Privileged Users Abusing Data Access

Kachina Shaw

Privileged access. Privileged users. These words should make us all uncomfortable at this point. While IT, management and users are all bombarded with and distracted by daily news of new malware attacks or software vulnerabilities, the more serious threat to network security and data integrity continues quietly: insider threats. Whether the initial intent is malicious or not, once the breach occurs, even if it is accidental, the damage is done.

So-called privileged users are a big part of the problem. Whether they are “privileged” because they are power users of some sort or reached that rank through a different path, or because an oversight meant their access was never restricted, users regularly give in to the temptation to access data that is not necessary to their daily tasks. IT is not exempt from that group, either. Results from BeyondTrust’s recent survey, “Privilege Gone Wild,” for example, show that in many companies, controls on access to data are still lacking, or easily circumvented. The responses from 265 IT decision makers across a variety of industries are disheartening:

  • 44 percent of employees have access rights that are not necessary to their current role.
  • 28 percent have retrieved information not relevant to their job.
  • 80 percent of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity.
  • Over three-quarters of respondents say the risk to their organization caused by the insecurity of privileged users will increase over the next few years.

Among those who indicated that they had accessed information not necessary for their jobs, the specific data included financial reports, salary details, HR data, personnel documents and R&D plans.

Of the two-thirds who indicated that their companies do have access controls in place, more than half said they could get around them. And if these survey respondents can get around the controls, we can safely assume that the rest of the company can, as well.

In the company’s release on the survey results, EVP of Product Strategy at BeyondTrust Brad Hibbert said, “Allowing any employee unfettered access to non-essential company data is both unnecessary and dangerous and should be an issue that is resolved quickly. The insider threat has always been a vulnerability we take very seriously at BeyondTrust and it’s our goal to help customers combat this growing problem.”

Looks like the need for steady attention to this situation isn’t going away any time soon. Remember, 76 percent of respondents said that the privileged user risk to their companies would increase over the next few years. That’s “increase,” not “decrease.”

This data access issue is one of the few where policies are not more important than multi-pronged technological controls. For more on the key steps in locking down internal vulnerabilities due to privileged user access, also see “Protecting Data from the Inside Out,” which takes you through the case for:

  • Building security directly into the business process, rather than the infrastructure
  • Automating privileged identities and activities, which is key for compliance reporting
  • Identifying all privileged accounts (this should actually be the first item on the list, in order to assess risk and prioritize system changes)
  • Securing embedded application accounts, one way that users are circumventing access controls without leaving a trail
  • Establishing best practices, also known as enforced data use policies – from password policies to use of third-party data storage tools


Oct 23, 2013 5:38 PM Jessica Dodson says:
"80 percent of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity." Wow! That's a pretty remarkable response. I'd be interested to know what comes from that "peeking." Do employees do something with that data or just go "oh, that's interesting" and call it a day?
Oct 24, 2013 3:45 AM Gaffe says:
Why does no one mention that it is expensive to administer and reduces employee efficiency tremendously when you restrict data access? An employee that needs to request access constantly will be much less efficient. And unless you have full time security people approving access requests 24-7, it introduces delays into everything you do. I'm not saying data shouldn't be locked down or protected, but I worked in a few places in government where this was done in very inefficient ways. We would just be tracking and following up on requests for weeks and justifying and explaining to approvers what we are doing. Many times these managers made decisions randomly because they are not involved in our project and had no idea how to determine what was necessary. Also they had no skin in the game - they approve access for everyone, but are not responsible for any project so it didn't matter to them how much delay they introduced into your process.
Nov 6, 2013 6:48 PM adminuser says:
Edward Snowden. I call 'em "Admin Users" - power of the admin with knowledge of the basic user. What could go wrong?
Feb 19, 2014 8:16 PM Mary says:
What do you do when you know someone working in security is abusing their access privileges, e.g. looking up your personal details to find out your age and address? Who polices the security team, and how do you go about tackling this issue?
