Most IT decision makers are not prioritizing Privileged Access Management (PAM) practices and solutions, despite knowing privileged credential abuse is involved in almost three out of every four breaches, according to Centrify.
The survey of 1,000 IT decision makers evenly split between the U.S. and U.K. found that, of those whose organizations have experienced a breach, 74 percent acknowledged it involved access to a privileged account. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials.
However, despite being aware that they’ve been breached, most companies are still extremely immature in their PAM journey, and are granting too much trust and privilege. More importantly, they are not taking even the simplest measures to reduce risk and secure access to sensitive data and critical infrastructure. For example:
- 52 percent of respondents do not have a password vault
- 65 percent are still sharing root or privileged access to systems and data at least somewhat often
- 63 percent indicate their companies usually take more than one day to shut off privileged access for employees who leave the company
- 21 percent still have not implemented Multi-Factor Authentication (MFA) for privileged administrative access.
“Forrester had already estimated that privileged credential abuse was the leading attack vector, but now we have the empirical research to back it up,” said Tim Steinkopf, CEO of Centrify. “What’s alarming is that most organizations aren’t taking the most basic steps to reduce their risk of being breached. It’s not surprising that Forrester has found 66 percent of companies have been breached five or more times. It’s well past time to secure privileged access with a Zero Trust approach, and many organizations can significantly harden their security posture with low-hanging fruit like a password vault and MFA.”
The survey also revealed that, generally, respondents in the U.K. are behind their U.S. counterparts when it comes to securely managing privileged access. Forty-four percent of U.K. IT decision makers surveyed were not positive what Privileged Access Management is, and 60 percent do not have a password vault. This also affects their confidence in the ability to secure their organizations, as only 36 percent of U.K. respondents are “very confident” in their company’s current IT security software compared to 65 percent of U.S. respondents.
IT practitioners should consider that critical and fundamental security controls such as PAM are enablers for Digital Transformation, which was the top choice listed by respondents when asked which projects they’d prefer to work on. Industry research firm Gartner predicted Privileged Access Management (PAM) to be the second-fastest growing segment for information security and risk management spending worldwide in 2019. PAM was also named a Top 10 security project for 2019.
“Centrify believes that reason for this increased prioritization and spending on PAM is the increasingly-modern threatscape that security professionals are facing,” Steinkopf continued. “Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network. Privileged access now not only covers infrastructure, databases and network devices, but is extended to cloud environments, Big Data, DevOps, containers and more.”
Indeed, the survey found that respondents are not controlling privileged access to these modern use cases, including:
- 45 percent are not securing public and private cloud workloads with privileged access controls
- 58 percent are not securing Big Data projects with privileged access controls
- 68 percent are not securing network devices like hubs, switches and routers with privileged access controls
- 72 percent are not securing containers with privileged access controls.