becomes particularly dangerous when inadequately managed.
Ideally, you want to extend the same best practice security from your own environment to your vendor ecosystem. However, most organizations, as evidenced by our survey results, seem far from enabling this level of secure remote access. In fact, only 29% of organizations say they are very confident that they know how many third-party vendors are accessing their systems, and only 31% are very confident they know how many individual logins can be attributed to third-party vendors.
Our survey respondents also weighed in on risks and security concerns around Internet of things (IoT).
Less than one in five respondents affirmed that they are confident in having eliminated IoT risks from their environment. Roughly six in ten decision-makers say that default passwords retained in IoT are a moderate or significant threat, with the same number worried about IoT device passwords stored as plain text. However, 91% of those organizations that deploy an IoT security solution are confident in their ability to address both of these IoT security challenges.
Compliance Concerns Driving Privileged Access Security Maturity
Nearly every month we learn of new or pending regulations related to information security, or of existing frameworks that are expanding in scope or sharpening their teeth. Indeed, 44% of our survey respondents say that complying with external standards is imposing a substantive impact on how they’re governing employee access. A year into its implementation, GDPR is exerting a forceful impact, with 65% saying that GDPR compliance continues to affect their business, and 58% stating that remaining GDPR compliant is more difficult than expected.
How Organizations are Addressing Privileged Access Security
So, what strategies are IT leaders implementing to address the diverse array of privileged access challenges, and what has been effective? On the positive side, roughly 93% of organizations are using at least some privileged access management (PAM) tools. However, on the downside, point solutions seem to proliferate, while gaps in crucial areas of privileged access remain unaddressed.
On average, the organizations surveyed employ four different methods for privileged credential management. These organizations seem to be getting at least some of the important password security basics right, with three quarters of them restricting the use of shared admin passwords, and 72% regularly rotating admin passwords. However, four tools for password management seems excessive—and inefficient. Especially considering that today’s best enterprise password management solutions provide fully integrated capabilities for privileged account password management, SSH key management, DevOps secrets management, application password management, privileged session management, and more.
Our report also revealed that, while most organizations have deployed secure remote access/support solutions and privileged password management solutions, only about a third of respondents had adopted endpoint privilege management solutions for either their desktop or server environments.
Organizations with three or more PAM tools voiced far more confidence in their visibility of threats and ability to detect where threats have originated from (insider, vendor, etc.). This visibility also enables organizations to more effectively address these risks. According to our research, these same organizations experience less severe security breaches and have better visibility and control than those who use manual solutions or no solution at all. Impressively, 90% of those with fully integrated PAM tools are confident they can identify specific threats from employees and vendors with privileged access. However, most organizations do not yet feel their PAM solutions are “fully integrated.”
As BeyondTrust Chief Technology Officer & Chief Information Security Officer, Morey Haber, summed it up, “Organizations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment. By implementing cybersecurity policies and solutions that also speed business efficiency, versus putting roadblocks in users’ way, organizations can begin to seriously tackle the privileged access problem.”
Next Steps to Reduce Privilege-Related Risks
Download the Privileged Access Threat Report 2019 now and start applying insights from your peers to close security gaps and boost protection across your entire enterprise.