The strength of regular access reviews

Netwrix, a cybersecurity vendor that makes data security easy, asked 590 IT pros whether and how they review user access permissions. The survey found that 90 per cent of organisations either already periodically review access entitlements or plan to start doing so within three years.

However, most respondents (81 per cent) admit that they perform access reviews manually.

“Manual review is the most unreliable and time-consuming way of keeping permissions up to date,” says Joe Dibley, security researcher at Netwrix. “An email or instant message from some department head confirming access rights usually satisfies neither internal nor external auditors. Moreover, this approach increases the chance of human error — it’s too easy to forget about someone’s answer or miss the email altogether.”

Moreover, in 41 per cent of organisations, IT teams review user access rights not only manually but on their own, without involving business users at all.

“IT teams generally are not in a position to know exactly who needs what access to which IT resources. As a result, the organisation not only fails to properly enforce least privilege, but the helpdesk is overwhelmed by requests from business users and data owners to update access rights,” comments Dibley.

The respondents who already have a dedicated tool for reviewing user access rights were then asked what they consider to be the biggest benefit of that solution. Of these, 49 per cent named risk reduction and 28 per cent chose time savings.

“Automating access reviews reduces cybersecurity risks directly, by ensuring regular update of users’ rights — and indirectly as well: eliminating manual tasks frees up IT teams to focus on other critical activities, like investigating security incidents before they turn into breaches,” adds Dibley.
