PHOENIX, August 24, 2016 – BeyondTrust, the leading cyber security company dedicated to preventing privilege misuse and stopping unauthorized access, today unveiled the results of its definitive Privilege Benchmarking Study based on a worldwide survey of IT professionals. The study demonstrates a widening gulf between organizations that adhere to best practices for privileged access management.
Over 500 senior IT, IS, legal and compliance experts were asked about their privileged access management practices. Their responses were divided into two tiers based on industry best practices, with top-tier companies distinguishing themselves as far better prepared to mitigate the impact from data breaches. A summary of the findings is included below.
Password and Credential Management: Only 14 percent regularly cycle their passwords, leaving systems exposed to breaches
With 63 percent (2016 Verizon DBIR) of confirmed data breaches involving weak, default or stolen passwords, it’s never been more important to apply discipline and accountability over enterprise credentials.
Session Monitoring: Just 3 percent watch/terminate sessions in real time – how do you stop a possible breach in time?
When it comes to real-time monitoring and restriction of access, the top-tier companies are far ahead.
Evaluation of Risk: Amazingly, 52 percent “just know” what the risks, but aren’t doing enough about it
Perhaps the starkest contrast between top-tier and bottom-tier organizations can be illustrated in how – or whether – risk is scored in determining application privileges.
Despite the risks of leaving users and systems with unmanaged access to network resources, only 9 percent of bottom-tier companies have an enterprise solution in place for managing privileged access, and more than one-third do nothing at all. Among the top-tier companies, however, 78 percent have an enterprise solution in place.
Federal Government Vulnerable to Breaches
The survey also found that despite a high level of awareness of the threat, federal government agencies leave themselves open to attack. Seventy-two percent of government responders believe that there would be a high risk to general business and mission information if organizations lacked proper access control for privileged users. The federal government has implemented mandates such as FISMA and CSIP to address various attack vectors within agency networks. Yet, respondents also report that 20 percent of users have more privileges than they need. These results highlight an opportunity for improvement in adopting processes and technologies to further secure privilege access in Federal agencies.
What Organizations Can Do to Close the Gap Between Their Practices and Best Practices
For organizations looking to reduce the risk of a damaging data breach as a result of privilege abuse or misuse, BeyondTrust has developed five recommendations based on the Privilege Benchmarking Study:
Be granular: Implement granular least privilege policies to balance security with productivity. Elevate applications, not users.
Know the risk: Use vulnerability assessments to achieve a holistic view of privileged security. Never elevate an application’s privileges without knowing if there are known vulnerabilities.
Augment technology with process: Reinforce enterprise password hygiene with policy and an overall solution. As the first line of defense, establish a policy that requires regular password rotation and centralizes the credential management process.
Take immediate action: Improve real-time monitoring of privileged sessions. Real-time monitoring and termination capabilities are vital to mitigating a data breach as it happens, rather than simply investigating after the incident.
Close the gap: Integrate solutions across deployments to reduce cost and complexity, and improve results. Avoid point products that don’t scale. Look for broad solutions that span multiple environments and integrate with other security systems, leaving fewer gaps.
“This study confirms one of the unfortunate truths about data breaches today – namely, that many of them are preventable using relatively simple means,” said Kevin Hickey, President and CEO at BeyondTrust. “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape.
Privilege Benchmarking Study
For more information, privilege-benchmarking-study-2016, download the Privilege Benchmarking Study.