Tucked inside Verizon’s massive 2014 Data Breach Investigations Report are these numbers: 11,698 and 112.
Those figures, respectively, represent the number of incidents the firm examined in 2013 where insiders used organizational resources maliciously or without approval, as well as the number of those incidents that resulted in confirmed data loss. For all the awareness of insider threats, organizations are still faced with the reality of employees doing things that they shouldn’t.
Yet according to a new study from the Ponemon Institute sponsored by Raytheon, the corporate world is doing a mediocre job of staying on top of user access and privileges. Forty-nine percent of respondents said they do not have policies for assigning privileged user access. In addition, two of the biggest challenges cited in the study are having enough contextual information provided by security tools (69 percent) and security tools providing too many false positives (56 percent). Organizations are also struggling with enforcing access rights for privileged users.
Forty-two percent said they were not confident their organization has the enterprise-wide visibility to determine if privileged users are compliant with policies. Just 34 percent described themselves as either “confident” or “very confident.”
“The results of this survey should serve as a wakeup call to every executive with responsibility for protecting company or customer sensitive data,” said Jack Harrington, vice president of Cybersecurity and Special Missions, Raytheon Intelligence Information and Services, in a statement. “While the problem is acutely understood, the solutions are not.”
The news is not all bad however. Slightly more organizations use well-defined policies that are centrally controlled by corporate IT (35 percent) than in 2011 (31 percent). There was also a drop off in the use of ad-hoc approaches to assigning privileged user access.
This problem leads to another concern – the loss of business and customer information. According to the respondents, 56 percent said general business information was most at risk due to a lack of access controls for privileged users, while 49 percent named customer data as being at risk. Fears about corporate intellectual property jumped from 12 percent in 2011 to 33 percent.
Increasingly, business managers are becoming involved in granting privileged access and conducting user role certification, the study found. Fifty-one percent said it is the business user manager who most often handles access requests, which is an eight percent increase from 2011. Fifty-seven percent believe no background checks are performed in most organizations before privileged credentials are issued.
According to the survey, mobile applications were the most widely cited type of application considered to be at risk in their organizations due to the lack of proper access governance and control. Social media applications and cloud applications were the second and third most cited.
“Our goal is to also help organizations understand that good people can make mistakes and put sensitive data at risk,” said Harrington. “Even a well-intentioned, seasoned, privileged user with wide access to a network poses great risks because they are high-value targets to corporate ‘hacktivists’ and persistent adversaries eager to penetrate a company’s defenses.”