Major Security Gap Between Businesses Remains Wide

Internet security

Edward GatelyA new study by cybersecurity company BeyondTrust demonstrates a “widening gulf” between organizations that adhere to best practices for privileged access management.

BeyondTrust's Scott LangThe Privilege Benchmarking Study asked more than 500 senior IT, IS, legal and compliance experts about their privileged-access management practices. Their responses were divided into two tiers based on industry best practices, with top-tier companies “distinguishing themselves as far better prepared to mitigate the impact from data breaches,” BeyondTrust said.

Scott Lang, BeyondTrust’s director of privilege strategies, tells Channel Partners that, considering all the high-profile breaches involving privileged credentials, “I would not have expected the gulf between those who are doing it right and those who aren’t doing enough to be so wide still.”

The biggest takeaway from the study for the channel is that “your customers aren’t as mature in their privileged-access management practices as you would have thought considering all of the high-profile breaches involving abused or misused privileges,” he said.{ad}

“Only 14 percent of lower-tier respondents are regularly cycling their passwords, for example,” Lang said. “And only 3 percent have the ability to terminate a privileged session in real-time. As a channel partner, benchmark what your best customers are doing in their privileged access management practices, and replicate that as a baseline for the laggards.”

With 63 percent (2016 Verizon DBIR) of confirmed data breaches involving weak, default or stolen passwords, it’s never been more important to “apply discipline and accountability over enterprise credentials,” according to the study.

Top-tier companies were much more likely to have a centralized password management policy — 92 percent of them do, in contrast with just 25 percent of bottom-tier organizations.

Password cycling is also much more common among top-tier businesses, with 76 percent frequently changing passwords. Credential management formed another point of distinction, with 73 percent identifying themselves as efficient in this area, compared to 36 percent of the bottom-tier companies.

When it comes to real-time session monitoring and restriction of access, 71 percent of top-tier companies can monitor privileged user sessions, and 88 percent can restrict access with a measure of granularity. Among bottom-tiers, 49 percent can monitor sessions, and only 37 percent have granular capabilities to restrict access.

Among top-tier organizations, nine out of 10 grant privileges to …


apps rather than users. Among bottom-tier companies, this falls to 46 percent.

While it’s vital to evaluate the risks posed by individual apps and systems, only 6 percent of bottom-tier companies have tools that provide this capability – and 52 percent “just know” what the risks are, according to the study. Meanwhile, 57 percent of top-tier companies can make these assessments.

Top-tier companies also are more likely to actually conduct vulnerability assessments; 91 percent do, compared to just 20 percent of bottom-tier organizations.

“There are some significant opportunities for the channel that are illustrated from data in the report,” Lang said. “First, only 9 percent of the lower-tier report having an enterprise solution in place for privileged access, and a third of them have nothing at all! This is a tremendous opportunity for channel partners to penetrate the laggards who haven’t deployed such a solution. Further, we’ve seen less mature organizations that do deploy PAM tools do so in patchworks of products. The study shows, however, that there is value in deploying a much more holistic solution that addresses multiple PAM pain points, and is extensible to other parts of the security or IT estate. And that is ideally delivered by channel partners.”

A second opportunity is organizations need help understanding where their biggest privilege risks are, he said.

“Channel partners should look to engage with their customers to help them understand privilege risks, score risky applications and systems, and prioritize,” Lang said.

The study also found that despite a high level of awareness of the threat, federal-government agencies leave themselves open to attack. Some 72 percent of government responders believe that there would be a high risk to general business and mission information if organizations lacked proper access control for privileged users.

The federal government has implemented mandates to address various attack vectors within agency networks; yet, respondents also report that 20 percent of users have more privileges than they need, according to the study. These results highlight an opportunity for improvement in adopting processes and technologies to further secure privileged access in federal agencies.

“This study confirms one of the unfortunate truths about data breaches today — namely, that many of them are preventable using relatively simple means,” said Kevin Hickey, BeyondTrust’s president and CEO. “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape.”

One comment

  1. Avatar Bobby Gibb July 20, 2018 @ 10:12 am

    One of the many things about U.S. Foreign Policies that scares me and is stupid while turning most of the World against the U.S. is that it would obviously create a huge problem of other Countries wanting to Hack into U.S. Computer Systems.

Leave a comment

Your email address will not be published. Required fields are marked *

The ID is: 51736