Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Failure to Manage Privileged User Access Challenges Efforts to Address Insider Threats

Tucked inside Verizon’s massive 2014 Data Breach Investigations Report are these numbers: 11,698 and 112.

Tucked inside Verizon’s massive 2014 Data Breach Investigations Report are these numbers: 11,698 and 112.

Those figures, respectively, represent the number of incidents the firm examined in 2013 where insiders used organizational resources maliciously or without approval, as well as the number of those incidents that resulted in confirmed data loss. For all the awareness of insider threats, organizations are still faced with the reality of employees doing things that they shouldn’t.

Yet according to a new study from the Ponemon Institute sponsored by Raytheon, the corporate world is doing a mediocre job of staying on top of user access and privileges. Forty-nine percent of respondents said they do not have policies for assigning privileged user access. In addition, two of the biggest challenges cited in the study are having enough contextual information provided by security tools (69 percent) and security tools providing too many false positives (56 percent). Organizations are also struggling with enforcing access rights for privileged users.

Forty-two percent said they were not confident their organization has the enterprise-wide visibility to determine if privileged users are compliant with policies. Just 34 percent described themselves as either “confident” or “very confident.”

“The results of this survey should serve as a wakeup call to every executive with responsibility for protecting company or customer sensitive data,” said Jack Harrington, vice president of Cybersecurity and Special Missions, Raytheon Intelligence Information and Services, in a statement. “While the problem is acutely understood, the solutions are not.”

The news is not all bad however. Slightly more organizations use well-defined policies that are centrally controlled by corporate IT (35 percent) than in 2011 (31 percent). There was also a drop off in the use of ad-hoc approaches to assigning privileged user access.

“The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent),” according to the Ponemon study. “However, two problems have increased significantly. These are the burdensome process for dealing with business users requesting access (from 23 percent to 35 percent of respondents) and it takes too long to deliver access to privileged users (32 percent to 44 percent).”

This problem leads to another concern – the loss of business and customer information. According to the respondents, 56 percent said general business information was most at risk due to a lack of access controls for privileged users, while 49 percent named customer data as being at risk. Fears about corporate intellectual property jumped from 12 percent in 2011 to 33 percent.  

Increasingly, business managers are becoming involved in granting privileged access and conducting user role certification, the study found. Fifty-one percent said it is the business user manager who most often handles access requests, which is an eight percent increase from 2011. Fifty-seven percent believe no background checks are performed in most organizations before privileged credentials are issued.

According to the survey, mobile applications were the most widely cited type of application considered to be at risk in their organizations due to the lack of proper access governance and control. Social media applications and cloud applications were the second and third most cited.

“Our goal is to also help organizations understand that good people can make mistakes and put sensitive data at risk,” said Harrington. “Even a well-intentioned, seasoned, privileged user with wide access to a network poses great risks because they are high-value targets to corporate ‘hacktivists’ and persistent adversaries eager to penetrate a company’s defenses.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Identity and access governance vendor Saviynt has closed a $205 million financing round.

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...