Earlier this week, the UK's National Cyber Security Centre (NCSC) along with the FBI and the US Department of Homeland Security (DHS) issued a warning about malicious cyber-activity carried out by the Russian government on government and private-sector organisations, critical infrastructure providers, and ISPs in both countries.
Earlier, the National Cyber Security Centre also trained guns at North Korea for backing cyber-attacks on organisations based in the UK, including the WannaCry ransomware attack that impacted two-thirds of all NHS trusts.
Even though the threat posed by nation-backed hacker groups and those carrying out malicious cyber-activity for financial gain require serious attention both from governments and targeted organisations, the new 2018 Privileged Access Threat Report released by security firm Bomgar has highlighted that to prevent data breaches and reputational loss, organisations need to look within and fix their own flaws first.
The report has revealed serious gaps in the visibility and control that IT departments in the US and Europe have over employees, contractors, and third-party vendors with privileged access to their IT networks.
A survey of IT professionals at organisations in both regions revealed that less than 35 percent of them are fully confident about their ability to identify threats from employees with privileged access, and one in every three of them do not spend sufficient time monitoring third-party vendor access.
As far as tackling the insider threat is concerned, organisations are clearly not doing enough to prevent instances of unauthorised access, sharing of passwords, sharing of sensitive files, or the handling of corporate secrets.
Bomgar's survey revealed that while administrative passwords are freely shared between employees at 64 percent of organisations, such organisations also know that half of their employees are sharing passwords, 57 percent of employees are writing down passwords, 53 percent are sending files to personal email accounts, and 56 percent are downloading data onto external memory drives.
It, therefore, comes as no surprise that in the UK alone, 59 percent of organisations have possibly or definitely suffered an insider-related breach in the last year and 64 percent of organisations have possibly or definitely suffered a breach due to third-party access.
What is more concerning is that instances of password sharing and writing down of passwords have, in fact, risen in frequency compared to the previous year. For example, the percentage of organisations who cited writing down of passwords as a risk grew from 55 percent in 2017 to 65 percent this year. Similarly, password sharing between employees grew from 46 percent to 54 percent in the same period.
However, organisations that had taken steps to reduce such risks via privileged identity and access management (PAM) solutions experienced less severe security breaches and displayed better visibility and control than those who used manual solutions or no solution at all.
“As the vendor ecosystem grows, and employees are granted more trust, organisations need to accept that the way to mitigate risks is by managing privileged accounts through technology and automated processes that not only save time, but also provide visibility across the network,” said Matt Dircks, CEO of Bomgar.
“By implementing cyber-security policies and solutions that also speed business performance, versus putting roadblocks in users' way, organisations can begin to seriously tackle the privileged access problem."
Commenting on Bomgar's findings, Chris Day, chief cyber-security officer of Cyxtera, told SC Magazine UK that to reduce risks emanating from insider or third party access to critical systems, organisations must implement a zero-trust policy and augment outdated solutions like VPNs, NACs and firewalls with newer approaches like a software-defined perimeter (SDP) as these two approaches can significantly lower overall risk.
"Zero-Trust essential says “trust no one,” including employees and vendors. Implementing a zero-trust programme requires organisations to rethink their security architecture. New technology approaches, like a software-defined perimeter (SDP), provides a way to enable zero-trust by addressing the issue of over-privileged access head-on. Gone are the days when we can provide unfettered access to network credentials based on the user providing a password," he said.
Paul Edon, director at Tripwire, told SC Magazine UK that since humans are the weakest link in the cyber-security chain, organisations must have adequate security measures in place to protect their data.
"Ensuring that each individual within the workforce has only the access necessary to do their job can help reduce the risk of a data leak occurring in this manner. However, no organisation is immune to insider threats which is why having multiple layers of security is vital to protect the data that matters.
"With GDPR less than a month away, it is important to understand that the fines imposed for GDPR noncompliance could lead to some organisations facing huge fines and possible bankruptcy, especially if the breach is the result of corporate negligence," he added.