Over 500 senior IT, IS, legal and compliance experts were asked about their privileged access management practices. Their responses were divided into two tiers based on industry best practices, with top-tier companies distinguishing themselves as far better prepared to mitigate the impact from data breaches. A summary of the findings is included below.
Password and Credential Management: Only 14 percent regularly cycle their passwords, leaving systems exposed to breaches
With 63 percent (2016 Verizon DBIR) of confirmed data breaches involving weak, default or stolen passwords, it’s never been more important to apply discipline and accountability over enterprise credentials.
· Top-tier companies were much more likely to have a centralized password management policy – 92 percent of them do, in contrast with just 25 percent of bottom-tier organizations.
· Password cycling is also much more common among top-tier businesses; 76 percent of top-tiers frequently have passwords changed, whereas only 14 percent of bottom-tiers do.
· Credential management formed another point of distinction, with nearly three-quarters (73 percent) identifying themselves as efficient in this area, compared to 36 percent of the bottom-tier companies.
Session Monitoring: Just 3 percent watch/terminate sessions in real time – how do you stop a possible breach in time?
When it comes to real-time monitoring and restriction of access, the top-tier companies are far ahead.
· More than two-thirds of top-tier companies (71 percent) can monitor privileged user sessions, and 88 percent can restrict access with a measure of granularity.
· Among bottom-tiers, fewer than half (49 percent) can monitor sessions, and only 37 percent have granular capabilities to restrict access.
Evaluation of Risk: Amazingly, 52 percent “just know” what the risks are, but aren’t doing enough about them
Perhaps the starkest contrast between top-tier and bottom-tier organizations can be illustrated in how – or whether – risk is scored in determining application privileges.
· Among top-tier organizations, fully 9 out of 10 grant privileges to apps rather than users. Among bottom-tier companies, this falls to 46 percent.
· While it’s vital to evaluate the risks posed by individual apps and systems, only 6 percent of bottom-tier companies have tools that provide this capability – and, shockingly, 52 percent “just know” what the risks are. Meanwhile, more than half of top-tier companies (57 percent) can make these assessments.
· Top-tier companies are also more likely to actually conduct vulnerability assessments; 91 percent do, compared to just 20 percent of bottom-tier organizations.
Despite the risks of leaving users and systems with unmanaged access to network resources, only 9 percent of bottom-tier companies have an enterprise solution in place for managing privileged access, and more than one-third do nothing at all. Among the top-tier companies, however, 78 percent have an enterprise solution in place.
Federal Government Vulnerable to Breaches
The survey also found that despite a high level of awareness of the threat, federal government agencies leave themselves open to attack. Seventy-two percent of government respondents believe that there would be a high risk to general business and mission information if organizations lacked proper access control for privileged users. The federal government has implemented mandates such as FISMA and CSIP to address various attack vectors within agency networks. Yet respondents also report that 20 percent of users have more privileges than they need. These results highlight an opportunity for improvement in adopting processes and technologies to further secure privileged access in federal agencies.
What Organizations Can Do to Close the Gap Between Their Practices and Best Practices
For organizations looking to reduce the risk of a damaging data breach as a result of privilege abuse or misuse, BeyondTrust has developed five recommendations based on the Privilege Benchmarking Study:
· Be granular: Implement granular least privilege policies to balance security with productivity. Elevate applications, not users.
· Know the risk: Use vulnerability assessments to achieve a holistic view of privileged security. Never elevate an application’s privileges without knowing if there are known vulnerabilities.
· Augment technology with process: Reinforce enterprise password hygiene with policy and an overall solution. As the first line of defense, establish a policy that requires regular password rotation and centralizes the credential management process.
· Take immediate action: Improve real-time monitoring of privileged sessions. Real-time monitoring and termination capabilities are vital to mitigating a data breach as it happens, rather than simply investigating after the incident.
· Close the gap: Integrate solutions across deployments to reduce cost and complexity, and improve results. Avoid point products that don’t scale. Look for broad solutions that span multiple environments and integrate with other security systems, leaving fewer gaps.
“This study confirms one of the unfortunate truths about data breaches today – namely, that many of them are preventable using relatively simple means,” said Kevin Hickey, President and CEO at BeyondTrust. “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape.”