Story image

70% of firms would fail a privileged account management audit

15 Mar 18

Organisations may consider privileged account management an important part of their cybersecurity, however in reality many will still fail to protect and secure privileged accounts, a new study from Thycotic claims.

Out of 500 organisations worldwide, 60% state they are required to comply with regulations about privilege credential access, but 70% would fail an access controls audit. 80% consider privileged account management (PAM) security a high priority.

“While most organisations acknowledge the important role privileged credential access plays in their cybersecurity posture, our report finds that most are actually failing to protect and secure their privileged accounts,” comments Thycotic’s chief security scientist Joseph Carson.

The State of PAM Risk and Compliance report highlights that PAM is a required compliance issue driven by auditors and controllers.

According to the report, privileged access comprises “Access to computers, networks and network devices, software applications, digital documents, and other digital assets that upper management, IT administrators, and service account users work with daily. Access to privileged accounts allows more rights and permissions than those given to standard business users”.

The growth in PAM is also driven by greater awareness of threats targeted privileged accounts. Thycotic says criminals are targeting employees ‘at a higher rate than ever before’.

“Protecting access to privileged credentials, the preferred target of cybercriminals and malicious insiders, is rapidly evolving as a must-have compliance requirement,” Carson continues.

The report analysed areas including PAM policies, processes and controls. It also calls attention to how third party contractors are generally treated as internal employees when it comes to access controls.

“Organisations should ensure that security access controls for vendors or contractors are much more rigorous since they do not have full control over the security behaviours of third parties,” the report states.

Other highlights from the report:

  • 73% of organisations fail to require multi-factor authentication with privileged accounts
  • 64% of organisations fail to fully audit privileged accounts
  • 51% fail to use a secure logon process for privileged accounts
  • 70% of organisations fail to fully discover privileged accounts---and 40% do nothing at all to discover these accounts

Thycotic suggests establishing a lifecycle approach to PAM that flows through the following stages:

1. Understanding the need for PAM among executive and IT staff

2. Identifying privileged accounts across all systems

3. Managing and protecting access to privileged accounts and restricting their use

4. Monitoring privileged account use on a continuous basis

5. Detecting anomalies in privileged account use indicating potential fraudulent activities

6. Responding to privileged account suspected compromise immediately and with targeted actions 7. Review and report to continuously improve PAM access controls.

The tech that helped the first woman to sail around Australia
Lisa Blair used devices from supplied by Pivotel to aid her in becoming the first woman to circumnavigate Australia non-stop.
Why there will be a battle for the cloud in 2019
Cloud providers such as AWS, Azure, and Google will likely find themselves in a mad scramble to gain additional enterprise customers.
Mercury Energy sells smart meter business for $270m
“Metrix’s large installed meter base, deep customer relationships and innovation platform, make this a natural acquisition."
IDC: Manufacturing, retail/wholesale biggest cloud spenders
"Industry cloud growth rates will continue to accelerate over the next three years, which is very unusual for multi-billion-dollar markets,”
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Hands-on review: The Logitech R500 laser presentation remote
With a clever ergonomic design, you’ll never have to glance at the device, unless you deliberately look to use the built-in laser pointer to emphasise your presentation.
Review: Should you buy the Fitbit Charge 3?
If you are new the to the world of wearables you might be wondering if Fitbit’s new offering is a good first step. Maybe I can help with that.
The disaster recovery-as-a-service market is on the rise
As time progresses and advanced technologies are implemented, the demand for disaster recovery-as-a-service is also expected to increase.