From Target to Equifax, major public-facing companies have fallen victim to unauthorized individuals gaining access to sensitive data. Although news of data breaches conjures images of cunning hackers surreptitiously gaining access to secure data, a recent survey from privileged access management (PAM) company Centrify suggests that most breaches stem from poorly secured accounts.
According to the survey conducted by FINN Partners, which polled 1,000 information technology professionals, 74 percent of respondents whose companies had been breached admitted those incidents involved access to a privileged account. The survey's respondents were evenly split between the United States and the United Kingdom.
Centrify CEO Tim Steinkopf said the study "was empirical research" that backed up other data provided by Forrester Research, which estimated that "80 percent of security breaches involve privileged access abuse, and 66 percent of companies have been breached an average of five or more times."
"What's alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access," he said. "IT teams need to be taking their privileged access management much more seriously and prioritizing basic PAM strategies, like vaults and MFA, while reducing shared passwords."
Companies give employees too much privileged access
While the survey shows that companies are aware of previous breaches and know they could still fall victim to more incidents, officials said the data also suggests that most companies are "still extremely immature" in their PAM efforts and were "granting too much trust and privilege."
The survey revealed that 52 percent of respondents did not use a password vault. It also revealed that 65 percent of respondents were "still sharing root or privileged access to systems and data at least somewhat often" and that 63 percent take more than 24 hours to shut off privileged access for employees who leave the company.
"It's not surprising that Forrester has found 66 percent of companies have been breached five or more times," Steinkopf said. "It's well past time to secure privileged access with a zero trust approach, and many organizations can significantly harden their security posture with low-hanging fruit like a password vault and multifactor authentication."
Even though companies can implement password vaults and multifactor authentication, Centrify's data found that respondents were more interested in digital transformation (40 percent) and endpoint security projects (37 percent) than privileged access management (28 percent).
Furthermore, the survey reported that respondents in the U.K. are not as up to date with PAM as their American colleagues. Approximately 44 percent of U.K. survey respondents were unsure what privileged access management was, and 60 percent did not have a password vault. By comparison, 26 percent of American respondents were unsure what PAM was, and 45 percent did not have a password vault set up.
The survey also suggested only 36 percent of U.K. respondents were "very confident" in their company's cybersecurity efforts, compared to 65 percent of U.S. respondents.
Companies need tighter access control
When it comes to controlling access to a company's cloud workloads, big data projects and network devices, the survey suggests that respondents in both countries were not doing enough to address modern security concerns.
"Today's environment is much different than when all privileged access was constrained to systems and resources inside the network," Steinkopf said. "Privileged access now not only covers infrastructure, databases and network devices but is extended to cloud environments, big data, DevOps, containers and more."
According to the study, 45 percent of respondents are not securing public and private workloads, 58 percent are not securing big data projects, 68 percent are not securing networking devices, and 72 percent are not securing containers.
Centrify suggests that organizations should "consider a cloud-ready 'zero trust privilege' approach that helps enterprises grant the least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment."
By adopting a zero trust mindset, Steinkopf said that "organizations can further reduce their risk of becoming the next data breach victim."