SecurityWeek


User Access Given Carte Blanche Still a Problem, HP Study Says

A recent study from HP and the Ponemon Institute surveyed more than 5,500 IT professionals, from operations to security management, to gauge potential problems with user access and policy enforcement. The results? Unchecked access to data is still an issue, no matter what segment of the business world you’re looking at.


“…increased threats to sensitive and confidential workplace data are created by a lack of control and oversight of privileged users, including database administrators, network engineers and IT security practitioners,” explains the top takeaway from HP’s commissioned research.

The survey revealed that more than half of the respondents said they are likely to be given access to company data beyond the scope of their job requirements. For example, a network administrator might have access to HR data such as payroll, or a database administrator might have unrestricted access to a company’s customer list.

“Customer information and general business data are at the highest risk, and the most threatened applications included mobile, social media and business unit specific applications,” the report notes.

In addition, more than 60 percent of those with access to data said they would examine it out of curiosity, not as a job function.

“This study spotlights risks that organizations don’t view with the same tenacity as critical patches, perimeter defense and other security issues, yet it represents a major access point to sensitive information,” said Tom Reilly, vice president and general manager, Enterprise Security Products, HP.

“The results clearly emphasize the need for better access policy management, as well as advanced security intelligence solutions, such as identity and privileged user context, to improve core security monitoring.”

Despite the issues with user access and control, most of those who took part in HP’s research said they have something in place policy-wise to control access. Yet, granular control and visibility were still a problem depending on the solution deployed.

Twenty-seven percent say their organizations use technology-based identity and access controls to detect the sharing of system administration access rights or root-level access rights by privileged users, and 24 percent say they combine technology with process. However, 15 percent admit access is not really controlled and 11 percent say they are unable to detect sharing of access rights.


The main issues are enforcement and change request tracking, along with policy issues such as inconsistent approval processes for user access. Cost is also a factor, with many citing the expense of change requests and overall user monitoring. Still, the favorite solutions deployed for controlling these issues were all SIEM related.

The potential for privileged access abuse varies from country to country based on responses, with France, Hong Kong, and Italy having the greatest potential, and Germany, Japan and Singapore having the least, the report noted.

Naturally, HP offers technology to address these problems, along with other vendors in the market. While the research is important, the best bet is still to examine all of the various offerings when it comes to controlled access and policy enforcement, and pick the one that matches your organization’s needs and budget.
