Hidden IT Security Risk: Privileged User Access - InformationWeek
8/29/2016
11:05 AM

Hidden IT Security Risk: Privileged User Access

A Ponemon report finds the security threats around privileged user access and the resulting insider threat risks appear to be growing. Here's what IT should be keeping an eye on.


Individuals with the most access to high-value information assets can be a serious insider risk for businesses, according to a Ponemon study sponsored by Forcepoint.

The survey of 704 privileged users included database administrators, network engineers, IT security practitioners, and cloud custodians. The study incorporated three years of research findings, and revealed these individuals often use their rights inappropriately and put their organizations' sensitive information at risk.

The report found 58% of IT operations and security managers believe their organizations are unnecessarily granting access to individuals beyond their roles or responsibilities -- with the vast majority (91%) predicting the risk of insider threats will continue to grow or stay the same.

This finding is up slightly since 2011 when 86% of respondents were concerned about the threat, but a majority of those surveyed reported that only 10% or less of their budget is dedicated to addressing the insider threat challenge.

(Image: Danil Melekhin/iStockphoto)


The overall impact of the risk caused by privileged user abuse or misuse of IT resources on access governance processes has increased significantly to 32% of respondents in this year's study, up from 19% of respondents in the 2011 survey.

According to 79% of respondents, privileged access rights are required to complete their current job assignments, though 21% of those surveyed reported that they do not need privileged access to do their jobs.

That group cited two primary reasons for having it. The first is that everyone at their level has privileged access even if it is not required to perform a job assignment. The second is the IT organization failing to revoke these rights when these employees changed their position.

Forty percent of respondents report that business unit managers are most responsible for conducting privileged user role certification, an increase from 36% in 2014 and 32% in 2011.

However, the ability to keep pace with access change requests is getting worse, with 61% of respondents saying they struggle to keep pace with the number of access change requests that come in on a regular basis, up from 53% in 2011.


Other issues include the length of time it takes to deliver access to privileged users -- up to 47% in 2016 from 32% in 2011 -- and the lack of a consistent approval process.

To make matters worse, organizations have difficulty in actually knowing if an action taken by an insider is truly a threat, though the report also revealed government organizations are more confident that they have enterprise-wide visibility for privileged user access.

The report noted:

Because security tools yield more data than can be reviewed in a timely fashion and behavior involved in the incident is consistent with the individual's role and responsibility. Monitoring and reviewing of log files, security information and event management (SIEM) and manual oversight are the primary steps taken to determine if an action taken by an insider is truly a threat.

This lack of visibility continues to hinder the ability to determine if users are complying with policies, with 39% of respondents lacking confidence that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. In addition, 18% reported that they were very confident they have this visibility.

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Comments
Michelle,
User Rank: Ninja
8/30/2016 | 11:41:53 PM
Re: risky rewards
We're reading more of what we already knew, but what should be done about it? Taking away access can be seen in many a negative light by employees with access.
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:16:47 PM
Re: risky rewards
Indeed.  My reaction here is that, while the exact data/statistics are interesting and potentially helpful, Ponemon's overall message here in this study is one that I think we all already knew.
Michelle,
User Rank: Ninja
8/29/2016 | 12:52:13 PM
risky rewards
These findings aren't surprising at all. Some users who work at a level that typically gets higher access aren't actually equipped to manage that risk. They may have knowledge gaps in understanding of cyber security best practices.