Vulnerability Management

Companies fail at enforcing security of privileged accounts, report says

More than half of companies are failing when it comes to the proper enforcement of privileged credential controls.

The 2016 State of Privileged Account Management (PAM) report conducted by Thycotic and Cybersecurity Ventures queried more than 500 IT security professional participants from around the globe and found that while 80 percent of organizations considered PAM security a high priority, 70 percent of them do not require approval for creating new privileged accounts.

The organizations were graded on a benchmark scoring methodology using an A-F scale.

The study also found that 50 percent of the organizations do not audit privileged account activity, 40 percent organizations use the same security for privileged accounts as standard accounts, and 66 percent still rely on manual methods to manage privileged accounts.

To make matters worse, 30 percent of organizations have not communicated the importance of following IT security policies to their stakeholders.

To address these issues, researchers recommend that IT professionals educate key stakeholders about the urgency and value of privileged account and access management security, discover where privileged accounts are located, and automate the management and security of them.

Researchers also recommended that IT departments adopt and implement security policies and provide greater visibility in PAM CISOs while helping to assure the ability to can demonstrate compliance with audits and policies affecting privileged account credentials.

The biggest inhibitor is that many companies don't understand that this is a major problem, Thycotic head of global strategic alliances Joseph Carson told via emailed comments.

“Many organizations do not realize the extent and existing landscape of privileged accounts and they trust their spreadsheets and the people who keep them manually updated,” Carson said. “As the Internet of Things (IoT) quickly expands to almost every device having a privileged account, the number of privileged accounts gap from the manual method become inefficient and outdated.”

Carson said cybersecurity clearly is evolving and that as organizations are forced to change, properly protecting identities and privileged accounts will be key to keep organizations from becoming cyber victims.

Many organizations have built bigger and better walls as breaches continue to occur because attackers simply obtain access to privileged credentials and walk across their defenses undetected, he said.

“What can be done to change this is to help organizations understand the risks, educate businesses on the key importance of privileged accounts, discover the privileged landscape of their company and better educate them on key methods to protect them,” Carson said. “Sometimes many of these findings seem quite common sense as best practices, but until they are required, organizations continue to fail.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.