Basic security hygiene dictates login credentials should never be shared. But a new survey from Centrify shows the practice is prevalent and poorly managed.
A little over half of United States-based IT leaders and a third United Kingdom-based leaders believe it would be “easy” for an ex-employee to log in and access systems or information with old passwords, Centrify found in its recent State of the Corporate Perimeter survey. Even though half of the respondents said ex-employees and contractors are “off-boarded” the day they are terminated, but it can take up to a week or more to completely remove access rights and passwords to sensitive data for those individuals.
That is a long enough time for these individuals to log back in and either steal data or sabotage systems. A few years ago, a system administrator who retaliated against the company for firing him by remotely logging in and wiping all the data off systems. And that isn’t a solo incident.
What is even more worrying is how freely access to privileged accounts for applications, systems, and network devices are being shared. The survey found 40 percent of U.K. IT leaders working for companies with over 500 employees said more than 10 percent of their staff have privileged access to data. The number jumps to 50 percent for companies with less than 500 employees, Centrify said. That’s a lot of people, and it’s unlikely they all need access to confidential and highly sensitive information.
“Giving employees elevated access to privileged accounts and the organization’s most critical data, applications systems and network devices is essentially giving them the ‘keys to the kingdom’. It’s the equivalent of providing the front door key to your house – and you’d be very, very careful who you gave that to,” said Barry Scott, CTO EMEA at Centrify.
This also fits with the security headlines. Remember that the Office of Personnel Management had many users logging in as root, and several of the people accessing the systems were not properly vetted.
Three-quarters of IT leaders in the U.S. and more than half in the U.K. said their organizations “need to do a better job” of monitoring who has access to sensitive information. Organizations are not doing a very good job of tracking who has access to key data, the survey suggested. And that includes tracking ex-employees, contractors, and other partners. About 62 percent of U.S. IT leaders believe their organization has too many privileged users.
The sharing is widespread, as 59 percent of U.S.-based respondents said they’ve shared key access with unvetted employees “at least somewhat often,” and 52 percent in the U.S. said they’ve done the same with outside contractors. The numbers were a little more reassuring with the U.K. group, at 34 percent and 32 percent, respectively. But it’s still not a good sign.
Of those two groups, 82 percent of the U.S. IT leaders and 68 percent of U.K. leaders said “it would be somewhat easy” for those individuals to gain access to key pieces of data.
Half of the 400 IT decision makers who participated in the survey were based in the United States and the other half from the United Kingdom. While there were some regional differences, the overall pattern was consistent across both groups. For example, 55 percent of IT leaders in the U.S. and 45 percent in the U.K. said their organizations have suffered a data breach. Those breaches cost the companies involved millions of dollars in damages, Centrify said.
Privileged access is part of identity management. While 92 percent of organizations in the US currently have some form of user monitoring in place, only 56 percent have privileged identity management. Nearly a third of those companies don’t have dedicated personnel auditing how those privileged accounts are being used on a weekly basis. A little over half update passwords on a regular basis.
“It’s surprising that experienced IT decision makers like this are admitting that their organizations need to do a better job of monitoring who has access to their data, despite high profile incidents like Sony, JP Morgan and Target and the knowledge that breaches can potentially cost them millions of pounds,” Scott said.