Hidden IT Security Risk: Privileged User Access - InformationWeek


11:05 AM

Hidden IT Security Risk: Privileged User Access

A Ponemon report finds the security threats around privileged user access and the resulting insider threat risks appear to be growing. Here's what IT should be keeping an eye on.


Individuals with the most access to high-value information assets can be a serious insider risk for businesses, according to a Ponemon study sponsored by Forcepoint.

The survey of 704 privileged users included database administrators, network engineers, IT security practitioners, and cloud custodians. The study incorporated three years of research findings, and revealed these individuals often use their rights inappropriately and put their organizations' sensitive information at risk.

The report found 58% of IT operations and security managers believe their organizations are unnecessarily granting access to individuals beyond their roles or responsibilities -- with the vast majority (91%) predicting the risk of insider threats will continue to grow or stay the same.

This finding is up slightly since 2011 when 86% of respondents were concerned about the threat, but a majority of those surveyed reported that only 10% or less of their budget is dedicated to addressing the insider threat challenge.

(Image: Danil Melekhin/iStockphoto)


The overall impact of the risk caused by privileged user abuse or misuse of IT resources on access governance processes has increased significantly to 32% of respondents in this year's study, up from 19% of respondents in the 2011 survey.

According to 79% of respondents, privileged access rights are required to complete their current job assignments, though 21% of those surveyed reported that they do not need privileged access to do their jobs.

That group cited two primary reasons for having it. The first is that everyone at their level has privileged access even if it is not required to perform a job assignment. The second is the IT organization failing to revoke these rights when these employees changed their position.

Forty percent of respondents report that business unit managers are most responsible for conducting privileged user role certification, an increase from 36% in 2014 and 32% in 2011.

However, the ability to keep pace with access change requests is getting worse, with 61% of respondents saying they struggle to keep pace with the number of access change requests that come in on a regular basis, up from 53% in 2011.


Other issues include the length of time it takes to deliver access to privileged users -- up to 47% in 2016 from 32% in 2011 -- and the lack of a consistent approval process.

To make matters worse, organizations have difficulty in actually knowing if an action taken by an insider is truly a threat, though the report also revealed government organizations are more confident that they have enterprise-wide visibility for privileged user access.

The report noted:

Because security tools yield more data than can be reviewed in a timely fashion and behavior involved in the incident is consistent with the individual's role and responsibility. Monitoring and reviewing of log files, security information and event management (SIEM) and manual oversight are the primary steps taken to determine if an action taken by an insider is truly a threat.

This lack of visibility continues to hinder the ability to determine if users are complying with policies, with 39% of respondents lacking confidence that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. In addition, 18% reported that they were very confident they have this visibility.

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:16:47 PM
Re: risky rewards
Indeed.  My reaction here is that, while the exact data/statistics are interesting and potentially helpful, Ponemon's overall message here in this study is one that I think we all already knew.