New Study Reveals a Major Security Gap for Organizations
Brought to you by The VAR Guy
The results of BeyondTrust’s annual Privilege Benchmarking Study are in and reveal a growing disparity between those organizations that have effective privileged access management strategies in place and those that still have a long way to go.
The study surveyed over 500 senior IT, IS, legal and compliance experts about their privileged access management practices. Their responses were divided into two tiers based on industry best practices, with top-tier companies distinguishing themselves as far better equipped to mitigate the impact from data breaches than their less prepared peers.
Despite the rash of high-profile breaches involving abused or misused privileges garnering headlines recently, there has not been much progress in control over privileged access, says Scott Lang, BeyondTrust’s director of privilege strategies. “There’s still this widening gap,” Lang told The VAR Guy, “a growing disparity between people who do it right and those who don’t.”
The most surprising finding for Lang was that 52 percent of companies in the lower tier reported that they “just know” what their risks are and have no analytics, reporting or measurement to clearly identify the biggest vulnerabilities or give a good idea of their risk profiles. Top-tier companies are also more likely to actually conduct vulnerability assessments; 91 percent do, compared to just 20 percent of bottom-tier organizations.
Lang says these organizations are lagging behind in part because of resource constraints and an inaccurate picture of how difficult it is to implement a privileged access management platform. “Lots of organizations equate privileged access management with identity access management, which is huge and complex,” he says, “so there’s guilt by association.”
In addition, the headlines these days seem to focus on suspected hacking by third-party nation states like North Korea and Russia, leading many to assume incorrectly that the biggest privileged access threats posed to organizations are external. Lang says that unfortunately, he thinks we’ll need to see another Edward Snowden-style insider breach causing irreparable harm before that fallacy is corrected.
For channel partners, Lang says the key takeaway is that the findings reveal an opportunity for VARs to provide a critical service to their customers while increasing their own margins. Of the bottom-tier companies, only nine percent carry an enterprise-grade solution, and one-third of them have no platform to manage privileged access. This is compared to 78 percent of the top-tier organizations that utilize such a solution. Resellers and service providers can fill a gap in the market by providing one platform that integrates management and reporting.
Another widening gap the report identifies is between admins’ ability to see when they need to take action on a potentially risky session and their ability to actually implement defensive action while the session is in progress. Lang says only three percent of bottom-tier organizations appear to have this capability.
Other findings revealed that companies in the top tier had far more advanced password and credential management practices in place, a critical element in a well-crafted organizational cyberdefense. “With 63 percent (2016 Verizon DBIR) of confirmed data breaches involving weak, default or stolen passwords, it’s never been more important to apply discipline and accountability over enterprise credentials.” Despite this, only a quarter of bottom-tier respondents reported a centralized password management policy compared with 92 percent of top-tier companies.
Based on the results of the study, BeyondTrust developed five top recommendations for organizations and channel partners hoping to decrease their privileged access control risks:
- Implement granular least privilege policies to balance security with productivity. Elevate applications, not users.
- Use vulnerability assessments to achieve a holistic view of privileged security. Evaluate individual application and asset risk before granting privileged access.
- Reinforce enterprise password hygiene with policy and an overall solution. As the first line of defense, establish a policy that requires regular password rotation and centralizes the credential management process.
- Improve monitoring of privileged sessions. Real-time monitoring and termination capabilities are vital to mitigating a data breach as it happens, rather than simply investigating after the incident.
- Integrate solutions across deployments to reduce cost and complexity, and improve results. Simplify privileged access management with tools that span multiple environments and integrate with other security systems, leaving fewer gaps.
“This study confirms one of the unfortunate truths about data breaches today – namely, that many of them are preventable using relatively simple means,” said Kevin Hickey, President and CEO at BeyondTrust. “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape.”