Insufficient privileged access management (PAM) practices continue to be a critical challenge for many organizations despite significant risks of data breaches and security incidents, according to Sila and Ponemon Institute.
According to more than 650 North American respondents, 70 percent think it likely that privileged users within their organizations are accessing sensitive or confidential data for no discernible business need and more than half expect privilege user abuse to increase in next 12-24 months.
Interestingly, the primary reason users have unnecessary access to sensitive resources is that all users at their level are given privileged access, even if it is not required to perform their job assignment.
According to respondents, privileged access rights also regularly remain active even after a role change (30 percent). 62 percent of participants felt it likely that their organization assigns privileged access rights that go beyond an individual’s role or responsibilities.
This proliferation of access is emphasized with more than 75 percent of respondents having privileged access to three or more IT resources.
According to study participants, the biggest challenges organizations face in granting and enforcing privileged user access rights are:
- 57 percent – Can’t keep pace with the number of access change requests that come in on a regular basis
- 48 percent – Lack of a consistent approval process for access and a way to handle exceptions
- 43 percent – Burdensome process for business users requesting access
“Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk,” said Tapan Shah, managing director at Sila.
Additional key findings from the report state:
- 52 percent of organizations do not believe they have the capabilities to effectively monitor privileged user activities
- Over 70 percent of respondents believe that greater automation of access management processes would be the biggest benefit to their organization’s overall identity and access management security posture
- 60 percent are not confident that their organization has enterprise-wide visibility for privileged user access or can determine if these users are compliant with policies
- Why? 45 percent of those with low confidence state that they can’t create a unified view of privileged access across the enterprise and 29 percent say they can’t keep up with the changes occurring to the organization’s IT resources
“With organizations facing a multitude of threats on a daily basis and as the risks related to PAM continue getting worse, this year’s survey shows that overall progress toward effective PAM implementation continues to stagnate in many areas,” said Dr. Larry Ponemon of the Ponemon Institute.
“The status quo is not secure. Business and IT leaders need to look beyond simple tool integration and a ‘check the box’ mentality solely driven by compliance demands. Organizations take a big risk by not properly investing in effective PAM strategies that not only promote security, but propel business success.”