Third-Parties & Employees Create Major Privileged Access Organizational Threats

Employee and vendor admission to their IT systems resulting from privileged access represent major threats to organizations according to respondents in the Atlanta-based BeyondTrust’s “Privileged Access Threat Report 2019.”

The BeyondTrust study explored the visibility, control, and management IT organizations in the U.S., Europe, Middle East, and Asia-Pacific, have over employees, contractors, and third-party vendors with privileged access to their IT network.

Independent research agency Loudhouse surveyed 1,006 IT professionals across operations, IT support/helpdesk and security and compliance roles, drawn from a range of industries, including finance, manufacturing, healthcare, government, retail, and professional services.

According to the report, 64% believe they have likely had either a direct or indirect breach due to misused or abused employee access in the last 12 months, and 62% believe they have had a breach due to compromised vendor access.

The report held poor security hygiene by employees continues as a challenge for most organizations. Writing down passwords, for example, was a problem for 60% of organizations, while colleagues sharing passwords was also an issue for 58% of organizations in 2019.

Ultimately, 71% of organizations agree they would be more secure if they restricted employee device access. However, this is not usually realistic, let alone conducive to productivity.

“Both internal employees and third-party vendors need privileged access to be able to do their jobs effectively, but need this access granted in a way that doesn’t compromise security or impede productivity,” Morey Haber, chief technology officer and chief information security officer of BeyondTrust, commented. “In the face of growing threats, there has never been a greater need to implement organization-wide strategies and solutions to manage and control privileged access in a way that fits the needs of the user.”

The businesses surveyed reported an average of 182 vendors logging in to their systems weekly. At organizations with 5,000-plus employees, 23% said they have more than 500 vendors logging in regularly. This year’s report uncovered trust in vendor access is now lower than trust in employee access, with only one in four completely trusting vendors, in comparison to 37% of employees.

The report also investigated threats posed by emerging technologies. The risks associated with the Internet of Things posed a big concern for the professionals surveyed, with the visibility of logins from IoT devices revealed as the most pressing issue. Seventy-six percent remain confident they know how many IoT devices access their systems, while four in five said they know how many individual logins belong to these devices. At the same time, 47% of security decision makers perceive at least a moderate risk from bring-your-own-device policies.

“As the vendor ecosystem grows, the threat landscape evolves and users should be granted specific role-based privileges. Organizations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment,” Haber added. “By implementing cybersecurity policies and solutions that also speed business efficiency, versus putting roadblocks in users’ way, organizations can begin to seriously tackle the privileged access problem.”

The report did show that some organizations are managing these risks with a privileged access management solution. From the research, these same organizations experience less severe security breaches and have better visibility and control than those who use manual solutions or no solution at all. In fact, 90% of those with fully integrated PAM tools are confident they can identify specific threats from employees with privileged access.