Keys to the kingdom: 70pc of companies would fail an access control audit

13 Mar 2018


Most organisations are not protecting their privileged credentials well enough.

A new global study by IT security solutions provider Thycotic reveals major risks and compliance gaps in how organisations manage and secure their privileged accounts and access to sensitive infrastructure, data and systems.

The Global 2018 State of Privileged Access Management Risk & Compliance report shows that many organisations need to improve security controls to protect their most crucial assets.

Nearly 500 global IT security professionals answered a comprehensive survey for the report.

A prime target for crime

Privileged access accounts are highly prized by cyber-criminals and malicious insider threats, as they often lead to valuable and confidential information, including customer identities and financial reports.

While 80pc of organisations surveyed say privileged access management (PAM) security is a high priority, and 60pc say it is required to demonstrate compliance with government regulations, most are failing to act to protect their accounts effectively.

The report notes that many processes around PAM are poorly executed. Failing to implement consistent processes on access control naturally presents a greater risk to companies, as does neglecting to actually examine and audit what private accounts your organisation uses and for what purpose. 55pc of companies fail to revoke access to privileged accounts once an employee no longer works there and 40pc do nothing at all to discover privileged accounts.

Poor controls and little tracking

Insufficient controls are also a major issue when it comes to PAM security. Without audit logs that record activity on an ongoing basis, there is little a company can do in terms of analysis and mitigation in the event of an incident.

73pc of organisations don’t require two-factor authentication for privileged accounts and 63pc do not track failed login attempts for said accounts. With the volume of attacks related to third parties increasing, the report nonetheless shows that access is not being limited – 70pc of organisations fail to limit third-party access to third-party accounts.

Poor organisational response

Joseph Carson, chief security scientist at Thycotic, told Siliconrepublic.com: “In terms of the findings of the survey, for me, the results were much worse than expected.

“While most organisations acknowledge the importance of privileged access management in their cybersecurity posture, the report surprisingly finds that most are actually failing to protect and secure their privileged accounts.

“This then raises many questions around the auditing process: how many are actually auditing? Are the regulatory bodies – which organisations admit they need to comply with – doing enough to enforce these standards, or have they themselves just become a simple ‘check box’ system where organisations are allowed to call themselves compliant in order to maintain the status quo?”

Carson concluded by urging organisations to learn how to measure their security effectively, and begin to let go of legacy systems and technologies in order to invest for the future.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
