Too many users given access to sensitive information
Poor privileged access management practices that lead to people having too much access continue to be a critical challenge for many organizations despite significant risks of data breaches and security incidents.
A new report from technology consulting company Sila and the Ponemon Institute surveyed more than 650 North American respondents and finds 70 percent think it likely that privileged users within their organizations are accessing sensitive or confidential data for no discernible business need.
The main reason users have unnecessary access to sensitive resources is often that all users at their level are given privileged access, even if it is not required to do their jobs. According to respondents, privileged access rights also regularly remain active even after a role change (30 percent). 62 percent of participants feel it likely that their organization assigns privileged access rights that go beyond an individual’s role or responsibilities. This proliferation of access is emphasized with more than 75 percent of respondents having privileged access to three or more IT resources.
"The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization's business objectives as well as its security," says Tapan Shah, managing director at Sila. "Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business -- unnecessary privileged access puts data, employees, customers, and the overall business at risk."
Among other findings 52 percent of organizations don't believe they have the capabilities to effectively monitor privileged user activities and 60 percent are not confident that their organization has enterprise-wide visibility for privileged user access or can determine if these users are compliant with policies.
Among the reasons for this lack of confidence are that 45 percent say they can't create a unified view of privileged access across the enterprise and 29 percent say they can’t keep up with the changes occurring to the organization's IT resources.
Over 70 percent of respondents believe that greater automation of access management processes would be the biggest benefit to their organization's overall identity and access management security posture.