70 percent of companies would fail an access control audit
A new study into privileged access management from account protection specialist Thycotic shows that while over 60 percent of organizations must satisfy regulatory compliance requirements surrounding privileged credential access, a worrying 70 percent would fail an access controls audit.
Access to privileged accounts allows more rights and permissions than those given to standard business users, yet 51 percent fail to use a secure logon process for these accounts.
"Failing an audit restricts organizations from doing business, it restricts them from government access to request information or bid for contracts, in the payments sector it could hinder their operations," Joseph Carson, chief security scientist at Thycotic, says. "Yet we find that many have done nothing at all in terms of implementing the controls they need. The concern is that the standards are not being enforced and there's not an underlying baseline of protection. Almost 70 percent of organizations would fail an audit if they had to do it."
Among the other findings, 62 percent of organizations fail at provisioning processes for privileged access, and 73 percent fail to audit and remove test accounts or modify default accounts before moving applications to production.
70 percent of organizations fail to fully discover privileged accounts, and 40 percent do nothing at all to discover these accounts. A further concern is that 55 percent fail to revoke access after an employee leaves the business.
Carson believes these failings are due to a disconnect between the needs of security and compliance. "There's a gap between the risk team and the security team, we haven't had a strong enough convergence between them. PAM affects multiple parts of a business, those that are still working in silos will continue failing in this area. This is partly IT's failure to understand the business and continuing to operate as an independent unit."
You can read more about the results in the full report available from the Thycotic website.