Privileged access. Privileged users. These words should make us all uncomfortable at this point. While IT, management and users are all bombarded with and distracted by daily news of new malware attacks or software vulnerabilities, the more serious threat to network security and data integrity continues quietly: insider threats. Whether the initial intent is malicious or not, once the breach occurs, even if it is accidental, the damage is done.
So-called privileged users are a big part of the problem. Whether “privileged” because they are power users of some sort or have reached that rank through a different path, or are “privileged” because their access was never restricted through an oversight, the temptation to access data not necessary to their daily tasks proves too tempting to users on a regular basis. IT is not exempt from that group, either. Results from BeyondTrust’s recent survey, “Privilege Gone Wild,” for example, show that in many companies, controls on access to data are still lacking, or easily circumvented. The responses from 265 IT decision makers across a variety of industries are disheartening:
- 44 percent of employees have access rights that are not necessary to their current role.
- 28 percent have retrieved information not relevant to their job.
- 80 percent of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity.
- Over three-quarters of respondents say the risk to their organization caused by the insecurity of privileged users will increase over the next few years.
Among those who indicated that they had accessed information not necessary for their jobs, the specific data included financial reports, salary details, HR data, personnel documents and R&D plans.
Of the two-thirds who indicated that their companies do have access controls in place, more than half said they could get around them. And if these survey respondents can get around the controls, we can safely assume that the rest of the company can, as well.
In the company’s release on the survey results, EVP of Product Strategy at BeyondTrust Brad Hibbert said, “Allowing any employee unfettered access to non-essential company data is both unnecessary and dangerous and should be an issue that is resolved quickly. The insider threat has always been a vulnerability we take very seriously at BeyondTrust and it’s our goal to help customers combat this growing problem.”
Looks like the need for steady attention to this situation isn’t going away any time soon. Remember, 76 percent of respondents said that the privileged user risk to their companies would increase over the next few years. That’s “increase,” not “decrease.”
This data access issue is one of the few where policies are not more important than multi-pronged technological controls. For more on the key steps in locking down internal vulnerabilities due to privileged user access, also see “Protecting Data from the Inside Out,” which takes you through the case for:
- Building security directly into the business process, rather than the infrastructure
- Automating privileged identities and activities, which is key for compliance reporting
- Identifying all privileged accounts (this should actually be the first item on the list, in order to assess risk and prioritize system changes)
- Securing embedded application accounts, one way that users are circumventing access controls without leaving a trail
- Establishing best practices, also known as enforced data use policies – from password policies to use of third-party data storage tools