Privileged accounts create 'gaping hole' for IT security
The potential abuse of privileged accounts in the current financial environment is a gaping hole in company security.
Mark Fullbrook, director of the UK and Ireland at Cyber-Ark, claimed that with companies either downsizing their IT staff or asking them to accept pay cuts, this is more of a risk than ever before.
Fullbrook claimed that the risk lies in the accounts themselves: in the vast majority of cases they are completely generic, and staff use the same login and password across many systems. This leaves no audit trail, and because there are so many of these accounts, many companies no longer bother to change their passwords with any regularity.
“The potential of insider threat is the number one risk within today's enterprise, and within any enterprise the most technically aware staff are the IT staff themselves. Knowing this, most companies still spend more on stopping John in sales or Caroline in accounts from accessing Facebook or an instant messaging application than they do on preventing the misuse of these highly sensitive privileged accounts”, said Fullbrook.
Recent statistics from Verizon stated that 57 per cent of breaches surveyed over a four-year period were committed by either an internal user or a business partner who had access to systems. It further stated that in the case of insider abuse, over 50 per cent of the breaches involved IT staff.
When Cyber-Ark asked its own IT staff whether they had ever used a privileged password to access information that was not relevant to their role, an average of 33 per cent responded that they had. When asked if they would consider taking some form of sensitive data from their present employer if they ever left, over 85 per cent said they would.
Fullbrook said: “When I hear of companies that have not outlined a solution or strategy to deal with privileged accounts I liken it to building a prison with a huge tunnel to the outside. You can spend whatever you want on guards, fences, cameras and locks, but if you don't guard the tunnel, you may as well not bother.
“Implementing a solution to safeguard against this type of threat is the only way forward and whether you decide to invest in a manual process or an automated vendor-based product, you should ensure that your solution provides a safe and reliable place to store passwords, you have the means to change passwords as regularly as possible and make it as easy as it can be for your users to go about their daily tasks.”
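The two weaknesses Fullbrook describes, one generic credential reused across many systems (so no audit trail) and passwords that are never changed, can be surfaced from a credential inventory. The following is an added illustration, not Cyber-Ark's product or any code from the article; the inventory rows, the `cred-*` identifiers, the audit date and the 90-day rotation window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90            # assumed rotation policy; the article only says "as regularly as possible"
AUDIT_DATE = date(2009, 10, 1)  # assumed date the audit is run

# Constructed sample inventory (not real data): which stored privileged credential
# each system uses, and when that credential was last changed.
INVENTORY = [
    {"system": "db-prod-01",  "account": "root",          "credential_id": "cred-A", "last_rotated": date(2009, 1, 10)},
    {"system": "db-prod-02",  "account": "root",          "credential_id": "cred-A", "last_rotated": date(2009, 1, 10)},
    {"system": "app-prod-01", "account": "root",          "credential_id": "cred-A", "last_rotated": date(2009, 1, 10)},
    {"system": "dc-01",       "account": "Administrator", "credential_id": "cred-B", "last_rotated": date(2009, 8, 1)},
    {"system": "fw-edge",     "account": "admin",         "credential_id": "cred-C", "last_rotated": date(2009, 9, 20)},
    {"system": "backup-01",   "account": "svc_backup",    "credential_id": "cred-D", "last_rotated": date(2008, 5, 3)},
]

def systems_per_credential(inventory):
    """Group systems by the credential they use; a credential on several systems is a generic shared login."""
    groups = defaultdict(set)
    for row in inventory:
        groups[row["credential_id"]].add(row["system"])
    return {cid: sorted(systems) for cid, systems in groups.items()}

def shared_credentials(inventory):
    """Credentials reused on more than one system: one password, many doors, no per-person audit trail."""
    return {cid: s for cid, s in systems_per_credential(inventory).items() if len(s) > 1}

def stale_credentials(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Credentials not rotated within the policy window, mapped to their age in days."""
    ages = {}
    for row in inventory:
        age = (today - row["last_rotated"]).days
        if age > max_age_days:
            ages[row["credential_id"]] = max(age, ages.get(row["credential_id"], 0))
    return ages

def risk_report(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Rank credentials worst-first: shared and overdue credentials are the 'tunnel' in Fullbrook's analogy."""
    stale = stale_credentials(inventory, today, max_age_days)
    report = []
    for cid, systems in systems_per_credential(inventory).items():
        report.append({"credential_id": cid, "systems": systems, "blast_radius": len(systems),
                       "shared": len(systems) > 1, "stale_days": stale.get(cid, 0)})
    return sorted(report, key=lambda r: (r["shared"], r["stale_days"] > 0, r["blast_radius"], r["stale_days"]),
                  reverse=True)

if __name__ == "__main__":
    for entry in risk_report(INVENTORY, AUDIT_DATE):
        print(entry)
```

The report's top entries are the credentials to move into a vault and rotate first; a blast radius above one also means the account cannot attribute actions to an individual.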